Pierluigi Paganini March 08, 2017

The manufacture Dahua Technology has started releasing firmware updates fix a serious flaw in some models of its video recorders and IP cameras.

Security experts believe the flaw is a true backdoor that could be used to remotely access the user database containing usernames and hashed passwords.

The backdoor was discovered by a researcher that is known online as “bashis.”

Once the attacker gains the administrator credentials stored in the database, he can be used to log in to the device. Representatives at the company Dahua admitted the issue and classified it as a ‘coding issue’ that was not done intentionally.

Of course, the researcher who discovered the flaw expresses skepticism of the error claim.

According to an analysis shared by IPVM, the password hashes can be used directly to log in, in fact, there is no need to crack them.

Bashis did not report the issue to Dahua, initially, he also released a proof-of-concept (PoC) exploit code that was later removed by the researchers due to a request of the manufacturer.

On April 5, the researchers made against available online the PoC.

Dahua replied with a security bulletin that admits the presence of the error in the code of its devices.

“We were recently made aware of a cybersecurity vulnerability that affects certain Dahua recorders and IP cameras. It’s important to note that the vulnerability is not the result of a malicious attack on any specific installation where our products are deployed; it was discovered by Bashis conducting independent testing of various suppliers’ surveillance products.” reads the security bulletin.

The company published a list of vulnerable devices, users are invited to download and updated the firmware of their devices.

Dahua is still investigating the issues, it is likely that other devices may be affected by the same issue.

The security of IoT devices is crucial, recently I reported in exclusive the news of a large-scale attack launched by a criminal gang leveraging the SSH TCP direct forward attack technique through a thingbot.

According to a report published by FlashPoint, the recent attacks on the Mirai botnet involved a huge number of Dahua devices.

The researchers explained that the botnet was mainly composed of video surveillance devices manufactured by Dahua Technology.

“While investigating the recent large-scale distributed denial-of-service (DDoS) attacks, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511.” reads a report published by Flashpoint. “The Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the “botnets. Utilizing the “Low Impact Identification Tool” or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided.” states the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Dahua,  IoT)