Dahua Devices Dangerously Exposed To Cybersecurity Hack

Dahua Technology

Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a wide range of its IP-cameras and DVRs. The vulnerability allows anyone to bypass the login process for these devices and gain remote (and direct) control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.

On March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server that is accessible via a Web browser.

That server requires the user to enter a username and password, but Bashis found he could force all affected devices to cough up their usernames and a simple hashed value of the password. Armed with this information, he could effectively “pass the hash” and the corresponding username right back to the Web server and be granted access to the device settings page. From there, he could add users and install or modify the device’s software.
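Why a disclosed hash works as a credential, and how a server-side salted verifier changes that, shown as an added example that is not Dahua firmware or code from the original article. The class names, the account, and the use of unsalted SHA-256 as the "simple hashed value" are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed account, not taken from any real device.
USER, PASSWORD = "admin", "Constructed-Passw0rd"

def fast_hash(password):
    # Assumption: unsalted SHA-256 stands in for the "simple hashed value".
    return hashlib.sha256(password.encode()).hexdigest()

class WeakLogin:
    """Accepts the stored hash itself as the login credential."""
    def __init__(self):
        self.db = {USER: fast_hash(PASSWORD)}
    def login(self, user, submitted_hash):
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)

class HardenedLogin:
    """Takes the password (over TLS) and derives a salted verifier server-side."""
    def __init__(self):
        salt = os.urandom(16)
        self.db = {USER: (salt, self._derive(PASSWORD, salt))}
    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    def login(self, user, password):
        record = self.db.get(user)
        if record is None:
            return False
        salt, verifier = record
        return hmac.compare_digest(verifier, self._derive(password, salt))

def disclosed_record_logs_in_weak():
    dev = WeakLogin()
    disclosed = dev.db[USER]  # what a credential-disclosure flaw would reveal
    return dev.login(USER, disclosed)  # stored value == accepted credential

def disclosed_record_logs_in_hardened():
    dev = HardenedLogin()
    _salt, verifier = dev.db[USER]
    return dev.login(USER, verifier.hex())  # verifier is re-derived, not compared raw

if __name__ == "__main__":
    print("weak:", disclosed_record_logs_in_weak(),
          "hardened:", disclosed_record_logs_in_hardened())
```

In the hardened form a disclosed record is still a finding to fix, since it enables offline guessing, but it no longer logs anyone in by itself.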

Travis Smith, senior security research engineer for cyber security firm Tripwire, provided the following comments:

“Building security into a product is a process which takes time and money. For device manufacturers, the primary drivers are time to market and keeping the cost low. This creates a difficult environment to create a product which can withstand the watchful eye of white and black hat hackers.

“The advice still stands; don’t connect any device to the internet unless it’s absolutely critical. If the device is connected to the internet, install updates as soon as possible and keep it on a segmented network, such as a guest wireless network. Should a device become compromised, this will reduce your exposure and limit what a potential hacker has access to.”

Dahua has become aware of this security breach and has been posting updates to the situation on its website. Here are the most recent updates:

March 13, 2017
Dahua Technology Partner Statement

Dear Valued Partner,

We have been diligently sharing our progress with you since a vulnerability issue was discovered early last week. As you may already know, this issue affects some of our recorders and IP cameras. We responded immediately by conducting our own internal testing to confirm the vulnerability and informing all of our resellers, OEM partners, technology partners, and distributors. We issued a series of firmware patches last week to resolve the problem for the affected products, and we will continue to issue additional updates as needed.

The firmware issue was discovered as a result of independent testing and since then we have taken additional preemptive steps to ensure the security of Dahua branded and OEM products by employing third-party cybersecurity companies as well as independent evaluators who have been conducting extensive penetration tests.

If you believe that your Dahua product has been affected please reach out to our tech support team so we can help you allocate the correct firmware update for your product.

We appreciate your patience and your business.

Dahua Technology USA
877-606-1590

March 8, 2017
Cybersecurity Vulnerability Update

We would like to extend our appreciation for your patience while we try to resolve the vulnerability issue that was encountered at the beginning of the week. After extensive research and testing, we have created firmware updates that will resolve this issue in all affected devices.

Our highest priority is customer satisfaction. We will be deploying a special team to coordinate our efforts in reaching each and every dealer personally to discuss your needs, provide new firmware, and support you in updating all affected devices.

We understand that the success of your business relationships depends in part on the reputation of the brands you sell. As such, we will do everything we can to stand behind you and build trust in the Dahua brand.

We will be reaching out to you shortly. In the meantime, please don’t hesitate to call our tech support team at 877-606-1590 or visit our cybersecurity webpage for more information.

We appreciate your partnership.
Thank you,
Dahua Technology USA

March 6, 2017
Cybersecurity Statement

Dear Valued Customer / Partner,

We were recently made aware of a cybersecurity vulnerability that affects a number of our recorders and IP cameras. It’s important to note that the vulnerability is not the result of a malicious attack on any specific installation where our products are deployed. The vulnerability was discovered by Bashis conducting independent testing of various suppliers’ surveillance products who brought this to our attention.

Our extensive team of engineering and security specialists have been conducting exhaustive tests across our comprehensive surveillance offering and have isolated a small piece of code that caused this vulnerability. We are developing a series of firmware patches to alleviate this issue along with the information you need to implement these proactive updates. Our technical team will also be available if you would like our assistance installing these firmware updates. We will update our cybersecurity page on our website to reflect the available batches for the affected product. (http://www.dahuasecurity.com/en/us/cybersecurity.php)

Please rest assured that Dahua has taken immediate action to address this situation, and will continue to work towards implementing surveillance solutions that provide the highest levels of security and integrity.

Dahua greatly appreciates your business/partnership and welcomes any feedback or questions you may have.

Thank you,
Dahua Technology USA

Source: dahuasecurity.com