    Hackers Globally Attacking Dahua Recorders

    Dahua recorders are being hacked and vandalized around the world, as confirmed by dozens of reports to IPVM since the attacks surged 5 days ago.

    Key points:

    - If you have Dahua recorders and you port forwarded them (as Dahua unfortunately recommends), check your recorders immediately for impact.

    - Disable port forwarding immediately and block public access to these recorders.

    - Try to upgrade firmware, if possible for your units, though Dahua has regularly had challenges distributing firmware for various models and partners.

    - If you have one of the many Dahua OEM recorders (e.g., ADT, for which we have confirmed multiple reports), disable port forwarding and contact your manufacturer.

    - Dahua has still not made any public statement, continuing a trend of poor communication.

    Inside, we share full details of the reports we have and the technical elements / vulnerabilities behind this.


    Hacked Overview

    Based on screen caps and log files submitted to IPVM and posted in public forums, hacked systems show black images from the cameras and display "HACKED 1, HACKED 2, etc." as the name of each camera feed.


    The video is black because the hacker changes the camera exposure settings to effectively hide / block out the video feeds.


    And below is a log file sample from CCTV Forum that shows some of the changes made:


    Victims Seeking Help

    Dahua has not issued any statements on these hacks; their most recent US cyber security update is from July 2017. Search traffic to IPVM for terms relating to 'Dahua hack' shows a ~500% surge above average for the past week:


    Dahua USA has indicated that a special cyber security hotline is being established to field calls related to this hack. Once we receive more information, we will share.


    Sample Reports

    IPVM has received numerous reports and cataloged other reports across the Internet including:

    I have over 60 DVRs, both old and new (some less than 6 months old), both branded and unbranded, that have been severely hacked. The phone has been ringing off the hook. Dahua keeps sending me a year-old firmware.

    The hackers turned off the camera feed to the four channels and locked out access to turn them back on. There were changes made to color settings, general network, and channel names.

    I had a client reach out to me at around 0900 eastern this morning to tell me two of four sites' DVRs were sitting with a black 4-pane screen and where the cam info usually sits, it said "hacked." By 2100 eastern time the other two sites went down with the same issue.

    Tonight a family member called me and told me their Dahua DVR was showing "hacked" as all the camera titles. I went over to their house and looked at it, and indeed it had been hacked. About an hour later I get a text from an old co-worker... his DVR also showed hacked, also a Dahua. The unit was logged into, some data was changed that caused the screen to go black, and the camera names were changed to Hacked 1, Hacked 2, Hacked 3 and Hacked 4. My main admin account had the password changed, not sure about the secondary.

    My cameras say they are "Hacked." I called Dahua in California and they refused to offer any explanation or assistance other than pointing me to their cyber security PDF bulletins online which were of no help to my situation. They simply refused to talk to me other than to say read the bulletins and that's all they were going to say.

    An Italian distributor posted about massive problem from the Dahua hacks:

    In the last few days, news of a huge hacker attack on the Italian network has blocked nearly 6,000 Dahua recording apps, only from our channel, over 800 calls between September 19 and 21, regarding hacked Dahua recorders. [emphasis IPVM]

    And a Greek Dahua partner posted a LinkedIn item:


    He later deleted the item.

    And this Facebook item cited several national chains impacted with Dahua responding that the person was lying:


    A key clue to the hacks came from a person who emailed IPVM:

    I stopped by one of our old customers today to look at his DVR; it looks like the local-only account 888888 was accessed via the internet.


    The 888888 Account

    Dahua recorders ship with a special '888888' account which is only supposed to work locally. However, according to security researcher bashis, the validation that determines whether the client is local to the recorder is done by the client, not by the recorder. This means that a malicious client can be crafted to use the 888888 account and simply tell the recorder it is local, even when it is logging in from a remote network.

    We believe that this '888888' exploit has been fixed in newer Dahua firmware, but Dahua is poor at communicating what was changed, when it was changed and for which models it was changed.
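    The design flaw described above, modelled as an added example (not Dahua's code or protocol, whose wire format is not covered here): a vulnerable login check that trusts a client-asserted "I am local" flag, beside a hardened one where the recorder decides locality from the TCP peer address. Credentials, subnets and function names are constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a recorder's credential store (not real Dahua defaults).
SAMPLE_CREDS = {"admin": "Str0ng-Pass!", "888888": "local-only-pw"}
LOCAL_ONLY_ACCOUNTS = {"888888"}
# Subnets the recorder owner treats as "local"; hypothetical values.
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("127.0.0.0/8")]


@dataclass
class LoginRequest:
    username: str
    password: str
    client_says_local: bool  # asserted by the client, so attacker-controlled


def _password_ok(req: LoginRequest, creds: dict) -> bool:
    expected = creds.get(req.username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), req.password.encode())


def vulnerable_login(req: LoginRequest, peer_ip: str, creds: dict = SAMPLE_CREDS) -> bool:
    """Flawed design: peer_ip is ignored; the client's own flag is the only locality check."""
    if not _password_ok(req, creds):
        return False
    if req.username in LOCAL_ONLY_ACCOUNTS and not req.client_says_local:
        return False
    return True


def hardened_login(req: LoginRequest, peer_ip: str, creds: dict = SAMPLE_CREDS,
                   lan=LAN_SUBNETS) -> bool:
    """Locality is decided by the recorder from the socket peer address, never from the request."""
    if not _password_ok(req, creds):
        return False
    if req.username in LOCAL_ONLY_ACCOUNTS:
        ip = ipaddress.ip_address(peer_ip)
        # Caveat: a router that source-NATs forwarded connections makes remote peers
        # look local, so the safest policy is to allow this account only from the console.
        if not any(ip in net for net in lan):
            return False
    return True
```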

    These attacks are likely based on the backdoor bashis discovered in March 2017, where this vulnerability is cited:


    Technical Analysis

    Presence of the Dahua special '888888' account and internet access to port 37777 are the two factors that impacted systems reported to IPVM have had in common. Users with non-default admin passwords have reported hacks to their systems. In a number of cases, users were running the latest available firmware, particularly in the case of OEM models.

    Based on the number and geographic diversity of systems reported as attacked, this looks to be an automated attack, with victims picked at random from Shodan or similar scans. The attack adjusts settings on connected cameras to make the image black, but does not touch recorded video or lock the user out of the system. This makes the attacks similar in nature to Brickerbot, attempting to call attention to the device's poor security rather than render it inoperable or enroll it in a botnet.


    Dahua Many Vulnerabilities

    Dahua has had a number of reported vulnerabilities in its products. Dahua cameras and recorders fueled the Mirai botnet in 2016, leading to some of the largest DDoS attacks ever seen (Dahua also claimed to be a victim of Mirai itself).

    This was followed by bashis' Dahua backdoor discovery in March 2017. This also impacted key partners, such as FLIR, forcing them to deal with Dahua's poor security implementation. A Dahua buffer overflow vulnerability was discovered in July 2017, though no known exploits of it have been seen (yet). Multiple vulnerabilities have also been found in Dahua's DHI-HCVR7216A-S3 recorder, including cleartext passwords, an auto-admin login that allows data sniffing, an admin password bypass, and unencrypted communications that allow man-in-the-middle attacks.

    26/09/2017 18:09:07