Multiple DVR and IP camera models from Dahua, a Chinese maker of surveillance solutions, received an emergency firmware update this week to fix a backdoor allowing remote access to the devices.
According to a report by independent researcher Bashis, an unauthorized party could access the devices remotely and download the full user database, including credentials and permissions. Because the remote login accepted an admin username together with its stored password hash, a hash taken from that dump could be used to log in directly, without ever recovering the cleartext password.
Furthermore, the intruder could modify the database by deleting users, adding new ones or changing admin users and passwords.
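The following is an added illustration, not code from the original report or from Dahua, of why a login that accepts a password hash as the credential turns a user-database leak into a credential leak. The storage format, the MD5 digest in the weak scheme, the user names and passwords are all constructed assumptions for the example; the page does not describe the device's actual login protocol. Scheme A stores an unsalted digest and compares whatever the client sends against it, so replaying the dumped table logs in every user. Scheme B stores a salted, iterated PBKDF2 digest and hashes the submitted password server-side, so the dump alone is not enough to authenticate.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (assumption for this example, not real device data).
# Scheme A: unsalted MD5 of the password, and the login endpoint accepts the
# digest itself, so a copy of this table is a set of working credentials.
USERS_SCHEME_A = {
    "admin": {"password_hash": hashlib.md5(b"admin123").hexdigest(), "role": "admin"},
    "viewer": {"password_hash": hashlib.md5(b"viewer").hexdigest(), "role": "viewer"},
}


def login_scheme_a(username: str, presented_hash: str) -> bool:
    """Vulnerable design: the client submits the hash, the server compares it as-is."""
    rec = USERS_SCHEME_A.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["password_hash"], presented_hash)


# Scheme B: per-user random salt, slow KDF, and the server derives the digest
# from the submitted password itself, so a stolen digest cannot be replayed.
KDF_ITERATIONS = 200_000


def make_record(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "iterations": KDF_ITERATIONS, "digest": digest, "role": role}


USERS_SCHEME_B = {
    "admin": make_record("admin123", "admin"),
    "viewer": make_record("viewer", "viewer"),
}


def login_scheme_b(username: str, password: str) -> bool:
    """Hardened design: the client must send the password; the server hashes it."""
    rec = USERS_SCHEME_B.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user is not revealed by response time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, KDF_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])


def replay_leaked_database(leaked: dict, login) -> list:
    """Model the attack: for each leaked record, attempt a login using only the
    stored digest (hex-encoded), i.e. with no knowledge of the cleartext password.
    Returns the list of users the attacker manages to log in as."""
    successes = []
    for user, rec in leaked.items():
        token = rec["password_hash"] if "password_hash" in rec else rec["digest"].hex()
        if login(user, token):
            successes.append(user)
    return successes


if __name__ == "__main__":
    print("scheme A, replaying the dump:", replay_leaked_database(USERS_SCHEME_A, login_scheme_a))
    print("scheme B, replaying the dump:", replay_leaked_database(USERS_SCHEME_B, login_scheme_b))
    print("scheme B, real password:", login_scheme_b("admin", "admin123"))
```

Scheme B only closes the replay hole; it still sends the password to the device, so the transport has to be TLS, and an attacker who obtains the table can still run an offline guessing attack against weak passwords, which is what the salt and iteration count are there to slow down. Neither scheme addresses the separate problem the report describes, an unauthenticated path to download the database in the first place.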
After discovering the issue and creating a proof of concept, Bashis chose to make the disclosure public and not alert the company first, arguing that the problem was too severe to wait until a fix became available.
“Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community. (I simply don’t want to listen on their poor excuses, their tryings to keep me silent for informing the community),” said Bashis in the report.
Initially, the researcher published the proof-of-concept code that automates the attack, but Dahua asked for it to be taken down until the problem was fixed. Bashis agreed to give the company 30 days, after which the attack code would be republished on April 30.
Dahua informed its customers and partners of the issue, and said its engineers and security specialists determined that the culprit was a “small piece of code.”
In a security bulletin at the beginning of the week, Dahua made available firmware updates for 11 of its products (three DVRs and eight IP cameras). Additional models are being investigated and will be updated if found vulnerable.
According to IPVM, a paid information service for the video surveillance industry, the number of affected devices is larger. IPVM says it learned this from partners who independently verified the flaw on models other than those that have already received a firmware update.
Dahua products have been found vulnerable before. The best-known incident is last year's Mirai botnet, which recruited large numbers of Dahua IP cameras, among other devices, to carry out one of the first massive IoT-based distributed denial-of-service attacks.