Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a broad swath of its products. The vulnerability allows anyone to bypass the login process for these devices and gain remote, direct control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number ofIoT devices.
On March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server thatis accessible via a Web browser.
That server requires the user to enter a username and password, but Bashis found he could force all affected devices to cough up their usernames and a simple hashed value of the password. Armed with this information, he could effectively “pass the hash” and the corresponding username right back to the Web server and be admitted access to the device settings page. From there, he could add users and install or modify the device’s software. From Full Disclosure:
“This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices
“This is like a damn Hollywood hack, click on one button and you are in…”
Bashis said he was so appalled at the discovery that he labeled it anapparent “backdoor” ― an undocumented means of accessing an electronic device that often only the vendorknows about. Enraged, Bashis decided to publish his exploit code without first notifying Dahua. Later, Bashis said he changed his mind after being contacted by the company and agreedto remove his code from the online posting.
Unfortunately, that ship may have already sailed. Bashis’s exploit code already has been copied in several other places online as of this publication.
Asked why he took down his exploit code, Bashis said in an interview with KrebsOnSecurity that “The hack is too simple, way too simple, and now I want Dahua’s users to get patched firmware’s before they will be victims to some botnet.”
In an advisory published March 6, Dahua said it has identified nearly a dozen of its products that are vulnerable, and that further review may reveal additional models also have this flaw. The company is urging users to download and install the newest firmware updates as soon as possible. Here are the models known to be affected so far:
DH-IPC-HDW23A0RN-ZS
DH-IPC-HDBW23A0RN-ZS
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DHI-HCVR51A04HE-S3
DHI-HCVR51A08HE-S3
DHI-HCVR58A32S-S2
It’s not clear exactly how many devices worldwide may be vulnerable. Bashis says that’s a difficult question to answer, but that he “wouldn’t be surprised if 95 percent of Dahua’s product line has the same problem,” he said. “And also possible their OEM clones.”
Dahua has not yet responded to my questions or request for comment. I’ll update that here if things change on that front.
This is the second time in a week that a major Chinese IoT firm has urgently warned itscustomers to update the firmware on their devices. For weeks, experts have been warning that there are signs of attackers exploiting an unknown backdoor or equally serious vulnerability in cameras and DVR devices made by IoT giant Hikvision .
Writing for video surveillance publication IPVM , Brian Karas reported on March 2 that he was hearing from multiple Hikvision security camera and DVR users who suddenly were locked out of their devices and had new “system” user accounts added without their permission.
Karas said the devices in question all were set up to be remotely accessible over the Internet, and were running with the default credentials (12345). Karas noted that there don’t appear to be any Hikvision devices sought out by theMirai worm ― the now open-source malware that is being used to enslave IoT devices in a botnet for launching crippling online attacks (in contrast, Dahua’s products are hugely represented in the list of systems being sought out by the Mirai worm .)
In addition, aprogrammer who has long written and distributed custom firmware for Hikvision devices claims he’s found a backdoorin “many popular Hikvision products that makes it possible to gain full admin access to the device,” wrote the user “Montecrypto” on the IoT forum IPcamtalk on Mar. 5. “Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.”
According to IPVM’s Karas, Hikvision has not acknowledged an unpatched backdoor or any other equivalent weakness in its product. But on Mar. 2, the company issued a reminder to its integrator partners about the need to be updated to the latest firmware.
A special bulletin issued Mar. 2, 2017 by Hikvision. Image: IPVM
“Hikvision has determined that there is a scripted application specifically targeting Hikvision NVRs and DVRs that meet the following conditions: they have not been updated to the latest firmware; they are set to the default port, default user name, and default password,” the company’s statement reads. “Hikvision has required secure activation since May of 2015, making it impossible for our integrator partners to install equipment with default settings. However, it was possible, before that date, for integrators to install NVRs and DVRs with default settings. Hikvision strongly recommends that our dealer base review the security levels of equipment installed prior to June 2015 to ensure the use of complex passwords and upgraded firmware to best protect their customers.”
ANALYSISI don’t agree with Bashis’s conclusion that the Dahua flaw was intentional; It appears that the makers of these products simply did not invest much energy, time or money in building security into the software. Rather, security is clearly an afterthought that is bolted on afterwards with these devices, which is why nobody should trust them.
The truth is that the software that runs on a whole mess of these security cameras and DVRs is very poorly written, and probably full of more security holes just like the flaw Dahua users are dealing with right now. To hope or wish otherwise given what we know about the history of these cheap electronic devices seems sheer folly.
In December, KrebsOnSecuritywarned that many Sony security cameras contained a b
