Dahua Recorders Mass Hacked

Published Sep 25, 2017 12:53 PM

Dahua recorders are being hacked and vandalized around the world, as confirmed by dozens of reports to IPVM since the attacks surged 5 days ago.

Key points:

  • If you have Dahua recorders and you port forwarded them (as Dahua unfortunately recommends [link no longer available]), check your recorders immediately for impact.
  • Disable port forwarding immediately and block public access to these recorders.
  • Try to upgrade firmware, if possible for your units, though Dahua has regularly had challenges distributing firmware for various models and partners.
  • If you have one of the many Dahua OEM recorders (e.g., ADT, for which we have confirmed multiple reports), disable port forwarding and contact your manufacturer.
  • Dahua has still not made any public statement, continuing a trend of poor communication.

Inside, we share full details of the reports we have and the technical elements / vulnerabilities behind this.

Hacked Overview

Based on screen caps and log files submitted to IPVM and posted in public forums, hacked systems will show black images from the camera and display "HACKED 1, HACKED 2, etc." on each camera feed:

IPVM Image

The video will be black, as the hacker changes the exposure to effectively hide / block out the video feeds, as shown again below:

IPVM Image

And below is a log file sample from CCTV Forum that shows some of the changes made:

IPVM Image

Victims Seeking Help

Dahua has not issued any statements on these hacks; their most recent US cyber security update is from July 2017 [link no longer available]. Search traffic to IPVM for terms relating to 'Dahua hack' shows a ~500% surge above average for the past week:

IPVM Image

Sample Reports

IPVM has received numerous reports and cataloged other reports across the Internet including:

I have over 60 dvr that are old and new that are less than 6 months old both branded and unbranded have been severely hacked. Phone has been ringing off the hook. Dahua keeps sending me a year old firmware.

The hackers turned off the camera feed to the four channels and locked out access to turn them back on. There were changes made to color setting, general network, and channel name.

I had a client reach out to me at around 0900 eastern this morning to tell me two of four sites DVR's were sitting with a black 4 pane screen and where the cam info usually sits, it said "hacked." By 2100 eastern time the other two sites went down with the same issue.

Tonight a family member called me and told me their Dahua DVR was showing "hacked" as all the camera titles. I went over to their house and looked at it, and indeed it had been hacked. About an hour later I get a text from an old co-worker... his DVR also showed hacked, also a Dahua. The unit was logged into, some data was changed that caused the screen to go black, and the camera names were changed to Hacked 1, Hacked 2, Hacked 3 and Hacked 4. My main admin account had the password changed, not sure about the secondary.

My cameras say they are "Hacked." I called Dahua in California and they refused to offer any explanation or assistance other than pointing me to their cyber security PDF bulletins online which were of no help to my situation. They simply refused to talk to me other than to say read the bulletins and that's all they were going to say.

An Italian distributor posted about massive problems from the Dahua hacks:

In the last few days, news of a huge hacker attack on the Italian network has blocked nearly 6,000 Dahua recording apps, only from our channel, over 800 calls between September 19 and 21, regarding Dahua Hackerati recorders. [emphasis IPVM]

And a Greek Dahua partner posted a LinkedIn item:

IPVM Image

He later deleted the item.

And this Facebook item cited several national chains impacted with Dahua responding that the person was lying:

IPVM Image

A key clue to the hacks came from a person who emailed IPVM:

I stopped by one of our old customers today to look at his DVR, looks like the local only account 888888 was accessed via the internet.

The 888888 Account

Dahua recorders ship with a special '888888' account which is only supposed to work locally. However, according to security researcher bashis, the validation to determine if the client is local to the recorder is done by the client and not the recorder. This means that a malicious client could be formed to use the 888888 account, and tell the recorder it is local, even if it is logging in from a remote network.
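
The design flaw described above, reduced to a minimal model as an added example (not Dahua's code and not part of the original article). The account table, passwords, function names and the `claimsLocal` field are all hypothetical; the point is that a "local only" rule must be enforced by the recorder from what it knows about the session, not by a script the client may or may not run.

```javascript
'use strict';
// Added illustration (not Dahua code): a "local only" account whose locality
// check exists only in the client. All names and values are hypothetical.

// Constructed account table; localOnly marks the console-only account.
const ACCOUNTS = new Map([
  ['admin', { password: 'constructed-admin-pw', localOnly: false }],
  ['888888', { password: 'constructed-888888-pw', localOnly: true }],
]);

const auditLog = []; // security events recorded by the hardened server

// Comparison that does not stop at the first mismatching character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns the account record for valid credentials, otherwise null.
function checkCredentials(req) {
  const acct = ACCOUNTS.get(req.username);
  if (!acct || !constantTimeEqual(acct.password, String(req.password))) return null;
  return acct;
}

// The check as shipped to the browser: it only runs if the client runs it.
function clientSideGuard(username) {
  return username !== '888888';
}

// A well-behaved web client: guard first, then send the request.
function browserLogin(serverLogin, transport, username, password) {
  if (!clientSideGuard(username)) return { ok: false, reason: 'blocked by client script' };
  return serverLogin(transport, { username, password });
}

// Flawed server: valid credentials are enough; session origin is never examined.
function flawedServerLogin(transport, req) {
  return checkCredentials(req)
    ? { ok: true, user: req.username }
    : { ok: false, reason: 'bad credentials' };
}

// Hardened server: locality comes from `transport`, which the server fills in
// itself when it accepts the session. Request fields such as claimsLocal are ignored.
function hardenedServerLogin(transport, req) {
  const acct = checkCredentials(req);
  if (!acct) return { ok: false, reason: 'bad credentials' };
  if (acct.localOnly && transport.kind !== 'console') {
    auditLog.push({ event: 'local-only account used remotely', user: req.username, peer: transport.peer });
    return { ok: false, reason: 'account is console-only' };
  }
  return { ok: true, user: req.username };
}

// Runs the same login four ways and reports which ones are accepted.
function demo() {
  auditLog.length = 0;
  const network = { kind: 'network', peer: '203.0.113.10' }; // documentation address
  const localConsole = { kind: 'console', peer: null };
  const req = { username: '888888', password: 'constructed-888888-pw', claimsLocal: true };
  return {
    viaBrowser: browserLogin(flawedServerLogin, network, req.username, req.password).ok,
    flawedWithoutGuard: flawedServerLogin(network, req).ok,
    hardenedWithoutGuard: hardenedServerLogin(network, req).ok,
    hardenedConsole: hardenedServerLogin(localConsole, req).ok,
    alerts: auditLog.length,
  };
}

console.log(demo());
```

The hardened variant also records the rejected attempt, which gives an operator a log entry to alert on.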

We believe that this '888888' exploit has been fixed in newer Dahua firmware, but Dahua is poor at communicating what was changed, when it was changed and for which models it was changed.

These attacks are likely based on the backdoor bashis discovered in March 2017, where this vulnerability is cited:

IPVM Image

Technical Analysis

Presence of the Dahua special '888888' account, and internet access to port 37777, are the two factors impacted systems reported to IPVM have had in common. Users with non-default admin passwords have reported hacks to their systems. In a number of cases, users were running latest available firmware, particularly in the case of OEM models.

Based on the number and geographic diversity of systems reported as attacked, this looks to be an automated attack, with victims picked at random from Shodan or similar scans. The attack adjusts settings on connected cameras to make the image black, but does not touch recorded video, or lock the user out of the system. This makes the attacks similar to Brickerbot in nature, attempting to call attention to the devices' poor security, not render them inoperable or enroll them in a botnet.

Dahua's Many Vulnerabilities

Dahua has had a number of reported vulnerabilities in products. Dahua cameras and recorders fueled the Mirai botnet in 2016, leading to some of the largest DDoS attacks on victims ever (Dahua also claimed themselves as a victim of Mirai).

This was followed up by bashis' Dahua backdoor discovery in March 2017. This also impacted key partners, such as FLIR, forcing them to deal with Dahua's poor security implementation. A Dahua buffer overflow vulnerability was discovered in July 2017, though no known exploits of this have been seen (yet). Multiple vulnerabilities have also been found in Dahua's DHI-HCVR7216A-S3 [link no longer available] recorder, including cleartext passwords, an auto-admin login that allows data sniffing, an admin password bypass, and unencrypted communications that allow man-in-the-middle attacks.

Dahua Responds / Buries Attacks

Dahua has issued a press release in response to these attacks obscurely titling it, "Dahua USA Launches Latest Cybersecurity Initiatives [link no longer available]". The hacks are not mentioned until paragraph 3:

IPVM Image

Two important problems to note: These other 'leading' manufacturers are Dahua's own customers / OEMs. The way Dahua phrases it implies that this is some general issue across independent manufacturers, but it really is a Dahua defect that Dahua delivered to both their branded and OEM customers. Moreover, the release tries to blame the attacks on default passwords, but the critical problem is Dahua's own vulnerability that allowed remote attackers to fake local access to hack the Dahua recorders with the 'local only' 888888 account.

Comments (163)
John Honovich
Sep 25, 2017
IPVM

The upside of this is that dealers will start appreciating the downsides of buying lower priced items that have expensive longer term costs. Consider the Dahua dealers that need to explain why this is happening, why they recommended these products, and deal with servicing those systems.

The excuse that any product can be 'hacked' is exposed when you see the type of fundamental errors and poor response underlying Dahua's situation here.

Undisclosed Distributor #2
Sep 25, 2017

Much better that we saw this coming quite a while ago and got out ASAP! For a while we thought no one in the industry cared about actual security. Maybe I was just ahead of the curve.

Undisclosed Manufacturer #13
Sep 26, 2017

The upside of this is that dealers will start appreciating the downsides of buying lower priced items that have expensive longer term costs. Consider the Dahua dealers that need to explain why this is happening, why they recommended these products, and deal with servicing those systems.

Because people like cheap stuff here too much, they just love that it makes them pay less.

Mick Brown
Sep 26, 2017

seriously what alternatives are there 

at these price points 

it must originate from china with same inherent issues

 

John Honovich
Sep 27, 2017
IPVM

at these price points

it must originate from china with same inherent issues

I do wonder at what point these companies factor in the higher support and cybersecurity costs involved. The West is different than China in these respects and, as these manufacturers absorb those costs, I could see this become a factor in stopping the fall of pricing and/or increasing prices to cover that. 

John Honovich
Sep 25, 2017
IPVM

Hikvision: “We shipped millions of IP cameras with a backdoor so simple a 5 year old could exploit it. We are #1”

Dahua: “Hold my beer.”

Undisclosed #3
Sep 25, 2017
IPVMU Certified

 

Undisclosed #3
Sep 27, 2017
IPVMU Certified

*Satire

Kyle Folger
Sep 27, 2017
IPVMU Certified

I wish it were true and that it occurred before any exploits were found because then it would seem that they actually tried to prevent exploits and cared about cyber security. 

Undisclosed #3
Sep 28, 2017
IPVMU Certified

I wish it were true and that it occurred before any exploits were found 

Ah, actually it is true in a sense; the joke I was trying to make (but may have muddled accidentally), was exploring what the ultimate shameless spin that Dahua could put on the fact that they were hacked by bashis multiple times.  

 

 

Kyle Folger
Sep 28, 2017
IPVMU Certified

No I got the joke. I was meaning it would have been nice for Dahua to have put this out because of the fact the patches were released and they had paid Bashis to find the exploits. Yes, Dahua could spin it the way you wrote it. I would just like to see the manufacturers pay for pen testing before releasing all their products. 

Undisclosed End User #4
Sep 28, 2017

With possible payments comes an NDA (Non-Disclosure Agreement), and I don't like NDAs, nor being in a dependent position and/or biased.

I like to be independent and impartial in this kind of research, and here are no payments involved.

Undisclosed End User #4
Sep 27, 2017

Dahua are not my preferred target, it's more like D-Link - dig a bit, and you always find something. (quite boring in the long run to be frank)

Axis is, however; they provide a considerably higher challenge to exploit any findings, since they seem to be moving more and more towards the Yocto Project

However, Axis still suffer a bit with some legacy stuff, and I have lately noted they have removed all goodies like netcat, sftpclient, shttpclient, smtpclient.. etc. and introduced ASLR on heap. (bummer)

If all vendors in this industry would try to move towards the Yocto way, I could finally dissect my iRobot and try to see what that camera sees... 

Undisclosed #3
Sep 27, 2017
IPVMU Certified

Dahua are not my preferred target... 

I suppose Dahua should take some comfort there.

Axis is however...

Yes, you beat them at their own game :)

 

Michael Miller
Sep 25, 2017

When will OEM manufactures stop using Hikvision or Dahua?   How many excuses can they make for their OEM partner with all these security issues?  This has to be affecting their reputation and affecting their bottom line. 

 

Undisclosed Distributor #2
Sep 25, 2017

Partner is a very very loose term with those people. They just want to dump their old junk on you and then release a newer item. Hack? What Hack? Here's a brand new XVR!

Undisclosed Integrator #1
Sep 25, 2017

Hackers will always be Hacking no matter the manufacturer

John Honovich
Sep 25, 2017
IPVM

Hackers will always be Hacking no matter the manufacturer

Manufacturers who make it easy with poor cybersecurity are the ones who are going to get the hit the hardest. 

Plus since the two biggest volume manufacturers (Dahua and Hikvision) are so poor at cybersecurity, it makes it even more attractive. Lots of targets + easy hacking = top choice for hackers.

Brian Karas
Sep 25, 2017
IPVM

This is true. And it explains why manufacturers need to pay better attention to this, no need to make your products easy to hack. At least require hackers to put some effort into creating exploits. 

Mick Brown
Sep 25, 2017

Email from Dahua:

Hi Mick 

Sorry to cause this issue. We are preparing all general firmware for our OEM customer which should be ready around next Wednesday. Please let you technical talk to Tessie if you need some firmware quickly. And I saw the email between Tessie and Matt. They were trying to solve this issue. 

Best Regards 

Eric

Mick Brown
Sep 25, 2017

are oem dahua partners so unloved they try protect their own brand 

leaving oem partners in the dark

how long can customers go without cctv 

as an immediate fix we in the uk are offering a nominal charge to get another dvr /nvr

until dahua issue us with a workable fix

in the meantime buy a shovel and bury a dahua dvr in a big dark hole

Mick Brown
Sep 25, 2017

flir must be crying imagine getting sued by investors for 2 bilion usd 

for not giving full disclosure

wow

someone needs to go through their emails

see what they knew and when

 

Undisclosed Distributor #2
Sep 25, 2017

To this end; who is most responsible? The manufacturer, the distributor or the installer?

I guess what I'm asking is, how do we get in on the class action lawsuit?

Undisclosed #3
Sep 25, 2017
IPVMU Certified

I guess what I'm asking is, how do we get in on the class action lawsuit?

Class-action settlements are never anything worthwhile, in this case you'd be lucky to get $5 and a $50 off any DVR coupon.

Undisclosed Distributor #2
Sep 25, 2017

Not for my gain...

For public safety. To teach a lesson. To maybe, for once, stop the infection of insecure Chinese hacking aids from a rival nation that seeks to own us. Maybe to get people to WAKE UP.

Mick Brown
Sep 25, 2017

unfortunately the end user or their IT department 

if not on the internet hacking not really possible

but should a corporate adt/flir ipo quoted companies not declare the issue to shareholders investors may have a case for not giving full disclosure

dont use phone app keep it off the internet less risk

 

Undisclosed End User #4
Sep 25, 2017

[IPVM Note: this is from security researcher Bashis]

Dahua Snapshot (07/10/2016): How to Create a More Secure Security System (v1)

19. Use 888888 and 666666 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Snapshot (12/3/2017): How to Create a More Secure Security System (v2)

17. Use 888888 Accounts:

● These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

Dahua Nowdays: How to Create a More Secure Security System (v3)

17. [Not Existing]

 

 

Justin Gant
Sep 25, 2017
7PiXL

Now that's ridiculous

Undisclosed End User #4
Sep 25, 2017

Yes.

But below was a stupid response from Dahua after I reported this issue;

When they released a small "script patch" to transform this

"Group" : "admin",
"Id" : 2,
"Memo" : "888888 's account",
"Name" : "888888",
"Password" : "[obscured]",
"Reserved" : true,
"Sharable" : true
},

to this

"Group" : "admin",
"Id" : 2,
"Reserved" : true,
"Sharable" : true
},

That had this effect

Dahua Backdoor Patch Creates A New User "Null"

 

(1)
(4)
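
An added example, not code from Dahua, bashis or the original thread: a small audit over an exported account list that uses only the field names quoted in the comment above. The sample records and function names are constructed; the block contrasts stripping fields from the 888888 record, which leaves a nameless admin-group entry behind, with removing the record whole.

```javascript
'use strict';
// Added illustration; the records below are constructed from the field names
// quoted in the comment above and are not taken from a real device.

// Accounts the vendor documentation on this page describes as local only.
const LOCAL_ONLY_NAMES = new Set(['888888', '666666']);

const SAMPLE_DB = [
  { Group: 'admin', Id: 1, Memo: "admin 's account", Name: 'admin',
    Password: '[obscured]', Reserved: true, Sharable: true },
  { Group: 'admin', Id: 2, Memo: "888888 's account", Name: '888888',
    Password: '[obscured]', Reserved: true, Sharable: true },
];

// Models the field-stripping change: the record stays, its identity fields go.
function stripIdentityFields(db, name) {
  return db.map((rec) => {
    if (rec.Name !== name) return { ...rec };
    const { Memo, Name, Password, ...rest } = rec;
    return rest; // still carries Group, Id, Reserved, Sharable
  });
}

// Removes the whole record instead of hollowing it out.
function removeAccount(db, name) {
  return db.filter((rec) => rec.Name !== name).map((rec) => ({ ...rec }));
}

// Returns a list of findings; an empty list means nothing was flagged.
function auditAccounts(db) {
  const findings = [];
  const seenIds = new Set();
  for (const rec of db) {
    const hasName = typeof rec.Name === 'string' && rec.Name.length > 0;
    if (!hasName) {
      // A record with group membership but no name: a leftover, not a removal.
      findings.push({ id: rec.Id, issue: 'nameless-record', group: rec.Group ?? null });
    } else {
      if (LOCAL_ONLY_NAMES.has(rec.Name) && rec.Group === 'admin') {
        findings.push({ id: rec.Id, issue: 'local-only-admin-account', group: rec.Group });
      }
      if (typeof rec.Password !== 'string' || rec.Password.length === 0) {
        findings.push({ id: rec.Id, issue: 'missing-password', group: rec.Group ?? null });
      }
    }
    if (seenIds.has(rec.Id)) {
      findings.push({ id: rec.Id, issue: 'duplicate-id', group: rec.Group ?? null });
    }
    seenIds.add(rec.Id);
  }
  return findings;
}

// Audits the sample before any change, after stripping, and after removal.
function demo() {
  return {
    before: auditAccounts(SAMPLE_DB),
    afterStrip: auditAccounts(stripIdentityFields(SAMPLE_DB, '888888')),
    afterRemove: auditAccounts(removeAccount(SAMPLE_DB, '888888')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```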
Undisclosed End User #4
Sep 25, 2017

My crosspost from ipcamtalk DAHUA RECORDERS HACKED

There are three aspects of the Dahua backdoor worth considering.

1. You have upgraded Firmware, but not changed default admin and/or 888888 password = You are pwned
2. You have not upgraded Firmware, but changed default admin and/or 888888 password = You are pwned
3. You have upgraded Firmware, and changed default admin and/or 888888 password = You are not pwned (for now)

Simple.

John Honovich
Sep 25, 2017
IPVM

2. You have not upgraded Firmware, but changed default admin or 888888 password = You are pwned

Bashis, thanks. Can you elaborate on this? If the upgraded firmware did indeed 'fix' this, why would the user need to change the 8888888 password?

Undisclosed End User #4
Sep 25, 2017

John,

Newer Dahua has no 888888 account (only admin), but for those older Dahua that still have it, it's not enough to only upgrade Firmware; the admin/888888 password needs to be changed as well.

The fixed Firmware by Dahua is only about the passwd/Account1 backdoor, not the 888888 account.

There is no code in the Dahua server that checks whether a login with the 888888 account is local or remote; this is only done locally in the user's browser, by one simple check in the downloaded JavaScript code of whether the username is 888888 (then reject with a local browser pop-up). This is one of the reasons why Dahua removed their false statement from "Best Practice".

The usage of 888888 admin account for remote access, I really don't believe this is anything new (I have seen this also in some bot code), but have only been brought up to the surface now.

My PoC script for the passwd/Account1 backdoor simply downloads the whole user database and checks for the first available admin account to try to log in with; now it happens that 888888 is the first one chosen, and it usually works, since nobody changes this password, since it's supposedly local only.

So, it's very important to maintain both upgraded Firmware AND no default password, not for any account!

Have a nice day

/bashis

Undisclosed Manufacturer #9
Sep 26, 2017

@bashis, if devices only had the TCP port for port forwarding open is this hack still possible? e.g. are devices with just the HTTP / HTTPS port vulnerable?  

Undisclosed End User #4
Sep 26, 2017

Indeed, even with your favorite browser if you bypass the local check of 888888 account in 'loginEx.js'. You could use Burp proxy for instance.

Rich Moore
Sep 28, 2017

I had a client ask me how it was possible that anyone could have gotten the default password to a Dahua recorder.  I asked him to go to google and type in "Dahua Default Password,"  

https://forum.use-ip.co.uk/threads/dahua-default-login-username-and-password.377/

This is the first entry that pops up and is the very reason why anyone who gets any recorder/PC/Laptop/Etc. from any manufacturer should always change the default password.  

Undisclosed Integrator #5
Sep 25, 2017

**Warning: Conspiracy Theory Coming!!**

Is it too far fetched to think that Hik could be behind the hacking of Dahua? Making Dahua look bad would only benefit HikVision. Or is it silly to think Hik has the ability to hack a competitor, while leaving their own product so vulnerable? 

I wish this was a completely ridiculous idea, but alls fair in love and war. This hypothesis is totally supposed to make you laugh, or is it....

John Honovich
Sep 25, 2017
IPVM

Recall Hikvision devices were mass hacked earlier this year - Hikvision Defaulted Devices Getting Hacked.

I have no idea who is doing it and would not even attempt to guess with the little information we know now. However, if there is some material analysis of the source of these attacks, we would potentially report on that.

Undisclosed Manufacturer #14
Sep 26, 2017

North Korea.....?? They have been heavily involved in Cyber attacks and Kim Jong Un hand picks kids to go into their elite cyber warfare divisions...

Mick Brown
Sep 26, 2017

maybe they could knock out a dvr or nvr 

got cheap labour costs

 

Tobias Steiger
Sep 26, 2017

The Highfinance, Rotschild, Soros, Freemansons, Gobalists they are making the roules

Undisclosed Manufacturer #10
Sep 26, 2017

 "Making Dahua look bad would only benefit xxxxx.

 

"cui prodest scelus is fecit" (for whom the crime advances, he has done it). 

 

If you look with that angle, you may notice that Hikvision and Dahua are real threats to their (mostly western) competitors because of their prices. 

And the price is not the only reason: Dahua was one of first 3 manufactureres (with AXIS and BOSCH) who presented their 4K cameras before other competitors.

https://ipvm.com/reports/dahua-4k-test

(actually that 4K cameras release surprised me a lot)

And recently we hear a lot  about HIK and Dahua  problems with hackers. cui prodest

Undisclosed #3
Sep 26, 2017
IPVMU Certified

Is it too far fetched to think that Hik could be behind the hacking of Dahua?

See: Should Manufacturers Sponsor Penetration Testing Of Competitor's Products?

Undisclosed Integrator #6
Sep 25, 2017

We sold hundreds of Hikvision NVR's the first few years we were selling IP video and stopped about 18 months ago. Fortunately, we always created complex passcodes and did not use default ports. I am hoping this means those clients won't be affected. Boy am I happy we stopped when we did. We've sent out some mass emails letting people know this is happening and I have spoken to a few clients...it's interesting tho..the clients I've spoken to don't care and arent worried. 

John Honovich
Sep 25, 2017
IPVM

the clients I've spoken to don't care and arent worried.

So if their recorders were hacked, the camera feeds turned to black and the camera names changed to 'hacked X', they would not care?

Undisclosed Integrator #6
Sep 25, 2017

If they actually got hacked I think they might care. When I warned them about the potential vulnerabilities they didn't seem to care that much.

When we find deficiencies during fire alarm inspections we get a similar response. People for the most part just don't care that much. We have a document from the lawyer we have people sign when we make them aware of a problem and they don't want us to address it with fire alarm systems. We're working on the same thing now for our clients who don't want us to come out and upgrade firmware or replace these old cameras systems. 

We've made recommendations for these same clients to upgrade to a different system and offered a discount. A few have taken us up on the offer. We're making it easy by leaving the NVR in place and using the cameras and just installing a new server with a new VMS and keeping the cameras/NVR off the WAN. It's not ideal but it's a cost-effective upgrade that keeps the cameras away from the internet. Our recommendation, of course, has been to upgrade everything but no one has gone for it yet. 

Mick Brown
Sep 25, 2017

We should have a fix from dahua tomorrow after a long and unnecessary wait 

we will posting their solution here tomorrow

will apply to

customers with pal

not ntsc 

Undisclosed #8
Sep 26, 2017

Sadly that is the current state of the industry: most don't care or have the cyber security skills of a 7-year old, and those who care and try to make the situation better are simply shrugged off because they cause stress, and taking the free advice requires their audience to first understand what the problem is. That would also mean they acknowledge their system has flaws. Feels bad.

Michael Budalich
Sep 26, 2017
Genetec

so accurate and true. Most people just do not comprehend and explaining how their system is vulnerable goes in one ear and out the other. Like our industry has shown over the years, until something bad happens most people do not want to spend. 

Undisclosed Integrator #7
Sep 26, 2017

Apparently this has affected FLIR as well. I have an older 8 channel FLIR NVR in one of my garages that I monitor during the day. I noticed earlier today that I was unable to connect to it. Upon arriving home, sure enough, it has been hacked. All of the settings were changed. It didn't matter that I wasn't using default passwords. I had as secure of a password as you can have with only 6 digits. It took me a couple of hours tonight to get it back online. Currently I'm still on hold with FLIR to see if there are any future firmware updates or any help that they can offer. I'm not going to be holding my breath. 

John Honovich
Sep 26, 2017
IPVM

We are hearing many OEMs are impacted.

I know FLIR more recently has their own cloud service which eliminate the need for open ports that this hack uses. On the other hand, older FLIR units, in particular would be at risk.

Tobias Steiger
Sep 26, 2017

I am happy with Dahua. If you use IT technology, you have the risk of attacks and it doesn't matter who is the manufacturer. This is the danger which is coming of success. Without the quality / price ratio, it would be hard for us to make profit.

John Honovich
Sep 26, 2017
IPVM

If you use IT technology, you have the risk of attacks and it doesn't matter who is the manufacturer.

It does matter if the manufacturer includes a 'local only' account that has a vulnerability that allows remote attack. That is a defect, not a normal 'IT' 'thing'. Agree/disagree?

Undisclosed #8
Sep 26, 2017

That's a bit like saying if you have someone build you a house, it's business as usual that they forgot to install one wall but covered it with a blanket and assured you everything's fine. Perhaps someone also suggested you should at least have a fence, but you ignored them because you trust the "wall".

Edit: I understand that profit margins matter, and also that essentially every device has security flaws. These are just so basic, awful flaws that they are worthy of ridicule. Maybe in the future a company will emerge that has the skill and cojones to guarantee that their unit is not susceptible to easy attacks. And if it still was, they would humbly apologize, fix, and compensate the damage 50x. Too bold? For those who know they suck, it would be.

Undisclosed Distributor #12
Sep 26, 2017

This would be a death sentence to anyone making that statement.  There are many, many super smart people out there who are bored and do this type of thing for entertainment.  This was just a script-kiddie attack by someone who figured out how to adapt the local-only account flaw into a script that has been around bugging dahua stuff for a few years now (it used to create a "system" account and in the account notes said something like "You've been hacked").  In considering the alternatives, this was not malicious.  As far as I have heard, footage has not been lost, hard drives have not been formatted to erase footage, and only the live preview windows were altered, not the actual recorded content.  It could actually be considered a nudge to wake people up and try to get them to secure their equipment and maybe put a bug in the manufacturer's ear to get them to actually give half a hoot about security, which they won't because they: a) just don't care, b) won't add to the cost and detract from the profits or c) just don't know how.

Undisclosed #8
Sep 26, 2017

I agree, some automated script like this is probably just "for teh lulz" and while providing amusement for the initiator, it hopefully also wakes someone up to the security problems. Just like you - I'm sure - I wish most manufacturers/integrators et al. would take it seriously after their customers take a hit.

Gerald Spradlin
Sep 26, 2017

Are you also happy with alleged postings from the Mirai botnet author that Dahua products included 60 plus "secret" user and password credentials?

Undisclosed Integrator #11
Sep 26, 2017

I would recommend Dahuas, but not the NVR's...

 

On a job we are pricing now, we just removed a Dahua NVR option..

John Honovich
Sep 26, 2017
IPVM

Nelly's Security has issued a notice about the hack:

They blame it on default passwords but they leave out the critical point that it was a vulnerability that allowed remotely using the 'local only' account.

Sean Nelson
Sep 26, 2017
Nelly's Security

When we first learned about the hack, we were under the impression that it was due to usernames & passwords remaining default and having old firmware and/or a combination of the both. All the reports we have had so far were from customers who left their passwords default. Some of our larger previous customers who used a lot of Dahua in the past who routinely changed their passwords were not affected as much as other customers who never changed their passwords. So far, we've only had one report of a guy saying that he is very positive that he changed the password to the 888888 account so it's possible that even machines with changed passwords were vulnerable. 

Due to the onslaught of inquiries we received yesterday regarding this issue, we wanted to get something up as quick as possible and give a brief overview of the issue for our customers with the information that we have received to get them back up and running as soon as possible without going into deep depths of the technical aspects of how and why the hack occurred as we are still learning ourselves. We will update the site as needed and plan on continuing to educate our current customers about best practices on how to keep their products secure. I've given up a long time ago about getting any relevant information from Dahua so unfortunately we have to figure this out the hard way.

Jon Dillabaugh
Sep 28, 2017
Pro Focus LLC

Sean, I see in your instructions that you are not recommending changing the default port. Is there a reason why that isn’t part of your plan? Is it the difficulty of getting port forwarding configured in the firewall?

Undisclosed Integrator #15
Sep 26, 2017

So far we only had 1 compromised unit and by coincidence it's the only one using Dahua's p2p service.

In this device the log shows that the admin account was compromised. I've double checked, and the password was not the default, our password is still operational. The attack also included changing the network settings.

Until the new firmware is out guess we have to pull the plug on every device..

Undisclosed Integrator #16
Sep 26, 2017

I have a Uniden Scanner Radio and monitor my local emergency agencies.  Sometimes I hear an alarm dispatch to one of my customer's homes or businesses.  The other night I heard a local police department being dispatched to a home to investigate a suspicious activity.  The dispatcher said the homeowner has multiple cameras around her home and noticed the monitor is displaying the word "hacked" on all of her cameras. 

Chances are, this is one of the affected systems and this gives you an idea of how some of your clients will be reacting to the problem.  Some people may think they're being targeted or stalked, and may not realize it's happening globally. We don't know if this was a DIY install or something installed by an integrator, not that it makes a big difference.  I don't know what a law enforcement agency would do in this type of matter, they may just document the call with a brief report, especially if the person had the cameras installed because they were, or are currently being, stalked or harassed.

 

Undisclosed #8
Sep 26, 2017

I find it sort of cool you were eavesdropping an emergency report of this particular hack in the wild.

Mick Brown
Sep 26, 2017

yes sometimes people forget these are products solutions to safeguard people

women at risk is a common use where the ex comes round to cause trouble

in this light something really should have been put together more quickly

 

(1)
(1)
UI
Undisclosed Integrator #17
Sep 26, 2017

I see your point.  My counterpoint is that if the client's sole requirement for a security system is that it is cheap... they're kind of asking for it.  It is a risk on their part, measured appropriately or not.  No one hires a 5'2" 100 lbs bodyguard, at any price, for good reason.  Also, much less likely to do so if they also work for a frenemy on the side.

(1)
UM
Undisclosed Manufacturer #18
Sep 27, 2017

But a good guard company wouldn't hire a 5'2" 100lb guard. By hiring them and offering them to their customers they are vetting it as an appropriate solution. If they were offering this individual as a clown and they were then offered a job as a guard, then it is the customer's fault.

 

But dahua is offering products that look like professional security products and marketing them to professional customers.

It ends up being buyer beware but a small customer who doesn't do lots of research or have experience with this would have no idea, except that they can't pronounce the name or identify the logo. 

(2)
(1)
Rich Moore
Sep 28, 2017

I don't know, there are some short guys that I'd prefer as a bodyguard:

https://www.youtube.com/watch?v=6HvnRvUSHr4

 

JH
John Honovich
Sep 26, 2017
IPVM

Update: 

Dahua Responds / Buries Attacks

Dahua has issued a press release in response to these attacks obscurely titling it, "Dahua USA Launches Latest Cybersecurity Initiatives". The hacks are not mentioned until paragraph 3:

Two important problems to note: These other 'leading' manufacturers are Dahua's own customers / OEMs. The way Dahua phrases it implies that this is some general issue across independent manufacturers but it really is a Dahua defect that Dahua delivered to both their branded and OEM customers. Moreover, the release tries to blame the attacks on default passwords but the critical problem is Dahua's own vulnerability that allowed remote attackers to fake local access to hack the Dahua recorders with the 'local only' 88888888 account.

U
Undisclosed #8
Sep 26, 2017

*bottles Dahua's crocodile tears to sell at a discount later*

As usual, goes to show the typical response of a company responsible for ********: denial, misleading and blaming others. Too bad it only works on clueless people.

(3)
(1)
(1)
UD
Undisclosed Distributor #12
Sep 26, 2017

Apparently it works for everyone because both dahua and hik continue to use this tactic time after time after time without fail.  They just don't care, it will blow over in a few days and they'll have another sale and it will all be water under the bridge until the next time it happens.  If a reseller/installer tries to take a stand by not buying their stuff, they only suffer when they lose customers that insist on the cheap garbage no matter the risks.

(4)
JH
John Honovich
Sep 26, 2017
IPVM

#8, #12, good exchange.

I do agree with #12 that many dealers will blow over in a few days, and these guys will do more sales, etc.

On the other hand, I still think it is going to be damaging. (1) Some dealers (even if it is only 1 out of 5) are going to be upset, maybe upset enough to switch, (2) many potential new dealers will hear about this, and make them more wary, increasing sales cost and (3) these companies really need to get to a point where they hold their prices to pay for their heavy sales and marketing expenses.

My net/net, these companies can take an external marketing position that everything is sunshine and roses all they want but they know inside that they can't absorb these types of problems long term.

MM
Michael Miller
Sep 26, 2017

These issues are going to make it harder and harder for Dahua and Hikvision to get into the enterprise market IMO.   In the last couple of weeks, I am starting to see some changes in our healthcare customers.  Before we worked either with security or facilities but in the last couple of weeks IT is getting involved and wants to know everything.  One of our customers just handed all physical security to their new CSO who promptly started to do pen tests on the network and showed his bosses how easy it is to clone their access cards.  I would not want to be the guy trying to sell him Hikvision or Dahua.

(2)
(4)
U
Undisclosed #8
Sep 26, 2017

That's fantastic!

(2)
(1)
UI
Undisclosed Integrator #17
Sep 28, 2017

We are seeing some pretty significant pushes in the cyber security items that ride or touch the client network:

1. Antivirus on the VMS server.

2. Carbon Black

3. ACL limitations on remote access

4. SolarWinds deployment

5. Actually taking the time to manage their domains as it applies to the VMS clients

6. Automatic scheduled windows updates

All welcome changes with the possible exception of #2 simply due to the time Carbon Black adds when updating servers.  These are both enterprise accounts.  I believe the news on hacks may be starting to shake them.  For this reason I can guarantee Hik/Dahua would have an incredibly difficult time poaching these Enterprise accounts.

(1)
U
Undisclosed #8
Sep 26, 2017

I guess you're right, at least in the sense that it works way too often. Perhaps imprisoning people with absolute disregard for their ignorant and damaging behavior would deter others from doing the same mistake too often. But hey, it's not like the same doesn't happen in any other sector, including geopolitics, so I'm not holding my breath.

UM
Undisclosed Manufacturer #9
Sep 27, 2017

Most of our hacked machines have had no actual 888888 local accounts but may have had default admin passwords (we have had some reports where all passwords were changed too!) so the attack was done in multiple ways.

Also we actually 1st started to experience reports from recorders that only had P2P setup so this is a concern too going forward....  

(1)
MB
Michael Brumbelow
Sep 26, 2017

I only use Chinese made products on standalone networks. I use Axis if the network is connected to the internet.

(2)
Fredrik Ahlsen
Sep 27, 2017

Who would have thought that exposing a device to the internet with default passwords was a bad idea !?! 

I must say I'm a bit surprised to see how many installers are making this cardinal error.

(4)
U
Undisclosed #8
Sep 27, 2017

To be fair, they were probably just following the instructions: change default admin password, check. Set up port forwarding, check. Get pwned, ****.

(2)
Kyle Folger
Sep 27, 2017
IPVMU Certified

I would agree. If you aren’t changing the default password and are on the internet, you don’t deserve to be in business. Yes, Dahua isn’t perfect, but hearing the presence of default passwords is just dumb.

I also don’t understand why you wouldn’t have different passwords for every machine. It’s not that hard to document user names and password.

I have one customer that had a Dahua DVR with all default passwords. The reason for this is that the owner keeps it in a steel lockbox with a custom steel bar with a padlock. It’s not connected to any network. 

U
Undisclosed #8
Sep 27, 2017

While I don't know all specifics of those Dahuas, it doesn't sound unlikely that someone might just buy a recorder, set it up per the Quick Start Guide, reach page 20 where it says:

For security reason, please modify password after you first login.

Fair enough, they do that. That is, they change the password of the admin account that is bolded in the manual, since the "888888" account is defined as "local only". It's plausible someone believes that and just leaves that as default, in case of dementia or something else. On the same page they repeat:

For your own safety, please change your administrator default password after your first login. (emphasis mine)

This makes it sound a bit like the admin account is the one to care of and gives a mixed signal, not making it clear that also the "local" passwords should be changed. The main fault though is the poor implementation of "local only" for the "888888" account, as far as I've understood the issue.

 

Kyle Folger
Sep 27, 2017
IPVMU Certified

I have only had one Dahua DVR hacked so far. It was on older firmware using port 8080 and 37777. It’s also the only DVR that has HTTP port forwarded. Every other unit only has 37777. Time of hack was 4:00 a.m. EST Sunday. All passwords were not default and no passwords appeared to have been changed after the hack.

(3)
JH
John Honovich
Sep 27, 2017
IPVM

All passwords were not default and no passwords appeared to have been changed after the hack.

Kyle, to that end, you agree that the hacks are exploiting something beyond default passwords?

Kyle Folger
Sep 27, 2017
IPVMU Certified

For sure. On every Dahua that has been connected to the internet I have always changed the 6’s, the 8’s and admin account passwords. I would like to know if the hack was through HTTP port. I stopped opening the HTTP on Dahua DVRs a long time ago unless the customer absolutely needed browser access. That was true for this DVR.

(1)
(2)
JH
John Honovich
Sep 27, 2017
IPVM

Kyle, good feedback. We did get more detailed comments from Dahua overnight but we are still in the process of talking to them and will pass along your input as well as ask some more questions and report back here when we have more details to share.

(1)
Christophe Bonavia
Oct 06, 2017
IPVMU Certified

A suggestion would be to use the P2P option with the qr code and an app such as easy4ip. I have heard that the refresh rate is slower than accessing your NVR via port forwarding but this solution I believe is far safer. What are your thoughts on this John?   

http://www1.dahuasecurity.com/products_category/easy4ip-587.html

Kyle Folger
Oct 06, 2017
IPVMU Certified

Slower access...to not connecting at all...to I’m not going to trust their security on the cloud and be held hostage if their connection breaks. I tried it with two customers as a test when it was first available...no thanks.

Christophe Bonavia
Oct 06, 2017
IPVMU Certified

Thank you for your feedback Kyle. It is appreciated. It is unfortunate that we live in a world where people feel the need to be destructive with other peoples property. These hackers get a buzz out of this kind of destructive challenge when they could be using their intelligence and creative abilities to make our world a much better place. The manufacturer, installer and customer unfortunately wear the brunt of these childish games.     

Mick Brown
Sep 27, 2017

the major number of dahua customers are oem

they have been abandoned by dahua saying that james pulled all the stops at dahua and has now given us firmware for our older dvrs

 

i would like to thank him for fixing this

all those who use pal oem dvr/nvr heres the fix

http://qvisglobal.com/dahua-hack-fix

(1)
JH
John Honovich
Sep 28, 2017
IPVM

The Dahua hacks are getting some interest / attention on Reddit but only one participant correctly was able to explain that this was from Dahua, the rest speculated about what to do / what was going on.

Mick Brown
Sep 28, 2017

This is becoming old news

dahua have published a fix 

(1)
(2)
Jon Dillabaugh
Sep 28, 2017
Pro Focus LLC

Heading out to fix two more units this morning. They were not my installs. These are IC Realtime units that were installed by alarm techs with ZERO security knowledge. Default everything on these units upon install. Never even changed a single setting. Plug and run. 

(1)
Mick Brown
Sep 28, 2017

why easy for customer to do them self

Jon Dillabaugh
Sep 28, 2017
Pro Focus LLC

I agree. They have step by step instructions from IC Realtime, but still want a professional to come do the work instead. I told them my business partner was out with appendicitis and they would have to settle for me instead. 

(1)
GS
Gerald Spradlin
Sep 28, 2017

Dahua's market capitalization since January of this year is up 51%. Sitting now at a tidy 10.1 Billion USD. And this is off their 52 week high of a market cap of nearly 12 Billion USD. What's interesting is the five years prior to the publicity Dahua received during the Mirai Botnet exposure, Dahua's stock traded flat , doing essentially nothing for five years. Immediately following the Mirai incident? The stock soared.

In 2015, Dahua realized a value of 4.3 Billion USD. Their stock late 2014 and early 2015 bounced around between 9 and 10 Chinese RMB or about 1.50 US Dollars a share. Since the public exposure to all of the security vulnerabilities, Dahua has gained over 100% in value or nearly 6 BILLION USD. If you are a senior executive at Dahua with company stock, I would imagine you're hoping and praying for more bad press.

Flir/Lorex is obviously Dahua's largest USA buyer now. FLIR stock performance nearly mirrors Dahua since the Mirai incident.

I think Dahua deserves a market capitalization of about 200 hundred dollars.

But being a contrarian here, I do find the irony of the massive wealth created for Dahua management to be extraordinary given the timing of their massive jackpot.

 

(3)
EJ
Eythor Johannesson
Sep 28, 2017

I have had two systems attacked so far at least two or three times each, where would I find this "fix" from Dahua please? Are we talking about firmware upgrade?

Thank you 

Eythor

UE
Undisclosed End User #4
Sep 28, 2017

Firmware upgrade and no default password on any account

Try here, if you can find what you should look for...

http://www.dahuasecurity.com/firmware_111.html

Good luck

UI
Undisclosed Integrator #19
Sep 30, 2017

So bad news. Defaulted and Upgraded a dahua dvr yesterday with new firmware from supplier, changed all default password and was hacked again tonight. Any ideas? 

(2)
JH
John Honovich
Sep 30, 2017
IPVM

Defaulted and Upgraded a dahua dvr yesterday with new firmware from supplier, changed all default password and was hacked again tonight. Any ideas?

Unfortunately, I believe you because we have heard a few other cases in the past week with same pattern.

Can you share what firmware version that was? It would help us track this back with Dahua.

A big problem with this situation is that because Dahua has had so many vulnerabilities and such unclarity about what firmware fixes what, it is hard to tell what the attackers are using (potentially multiple vulnerabilities) and what versions 'fix' them.

(1)
(1)
Sean Nelson
Sep 30, 2017
Nelly's Security

What is your firmware build date and what is your model? We thought we had the latest firmware on some but apparently we didn't. What a nightmare. Issue is Dahua isn't putting firmware on their site for ALL of their previous DVRs and it's been hell trying to find all of them.

RS
Robert Shih
Sep 30, 2017
Independent

A worst case scenario would probably include the algorithms for the various Dahua password generators out there.

Honestly, this could have played out much worse than it could have if they wanted to do some real damage. Bricking the units, deleting all stored footage, or actively shutting out all other users from access so that defaulting through normal means isn't even possible: these are all things that haven't happened here, but could have and it's a clear indicator that this hacker is just being extra snarky at bringing awareness to insecure practices and firmware in the field of video surveillance.

The method of delivering this public awareness bulletin is a little too "gray" for my tastes (as opposed to being "white"), but the intention is...mostly beneficial to the overall industry.

(3)
(1)
UI
Undisclosed Integrator #19
Sep 30, 2017

The model that was hacked again is HCVR16HS-S2 with a firmware build date of 4/17/2017.  This is what our supplier sent as a fix.

 

(1)
UI
Undisclosed Integrator #20
Sep 30, 2017

I think that may be an incomplete SKU for Dahua. However if you mean HCVR4116HS-S2 then the correct firmware would be V3.200.0004.11.R.20170417 (according to Dahua Rep) so the date seems to correspond. This is the firmware we also were instructed to use in order to patch the 888888 vulnerability. 

 

RS
Robert Shih
Sep 30, 2017
Independent

Have you guys tried deleting the 888888 account altogether?

UE
Undisclosed End User #4
Sep 30, 2017

I would be interested to know what response you will get if you try these URIs

1) http://<IP>/current_config/passwd

2) http://<IP>/current_config/Account1

3) http://<IP>/current_config/Config1

4) http://<IP>/current_config/user.lua

5) http://<IP>/current_config/a.sh

6) http://<IP>/current_config/b.sh

/bashis

 

UM
Undisclosed Manufacturer #23
Oct 02, 2017

How did you apply the firmware update? Did you just flash it with a usb or apply full image over serial?

UI
Undisclosed Integrator #19
Sep 30, 2017

Yes, the complete model number is HCVR4116HS-S2 and the firmware did not appear to fix the problem.

None of the commands above returned anything but webpage not found.

(1)
UE
Undisclosed End User #4
Sep 30, 2017

Thanks

UI
Undisclosed Integrator #19
Sep 30, 2017

What was your reasoning on the commands above?

UE
Undisclosed End User #4
Sep 30, 2017

Looks to me there is something new found (or old but not fixed), some of these URIs are accessible with the things (backdoor) I've found, and some with earlier fixes from Dahua.

And if you get 404 on all, then there is something new...

U
Undisclosed #3
Sep 30, 2017
IPVMU Certified

bashis, hypothetically speaking, could you devise a simple gray hat fix that could be run remotely, as discussed in Should I Hack 10,000 Dahua Cameras?

UE
Undisclosed End User #4
Sep 30, 2017

U3, I don't want to speculate into who and possible motive, I'm more interested into how, and what I have learned today from above it's most probably not what I've discovered and published.

U
Undisclosed #3
Sep 30, 2017
IPVMU Certified

No, I'm just asking you if you think that a remote fix could be created, without the help of Dahua, that would use the 888888 vulnerability to gain access to a device, then do *something* that would disallow 888888 network access, until the owner applies the proper Dahua fix?

I'm not concerned with who or motive either.

UE
Undisclosed End User #4
Sep 30, 2017

Well, if there is a bug in the firmware - then no.

If there is somehow, by any chance and for any reason, another account that you cannot change password on that can dump the user database - then yes, maybe.

There is one hidden account with login: default and passwd: tluafed

But this account doesn't have any direct privileges, so I find it a bit unlikely. (however, there can be a bug - of many others)

I think you see the '888888' as a symptom of the cause, and I have also read about they have only seen 'local' and not '888888'.

I definitely would suggest to kick all these out of any Internet access, no UPnP and definitely _not_ start using P2P (!) - P2P opens other crap that you for sure don't want.

Use VPN (or simply SSH with port forwarding), that would help you a lot.

 

 

UE
Undisclosed End User #4
Sep 30, 2017

Another thing, their firmware are shit loaded with all kind of debugging code, I don't even think they leave out anything from R&D to delivery for customers.

I noted that too in my publishment, where I kindly asked Dahua to remove all this crap out.

(1)
UI
Undisclosed Integrator #21
Sep 30, 2017

We have now seen this hack on systems with no default passwords, no default ports and 2017 firmware.

(1)
UI
Undisclosed Integrator #19
Sep 30, 2017

Are you saying you have experienced the same issue w/ 2017 firmware or restating my incident?

Alex Gonzalez
Sep 30, 2017
IPVMU Certified

Let me provide input from our experiences so far with this hack. We have over 300 DVRs out in the field, mainly TVT DVRs/NVRs (75%) and Dahua DVRs/NVRs 20%

We only had about 10 Dahua DVRs affected; some are older models and some have been recent models. It is very inconsistent. I looked at the system log and it shows the user 888888 logged in from the internet from different IP addresses.

187.87.189.91 (from Brazil)

209.27.51.78 (from USA)

I'm sure they are running some type of script through Tor or proxy server.

Hopefully this info can be useful. 

(1)
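The log check described in the comment above, as an added example that is not part of the original thread: it flags every network login by an account that is meant for local use only and notes whether settings were saved in that session. The CSV layout, event names, timestamps and LAN addresses are constructed for illustration; only the account name and the two public addresses come from the comment.

```python
import csv
import io
import ipaddress

# Accounts the thread describes as intended for local (console) use only.
LOCAL_ONLY_ACCOUNTS = {"888888"}

# Constructed sample export: time, event, user, source. The column layout and
# event names are assumptions; adapt them to what your recorder exports.
SAMPLE_LOG = """\
2017-09-24 03:58:11,Login,admin,192.168.1.20
2017-09-24 04:00:02,Login,888888,187.87.189.91
2017-09-24 04:00:09,Save Config,888888,187.87.189.91
2017-09-24 04:00:15,Logout,888888,187.87.189.91
2017-09-25 11:12:40,Login,888888,Local
2017-09-26 04:01:33,Login,888888,209.27.51.78
2017-09-26 04:01:41,Save Config,888888,209.27.51.78
2017-09-27 09:30:00,Login,888888,192.168.1.50
"""


def classify_source(source):
    """Return 'console', 'lan' or 'internet' for a log source field."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except ValueError:
        return "console"  # "Local", empty, or anything that is not an IP
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "lan"
    return "internet"


def find_network_use_of_local_accounts(log_text):
    """Summarise, per (user, source), network activity by local-only accounts."""
    sessions = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        when, event, user, source = (field.strip() for field in row)
        origin = classify_source(source)
        if user not in LOCAL_ONLY_ACCOUNTS or origin == "console":
            continue
        entry = sessions.setdefault((user, source), {
            "user": user, "source": source, "origin": origin,
            "first_seen": when, "last_seen": when,
            "events": 0, "config_changed": False,
        })
        entry["events"] += 1
        # Timestamps are ISO-style strings, so string comparison orders them.
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        if event == "Save Config":
            entry["config_changed"] = True
    # Internet-origin findings first, then oldest first.
    return sorted(sessions.values(),
                  key=lambda s: (s["origin"] != "internet", s["first_seen"]))


if __name__ == "__main__":
    for s in find_network_use_of_local_accounts(SAMPLE_LOG):
        print(f'{s["origin"]:8} {s["source"]:15} user={s["user"]} '
              f'events={s["events"]} config_changed={s["config_changed"]} '
              f'{s["first_seen"]} .. {s["last_seen"]}')
```

A LAN-origin hit is reported as well, since a local-only account should not appear with any network source address.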
UM
Undisclosed Manufacturer #22
Sep 30, 2017

What a shambles...can't believe that we now have 2 pages of this thread based on security flaws in kit manufactured by the second largest Chinese manufacturer and many are still openly stating that they will keep using this ****

(2)
EJ
Eythor Johannesson
Sep 30, 2017

What are your thoughts about whether Dahua should announce this publicly or not, is it theirs to do or not, are they turning a blind eye to this? Does it benefit them to ignore this or do you think they have a solution in hand or are they struggling to come up with a solution?.. And is there one?:-)

UI
Undisclosed Integrator #19
Oct 02, 2017

A couple more points.  I am told by my employee that the updated firmware was not hacked. Don't want to mislead anyone.

An interesting point I noticed after the most recent hack. Previous hacks had changed all channel names to "Hacked".  The last dvr we upgraded had changed the names to hacked but also changed two channels to  "upgrade firmware". The fact that they named those as such doesn't seem to me  like these hacks have malicious intent but maybe another motive.  "Upgrade firmware" Thoughts?

Alex Gonzalez
Oct 02, 2017
IPVMU Certified

I feel the same way "no malicious intent" if they had malicious intent they wouldn't let you know DVR was hacked by changing IP, ch name, image color to black. It's more like a warning or informing us of this vulnerability that maybe Dahua ignored.

The worst aspect of it is the loss of trust and customer dissatisfaction because the system we install had poor security. This is my main short and long term concern.

At the same time if Equifax and other major government agencies get hacked what can we expect for these DVRs/NVRs/IPCs.

 

BTW I haven't updated one firmware yet, had a couple of units that got hacked I changed the default network port from 37777 to ***** but got hacked a second time, changed the 888888 psswd and so far hasn't been hacked again.

I'll keep you guys posted and hopefully this can be useful to all.

Justin Gant
Oct 02, 2017
7PiXL

Did you have any other ports open on the firewall? I wonder how you got hit again with using a nonstandard port. 

U
Undisclosed #8
Oct 02, 2017

Making a trivial google search for the DVR login pages shows that quite a few of them are running on a non-standard port, but it doesn't really help in the end. If the attacker knows that there used to be a device behind some IP, they could just port scan it to find the new port.

Alex Gonzalez
Oct 02, 2017
IPVMU Certified

Only http port which I always have changed from default, I only used to leave default the 37777

Yes one of the units fixed in the morning which I only changed default 37777 to ***** was hacked a second time, I changed the 888888 password and so far so good.

The ones done in the afternoon we changed the ports and the 888888 user passwd and none have been hacked again so far.

 

We are eventually going to be updating the FW to all Dahua units that our clients have out there, but I'm waiting for 100% confirmation of vulnerability patched in new FWs. Which that will be another mission with all the different models and very poor categorization of FW downloads

UM
Undisclosed Manufacturer #13
Oct 03, 2017

DVR5116H

/Firmware/DVR/DVR5x16/                  General_DVR5x16_Eng_PN_V3.200.0001.24.R.20170929

DVR5x08

/Firmware/DVR/DVR5x08/                  General_DVR5x08_Eng_PN_V3.200.0001.24.R.20170929

DVR5x04

/Firmware/DVR/DVR5x04/                  General_DVR5x04_Eng_PN_V3.200.0001.24.R.20170929

HCVR5104H

/Firmware/DVR/HCVR5104H/             General_HCVR5104H_Eng_N_V3.200.0001.32.R.20170929

HCVR5108H

/Firmware/DVR/HCVR5108H/             General_HCVR5108H_Eng_N_V3.200.0001.32.R.20170929

UE
Undisclosed End User #4
Oct 03, 2017

URL?

RS
Robert Shih
Oct 04, 2017
Independent

Took some time, but I'm loaded up on firmware too now! If anyone needs anything I'm good at magically matching firmware to mystery Dahua models. Ask anyone who buys from me!

Sean Nelson
Oct 03, 2017
Nelly's Security

@Dahua: Why don't you just list all your firmwares of every single DVR you have made on your website? Why isn't this a no-brainer for you?

Your Dahua Wiki only shows newer model USA versions.

Why is stuff like this so hard for you to figure out how to do? 

(4)
UM
Undisclosed Manufacturer #9
Oct 04, 2017

They have all the firmware for past and present models on the international website http://www.dahuasecurity.com/firmware_111.html

To their credit they went way back to models selling 5+ years ago and applied patches to them (example being DVRxx04LF-A)

You will need their up to date firmware matrix sheet to match all the firmware types to the exact models....

Sean Nelson
Oct 04, 2017
Nelly's Security

Wow this is great. I swear when I posted this, that was not there. Did they just add this recently?

Where does one get the matrix sheet?

UM
Undisclosed Manufacturer #9
Oct 04, 2017

That link is to the Dahua international website, Dahua USA website as typical with Dahua is different in most ways and Dahua USA clearly don't care too much about legacy models.

If you go into the products on the international website you will see a firmware tab where you will also see the firmware type used for the product. 

Dahua for some reason don't publish the firmware matrix sheets publicly. If you are looking for details on a particular model, just ask.

Sean Nelson
Oct 05, 2017
Nelly's Security

Anybody got firmware for Old School Dahua NVR3xxx ?

GC
Greg Cortina
Oct 04, 2017

Our page has been updated.

http://www.flir.com/securityinfo/

FLIR has been pushing updates to Cloud Connected models and users or dealers can accept these updates locally at the machine or through the CMS software and App.

Please read the instructions carefully.

Sean Nelson
Oct 04, 2017
Nelly's Security

If for some reason you guys may be having trouble updating really old firmwares, don't forget to change your file name to update.bin

Back in the day, a device wouldn't take the firmware unless it had this file name

Christophe Bonavia
Oct 04, 2017
IPVMU Certified

We had a 16 channel Dahua NVR returned to us yesterday that had been hacked. It had the words hacked as the username under the PPPOE settings. We performed a factory reset and all came good and was working again. We will be recommending that the default username and password are removed once a new user has been created. I hope that more development time is spent on protection from the outside in future. This is detrimental to businesses that rely on security systems.  

(1)
(1)
Jon Dillabaugh
Oct 05, 2017
Pro Focus LLC

I will start out by disclosing that I am out of town and not physically on site to inspect my clients’ Dahua based recorders, but I have reason to believe they have been hacked again. My clients have been locked out and can not access their Dahua based recorders. They claim the first four cameras are black screens again, but this time they didn’t change the channel labels to HACKED.

Two of these specific units were IC Realtime units that I defaulted and upgraded just last week. I changed all account credentials as well as all port numbers. Only one port was open to the internet, the TCP mobile port (normally 37777 for Dahua). All other ports were closed on the firewall.

I will update this post more when I get back in town and do some more digging first hand. 

(2)
U
Undisclosed #8
Oct 05, 2017
  • Only one port was open to the internet

WHY? How can it be so hard to not ever do such things?

Kyle Folger
Oct 06, 2017
IPVMU Certified

Just like how hard can it be to make a damn security product somewhat secure and not be victim to elementary attacks and then act clueless, as a manufacturer, to what’s going on. 

(2)
U
Undisclosed #8
Oct 06, 2017

The manufacturer should of course have a clue first and provide secure options out of the box, or recommend alternatives if those don't fit. But this is just one of ongoing threads here about the poor security of those devices. It should be  obvious at this point that their security alone can't be trusted and simply resetting the device after a hack is not sufficient if it can still be poked over the internet. VPNs have been around for a couple of decades now, some cameras even have SSH but I'm not sure if it's used much in the industry.

The devices certainly have enough resources to run stuff like Tinc, but I think what's needed here is mostly effort from the manufacturer to turn secure remote access into a no-brainer, and stop giving poor advice to users.

As it's seemingly impossible for manufacturers to succeed in this, maybe someone should just make a 1-day PoC of a simple VPN-type device management appliance on a cheap, $10 embedded computer (or any available computer) that you could just plug in without complex configuring when installing the security gear. Hopefully some corporation would then steal that, make it a bit fancier and bake it into a mandatory step in the installation of their devices and of course provide it for free.

While all software has flaws, I'm much more comfortable having a public facing SSH server with key-only authentication than a seriously broken web interface riddled with holes.

Jon, if you care to disclose more information about the networking requirements of your client, perhaps we would have some suggestions to improve the security.

(1)
U
Undisclosed #8
Oct 07, 2017
Jon Dillabaugh
Oct 06, 2017
Pro Focus LLC

It isn’t hard. But it does cost money. This particular client is a penny pincher. At some point, if you add up my time dealing with these issues, it would have paid for a few VPN routers. 

(1)
(1)
U
Undisclosed #8
Oct 06, 2017

I understand. If money wasn't the issue, then time would be anyway. All this stuff should be made as simple and straightforward to use as possible by default, even for the end user.

Jon Dillabaugh
Oct 10, 2017
Pro Focus LLC

OK, so these particular IC Realtime units did not get rehacked. They had a PSU die at one site, which they assumed was another hacking incident. False alarm.

(1)
EJ
Eythor Johannesson
Oct 06, 2017

I had a couple of two year old 4216nvr's hacked two or three times, I upgraded one of them to see what would happen (was running old firmware since 2015).  Just changed names of cameras from "hacked" and network back to what it was before and it is still good.  It has port 37777, 37778, 554, 443, 8080 forwarded still and same users and password as before (no not default of course).

The other nvr, same type with same old firmware I changed everything for third time on the same day as I upgraded the other one, well it got hacked very soon after as before but in this time changed the name of one or two cameras from the usual "hacked" to "firmware"...

(1)
UM
Undisclosed Manufacturer #9
Oct 06, 2017

Unless you upgrade to the latest security patched firmware changing all the other things won't make any difference!

1st Generation 4 Series NVR's use NVR4xxx firmware type, so download DH_NVR4xxx_Eng_P_V3.203.0000.0.R.20170612 from Dahua download page http://www.dahuasecurity.com/firmware_171.html

Or just contact with whomever you purchased it from.

(1)
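A way to track build dates across a fleet, given how often this thread comes back to "what is your firmware build date": an added example, not from the thread or from Dahua, that parses firmware names of the shape quoted in these comments and compares each unit's installed build against the newest build a supplier has named for its firmware type. The firmware names are the ones quoted in the thread; the inventory entries, site labels and field names are constructed assumptions.

```python
import re
from datetime import datetime

# Shape of the names quoted in this thread, e.g.
#   General_DVR5x16_Eng_PN_V3.200.0001.24.R.20170929
#   V3.200.0004.11.R.20170417        (version only, no firmware-type prefix)
# Group names are labels chosen for this example, not vendor terminology.
FIRMWARE_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z]+)_(?P<family>[A-Za-z0-9]+)_"
    r"(?P<variant>[A-Za-z]+_[A-Za-z]+)_)?"
    r"V(?P<version>\d+(?:\.\d+)+)\.(?P<tag>[A-Z])\.(?P<build>\d{8})$"
)

# Firmware names as quoted in the comments above.
SUPPLIER_NAMES = [
    "General_DVR5x16_Eng_PN_V3.200.0001.24.R.20170929",
    "General_HCVR5104H_Eng_N_V3.200.0001.32.R.20170929",
    "DH_NVR4xxx_Eng_P_V3.203.0000.0.R.20170612",
]

# Constructed inventory. "family" is the firmware type your supplier gave you
# for the unit (None if you have not been told); "installed" is whatever the
# unit reports: a firmware/version string or a build date typed as M/D/YYYY.
INVENTORY = [
    {"label": "site-A NVR", "family": "NVR4xxx", "installed": "6/30/2015"},
    {"label": "site-B DVR", "family": "DVR5x16",
     "installed": "General_DVR5x16_Eng_PN_V3.200.0001.24.R.20170929"},
    {"label": "site-C HCVR", "family": None,
     "installed": "V3.200.0004.11.R.20170417"},
    {"label": "site-D HCVR", "family": "HCVR5104H", "installed": "unknown"},
]


def parse_firmware_name(name):
    """Split a firmware name into family, version and build date."""
    m = FIRMWARE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised firmware name: {name!r}")
    try:
        build = datetime.strptime(m["build"], "%Y%m%d").date()
    except ValueError:
        raise ValueError(f"invalid build date in {name!r}") from None
    return {"family": m["family"], "version": m["version"], "build": build}


def parse_installed_build(text):
    """Accept a firmware/version string or a build date typed as M/D/YYYY."""
    text = text.strip()
    try:
        return parse_firmware_name(text)["build"]
    except ValueError:
        return datetime.strptime(text, "%m/%d/%Y").date()


def build_baselines(names):
    """Newest build per firmware type among the names a supplier pointed to."""
    baselines = {}
    for name in names:
        info = parse_firmware_name(name)
        if info["family"] is None:
            continue  # a bare version string cannot be tied to a type
        current = baselines.get(info["family"])
        if current is None or info["build"] > current["build"]:
            baselines[info["family"]] = info
    return baselines


def audit(inventory, baselines):
    """Return (label, status) per unit; status says what to chase next."""
    results = []
    for unit in inventory:
        base = baselines.get(unit["family"])
        if base is None:
            status = "no-baseline"      # ask the supplier which type applies
        else:
            try:
                installed = parse_installed_build(unit["installed"])
            except ValueError:
                status = "unparseable"  # read the build date off the unit
            else:
                behind = installed < base["build"]
                status = "behind" if behind else "at-or-newer"
        results.append((unit["label"], status))
    return results


if __name__ == "__main__":
    for label, status in audit(INVENTORY, build_baselines(SUPPLIER_NAMES)):
        print(f"{label:12} {status}")
```

A status of at-or-newer only means the build date matches what the supplier named; it is not evidence that a particular vulnerability is fixed in that build.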
Jon Dillabaugh
Oct 06, 2017
Pro Focus LLC

This particular client purchased the IC Realtime DVRs from a local locksmith company. They couldn’t figure out how to unhack the DVR, so they called me in to do it. 

I was contacted by Steve Reader from ICR last week when I made a post here. He was very helpful in getting the units firmware upgraded to his latest release (2015), but obviously that firmware is still vulnerable. 

If that is the end of the line for these units, they will just need to get unplugged from the net or replaced with something newer that is more difficult to hack. Might be a good time to switch them out to DW Spectrum!

Undisclosed #8
Oct 06, 2017

Even though some particular device was more difficult to hack directly (which would be great too), it wouldn't hurt to also have simple and efficient network security in place that needs to be hacked first.

Undisclosed #3
Oct 06, 2017
IPVMU Certified

They couldn’t figure out how to unhack the DVR, so they called me in to do it.

"If you're seeing things, running on your 'head'" 
"Who ya gonna call? Jon Dillabaugh!"

Undisclosed #8
Oct 06, 2017

but this time changed the name of one or two cameras from the usual "hacked" to "firmware"...

It's as if the hacker was trying to say something...

Eythor Johannesson
Oct 06, 2017

You think? 

Undisclosed End User #24
Oct 06, 2017

The cost of VPNs becomes negligible when I read stuff like this...

Alex Gonzalez
Oct 16, 2017
IPVMU Certified

Bad news from my end. The DVRs/NVRs that I thought I fixed by changing the port and 888888 password were hacked again!!!

I have no choice but to upgrade the FW. The questions are: how do I know what FW to upgrade to? The versions are all over the place; there are units where the latest FW is from March. How do we know if that version patched the vulnerability? And how the hell do we match the units to the right firmware when there are so many different models?

This is insane. Luckily we don't have many Dahua units out there, and after this there will not be any others. If it wasn't for this place we wouldn't know where to turn. Dahua has handled this very poorly; they should have been contacting all distributors to get ahead of this, instead of leaving those of us who deal with the end clients with egg on our faces.

David Delepine
Oct 16, 2017
Brivo • IPVMU Certified

Call Dahua tech support or your rep directly and give them the unit serial number. They should be able to direct you to the correct firmware. Be warned, they will not give you FW without the serial number because if it is the wrong FW it could brick the unit. Hope this helps, and btw expect long wait times as they are surprisingly busy lol

Undisclosed End User #4
Oct 16, 2017

and 888888 password

50% done

no choice but to upgrade the FW

50% left

how do we know if that version patched the vulnerability?

Very good question! Dahua?

how the hell do we match the units to the right firmware when there are so many different models?

Another good question! Dahua?? o_O

Kyle Folger
Oct 16, 2017
IPVMU Certified

Just out of curiosity, what port number did you change the recorder to and what ports were left open to the Internet?

Where did you buy the recorders from and are they Dahua branded?

Robert Shih is very helpful at tracking down and getting the firmware needed. At least Hikvision knows how to version firmware and it's relatively easy to find IF it's Hikvision branded. This is not the case with Dahua. 

The latest firmware I installed for a CVI recorder that was recently hacked was R.20170417. I thought I only had one Dahua with HTTP opened. This was a second one. Only the mobile port is open after the firmware upgrade. This apparent hack didn't do anything but reset unit to default credentials so it essentially was left open on default to the world. All passwords on all accounts were not default on this recorder including 888888. It was an older firmware.

On another note, I did install two Ring Doorbell Pro cameras at a client's house. I found them to install easily and worked really well. I also did some searching on Ring hacks and it seems that at one point they could be hacked. However, the company had responded that the hack was already addressed with new firmware and those devices update automatically.

I understand the stance on automatic firmware updates and it seems to come down to how much one trusts a company to enable such a thing. While I like the idea of automatic updates, I am more inclined to trust Nest or Ring than I am to trust a Dahua and Hikvision because I can't even stand Dahua SmartPSS and Hikvision iVMS-4200. Knowing the history of exploits from both companies, I don't know that I can trust them with auto updates until it's widely known and proven that they are doing independent pen testing on all products.

Brian Karas
Oct 16, 2017
IPVM

Alex -

What is the model # of the unit? We can contact Dahua and help you find the right firmware.

Sean Nelson
Oct 16, 2017
Nelly's Security

We just found out that some of our really old units out in the field will require a TFTP upgrade to get them to the latest firmware, and trying to update them the regular way is not working on certain specific models.

Brian Karas
Oct 16, 2017
IPVM

Sean - does that mean an on-site visit then?

Sean Nelson
Oct 16, 2017
Nelly's Security

Unfortunately, with customers spread throughout the USA, that would be difficult to achieve. However, we are allowing the customers to send them back to us so we can TFTP them here, but unfortunately that means having no surveillance for a couple of days for the custy. TFTP'ing a Dahua DVR is much more difficult to do than a Hikvision. You have to have a special RS-232 cable for it; it can't simply be done over a network connection.

Alex Gonzalez
Oct 16, 2017
IPVMU Certified

Thank you so much for the response guys, greatly appreciated.

I'm in the Dahua Wiki trying to make sense of the right FW.

I've just been so reluctant to upgrade the FW because Dahua hasn't confirmed that the newest FW has patched the vulnerability. I guess we just have to update to the latest and cross our fingers it's patched?

I prefer not to disclose what ports I use, but I can tell you that they are far from the default, and I open both the HTTP and TCP to access them remotely.

I agree with you, I wouldn't feel safe setting up automatic updates even if it was available. Especially with their track record and the disregard they have for their clients.

It seems to me that all these companies (Dahua and Hik) don't give much shit about their reputation with the attention and reactions to this and past hacks. They just care about selling, selling, selling. "We got hacked." "Who cares? Let's sell more" is their attitude.

Undisclosed Manufacturer #9
Oct 23, 2017

Is this article related to this Dahua hacking incident:

https://www.bleepingcomputer.com/news/security/a-gigantic-iot-botnet-has-grown-in-the-shadows-in-the-past-month/ 

Brian Karas
Oct 23, 2017
IPVM

Not directly related, but it is something we are actively watching/investigating.