March 10, 2017

Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a broad swath of its products. The vulnerability allows anyone to bypass the login process for these devices and gain remote, direct control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.

dahuaOn March 5, a security researcher named Bashis posted to the Full Disclosure security mailing list exploit code for an embarrassingly simple flaw in the way many Dahua security cameras and DVRs handle authentication. These devices are designed to be controlled by a local Web server that is accessible via a Web browser.

That server requires the user to enter a username and password, but Bashis found he could force all affected devices to cough up their usernames and a simple hashed value of the password. Armed with this information, he could effectively “pass the hash” and the corresponding username right back to the Web server and be admitted access to the device settings page. From there, he could add users and install or modify the device’s software. From Full Disclosure:

“This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices

“This is like a damn Hollywood hack, click on one button and you are in…”

Bashis said he was so appalled at the discovery that he labeled it an apparent “backdoor” — an undocumented means of accessing an electronic device that often only the vendor knows about. Enraged, Bashis decided to publish his exploit code without first notifying Dahua. Later, Bashis said he changed his mind after being contacted by the company and agreed to remove his code from the online posting.

Unfortunately, that ship may have already sailed. Bashis’s exploit code already has been copied in several other places online as of this publication.

Asked why he took down his exploit code, Bashis said in an interview with KrebsOnSecurity that “The hack is too simple, way too simple, and now I want Dahua’s users to get patched firmware’s before they will be victims to some botnet.”

In an advisory published March 6, Dahua said it has identified nearly a dozen of its products that are vulnerable, and that further review may reveal additional models also have this flaw. The company is urging users to download and install the newest firmware updates as soon as possible. Here are the models known to be affected so far:

DH-IPC-HDW23A0RN-ZS
DH-IPC-HDBW23A0RN-ZS
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DHI-HCVR51A04HE-S3
DHI-HCVR51A08HE-S3
DHI-HCVR58A32S-S2

It’s not clear exactly how many devices worldwide may be vulnerable. Bashis says that’s a difficult question to answer, but that he “wouldn’t be surprised if 95 percent of Dahua’s product line has the same problem,” he said. “And also possible their OEM clones.”

Dahua has not yet responded to my questions or request for comment. I’ll update this post if things change on that front.

This is the second time in a week that a major Chinese IoT firm has urgently warned its customers to update the firmware on their devices. For weeks, experts have been warning that there are signs of attackers exploiting an unknown backdoor or equally serious vulnerability in cameras and DVR devices made by IoT giant Hikvision.

Writing for video surveillance publication IPVM, Brian Karas reported on March 2 that he was hearing from multiple Hikvision security camera and DVR users who suddenly were locked out of their devices and had new “system” user accounts added without their permission.

Karas said the devices in question all were set up to be remotely accessible over the Internet, and were running with the default credentials (12345). Karas noted that there don’t appear to be any Hikvision devices sought out by the Mirai worm — the now open-source malware that is being used to enslave IoT devices in a botnet for launching crippling online attacks (in contrast, Dahua’s products are hugely represented in the list of systems being sought out by the Mirai worm.)

In addition, a programmer who has long written and distributed custom firmware for Hikvision devices claims he’s found a backdoor in “many popular Hikvision products that makes it possible to gain full admin access to the device,” wrote the user “Montecrypto” on the IoT forum IPcamtalk on Mar. 5. “Hikvision gets two weeks to come forward, acknowledge, and explain why the backdoor is there and when it is going to be removed. I sent them an email. If nothing changes, I will publish all details on March 20th, along with the firmware that disables the backdoor.”

According to IPVM’s Karas, Hikvision has not acknowledged an unpatched backdoor or any other equivalent weakness in its product. But on Mar. 2, the company issued a reminder to its integrator partners about the need to be updated to the latest firmware.

A special bulletin issued Mar. 2, 2017 by Hikvision. Image: IPVM

A special bulletin issued Mar. 2, 2017 by Hikvision. Image: IPVM

“Hikvision has determined that there is a scripted application specifically targeting Hikvision NVRs and DVRs that meet the following conditions: they have not been updated to the latest firmware; they are set to the default port, default user name, and default password,” the company’s statement reads. “Hikvision has required secure activation since May of 2015, making it impossible for our integrator partners to install equipment with default settings. However, it was possible, before that date, for integrators to install NVRs and DVRs with default settings. Hikvision strongly recommends that our dealer base review the security levels of equipment installed prior to June 2015 to ensure the use of complex passwords and upgraded firmware to best protect their customers.”

ANALYSIS

I don’t agree with Bashis’s conclusion that the Dahua flaw was intentional; It appears that the makers of these products simply did not invest much energy, time or money in building security into the software. Rather, security is clearly an afterthought that is bolted on afterwards with these devices, which is why nobody should trust them.

The truth is that the software that runs on a whole mess of these security cameras and DVRs is very poorly written, and probably full of more security holes just like the flaw Dahua users are dealing with right now. To hope or wish otherwise given what we know about the history of these cheap electronic devices seems sheer folly.

In December, KrebsOnSecurity warned that many Sony security cameras contained a backdoor that can only be erased by updating the firmware on the devices.

Some security experts maintain that these types of flaws can’t be easily exploited when the IoT device in question is behind a firewall. But that advice just doesn’t hold water for today’s IoT cameras and DVRs. For one thing, a great many security cameras and other IoT devices will punch a hole in your firewall straight away without your permission, using a technology called Universal Plug-and-Play (UPnP).

In other cases, IoT products are incorporating peer-to-peer (P2P) technology that cannot be turned off and exposes users to even greater threats.  In that same December 2016 story referenced above, I cited research from security firm Cybereason, which found at least two previously unknown security flaws in dozens of IP camera families that are white-labeled under a number of different brands (and some without brands at all).

“Cybereason’s team found that they could easily exploit these devices even if they were set up behind a firewall,” that story noted. “That’s because all of these cameras ship with a factory-default peer-to-peer (P2P) communications capability that enables remote ‘cloud’ access to the devices via the manufacturer’s Web site — provided a customer visits the site and provides the unique camera ID stamped on the bottom of the devices.”

The story continued:

“Although it may seem that attackers would need physical access to the vulnerable devices in order to derive those unique camera IDs, Cybereason’s principal security researcher Amit Serper said the company figured out a simple way to enumerate all possible camera IDs using the manufacturer’s Web site.”

My advice? Avoid the P2P models like the plague. If you have security cameras or DVR devices that are connected to the Internet, make sure they are up to date with the latest firmware. Beyond that, consider completely blocking external network access to the devices and enabling a VPN if you truly need remote access to them.

Howtogeek.com has a decent tutorial on setting up your own VPN to enable remote access to your home or business network; on picking a decent router that supports VPNs; and installing custom firmware like DD-WRT on the router if available (because, as we can see, stock firmware usually is some horribly insecure and shoddy stuff).

If you’re curious about an IoT device you purchased and what it might do after you connect it to a network, the information is there if you know how and where to look. This Lifehacker post walks through some of the basic software tools and steps that even a novice can follow to learn more about what’s going on across a local network.


32 thoughts on “Dahua, Hikvision IoT Devices Under Siege

  1. RickH

    Will running the Steve Gibson “ShieldsUp” program help the home user in determining if there are open ports on their home system?

    How does a home user (especially non-technical ones) see if devices on their home network are vulnerable?

    1. AmericaWhereAreYou

      Shields Up is a great utility to see whats open.

    2. Mike

      Shields up is good. But even if a non-technical person used it and even managed to somehow see a problem, how would they even be capable of dealing with it (as a non-technical person) short of taking the equipment to a third party? At that point….what’s the point?

      People need to stop seeing this stuff as someone else’s responsibility.

  2. Squiddly

    Gibson Research — Sheildsup was helpful in pointing out that in spite of me firewalling inbound telnet on my zyxel pOs dsl modem, it in fact wasn’t.
    I suppose if someone were to set up a port out of the normal range tested in shieldsup, it won’t find it. Caveat e emptor or whatever it is.

  3. G.Scott H.

    I agree, ShieldsUp is great for finding open ports. Just keep in mind that thanks to UPNP, ports can be reopened at any time by any device. Steve Gibson has very good material on handling UPNP as well.

    It is best to disable UPNP on the router. Brian’s advice on VPN use and referal to howtogeek.com will cover disabling UPNP and other issues involved with connecting IoT devices.

    For my home network, I have the skill to implement what Brian recommends with VPNs. I have chosen though to follow his advice of avoiding the P2P model. I also shun current generation of IoT devices because of the effort required to use them safely and without contributing to the mess of rampant IoT botnets. To me the IoT cost is not worth the benefit.

  4. Fluff Up

    At least the CIA tried hide their backdoors
    I’m paranoid the Chinese are selling electronics and IoT devices cheap just so they can spy on the world easier

    1. Mario

      Not only China can spy, but anyone that knows how to exploit it. The reason those vulns exist is exactly a consequence of the low price target.

      1. Tom H.

        I totally agree! All routers these days have way too many features opening itself to further vulnerabilities. I think devices like RATtrap are a good idea. Act as a screening router with no attack surface. https://www.myrattrap.com/

  5. Erik Carlseen

    Well, it looks like 17 years of telling customers to not allow their security DVRs to connect to the Internet except via VPN is paying off. I’m far from the only person – I and many others that I know took one look at the software on these things and instantly thought “security sieve.” You can just tell by the overall quality and polish (or lack thereof). The only surprise in this story is that anyone is surprised.

    We put them in a DMZ with “Default Deny” permissions for everything; the only packets allowed in or out are the ones explicitly authorized.

    If anybody knows of some IPDVR software that isn’t a complete quality trainwreck (and by that I mean somebody took a really hard look / pen-tested it) I’m sure a lot of people would like to know about it.

  6. No_CVE

    Seems Mr Krebs, without saying it, is saying the national vulnerability databases are a farce in tracking IoT vuls by vendors. Dahua has posted a security bulletin; yet, the national vul databases don’t list the Dahau products as having a vulnerability.

      1. Darron Wyke

        The problem with that is you’re using an Ubiquiti product. They don’t exactly have a great track record.

  7. Mike

    This stuff is not safe to use. Using it will compromise your data and your security. The companies that create it are not interested in your security. There are no updates or patches that will make these things safe.

    The only way to win is to not play.

  8. Daniel Brandt

    There may be a potential problem with CloudFlare’s 2014 decision to concentrate their 391 nameservers into just two /24 blocks. I don’t know anything about IoT coding, but I do know that CloudFlare ignores anything that appears on CloudFlare Watch:
    http://www.crimeflare.com/cfnsdump.html

  9. JimV

    Short-run cheapskating in a construction, manufacturing or software code development process will almost always lead to longer-run debacles or outright disastrous consequences for the firm or firms involved (not to mention the victims) — it’s repeatedly been proven time and time and time again over human history, but until the last half-century the effects tended to be limited and rarely impacted any substantial portion of the population. Not so today.

  10. Nobby Nobbs

    Thanks again for a timely heads-up, Brian!

    I doubt the marketplace will be able to solve this one in the short run.

    Have you had a chance to look into the Raspberry Pi-based alternatives to these insecure-by-design IoT gadgets?

  11. Alan

    I installed a network of Hikvision cameras and DVRs where I work right at the time that Brian was breaking the news about Mirai, etc.

    I was impressed to see that Hikvision firmware enforced changing the default password, and even enforced some password security. They included an additional note with the documentation to make you aware of this.

    Nevertheless, I specifically set the devices in a network mask that can’t communicate with the internet gateway but can communicate with other devices on the internal network. (I use the 172.16-32 private IP address space — the gateway has a 255.255.255.0 netmask, while the network devices have 255.255.0.0 netmasks.)

    1. jdmurray

      The 172.16.0.0-172.32.255.255/12 range uses a netmask of 255.240.0.0. Keep this in mind if your network experiences any problems associated with overlapping IP address spaces.

  12. Kbarb

    >>”Enraged, Bashis decided to publish his exploit code without first notifying Dahua”

    So he’s mad at Dahua, but exposes all their vulnerable devices which actually belong to *other* people who are not actually responsible for the code ?
    Sounds more like an adolescent tantrum.
    I think Karas took a more responsible approach.

  13. El Aura

    Stupid question: How much are Bluetooth devices affected by this? In particular products like Tile that do tout their peer-to-peer networking for finding stuff outside of the range of the Tile’s owner.

  14. Drone

    Yeah, and when you put the Chinese patch on your Chinese spy-cam it just gets a new back door until someone finds how to hack that one. Damn Chinese, they’re almost as bad as the IRS!

  15. Chris

    Great article! If only more people took this seriously, especially with the prevalence of today’s yumcha cameras saturating the market. Virtual LAN all the way.

  16. sophia

    Trump’s platform emphasizes renegotiating U.S.–China relations and free trade agreements such as NAFTA and the Trans-Pacific Partnership, strongly enforcing immigration laws, and building a new wall along the U.S.–Mexico border. His other positions include pursuing energy independence while opposing climate change regulations such as the Clean Power Plan and the Paris Agreement, modernizing and expediting services for veterans, repealing and replacing the Affordable Care Act, abolishing Common Core education standards, investing in infrastructure, simplifying the tax code while reducing taxes for all economic classes, and imposing tariffs on imports by companies offshoring job

  17. Michael Martin

    The fact that many IOT video cameras have flaws security wise does not make me feel any more safe. I will make sure to get my firmware updates done. With that being said are there any safe Video Cameras that can be used? Is the best thing to do is not have them connected to the internet or LAN.

  18. vb

    I can attest that using back doors for internal testing is part of the software development culture for IoT devices. After having worked with a Hong Kong based Internet device manufacturer, I saw that every device had hocus pocus to get into a developer mode.

    That back door code never got pulled out of the production branches. The developers were still debugging long after the products started shipping, and the next product, using the same code base, was prototyped.

  19. jerry

    Dahua take steps to deal with this trouble and rework dahua’warehouse products and lengthen date of delivery.
    news from http://www.cctv-mall.com dahua camera and NVR

  20. Felix Uribe

    Issues like this can be looked at BEFORE manufacturers decide to just let users figure any security issues AFTER installation!.

    The exponential growth of IoT devices and their everyday applications calls for their classification in order to address today’s security and privacy concerns affecting the trustworthiness of the world’s current IoT domain. My proposed classification do just that! Please read the paper at https://uribe100.com/index.php?option=com_content&view=article&id=147:internet-of-things-iot

Comments are closed.