Image

"I'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have just found. I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones. Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community. (I simply don't want to listen on their poor excuses, their tryings to keep me silent for informing the community)"Initially Bashis published proof-of-concept code, effectively giving anybody the ability to exploit the flaw. However, at Dahua's request, he has now withdrawn his code - but said he will republish it on April 5th as an incentive for the company to patch the problem quickly. For its part, Dahua has acknowledged that 11 of its devices with the following model numbers are vulnerable and made firmware updates available for download:
- DH-IPC-HDW23A0RN-ZS
- DH-IPC-HDBW23A0RN-ZS
- DH-IPC-HDBW13A0SN
- DH-IPC-HDW13A0SN
- DH-IPC-HFW13A0SN-W
- DH-IPC-HDBW13A0SN
- DH-IPC-HDW13A0SN
- DH-IPC-HFW13A0SN-W
- DHI-HCVR51A04HE-S3
- DHI-HCVR51A08HE-S3
- DHI-HCVR58A32S-S2
Image

"Our extensive team of engineering and security specialists have been conducting exhaustive tests across our comprehensive surveillance offering and have isolated a small piece of code that caused this vulnerability."Of course, if malicious hackers were to hijack control of Dahua's devices there is always the risk that they might be commandeered into nefarious activity - such as participating in a destructive botnet. Poorly secured IoT devices are proving to be a growing scourge for the internet because of lax security and the ease with which hackers seem capable of exploiting them. What we can't tell is whether this was truly a backdoor that Dahua's engineers intentionally left in device's firmware, or whether the sensitive credentials could be accessed through a bug. Personally, I'm more inclined to believe less in conspiracies and more in cockups. So I like to believe that this was an accident. What's most important now for users of the vulnerable devices is that they get patched quickly before they are exploited by malicious attackers. Furthermore, if you have made the mistake of reusing the same password on your internet-connected DVR or IP camera as you use elsewhere on the net, now would be a very good time to learn about sensible password practices. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.