Insecure Dahua DVR
News | 07/19/2018

Dahua Devices' Passwords Cached in ZoomEye: An IoT Search Engine


Dahua Technology, an infamous firm established in 2001, is a major provider of video surveillance products and services, including security cameras, network cameras and DVRs.

Vulnerability in Dahua devices running old firmware

Back in 2013, Depth Security researcher Jake Reynolds discovered CVE-2013-6117 in Dahua's security DVR appliances. The vulnerable firmware versions include 2.608.0000.0 and 2.608.GV00.0. This five-year-old authentication bypass lets an attacker skip the authentication mechanism entirely and perform unauthorized actions.

The vulnerability is exploited by opening a raw TCP (Transmission Control Protocol) connection to a Dahua DVR on port 3777 and sending a specially crafted payload.

Once the device receives this payload, it returns its DDNS (Dynamic Domain Name System) credentials and other data in plaintext, which gives the attacker access to the device.

Insecure Dahua DVR – ZoomEye holding Passwords of Dahua Devices

Recently, however, NewSky Security, a cybersecurity company specializing in IoT threats, discovered a new low that makes compromising IoT (Internet of Things) devices even easier.

This shortcut relies on ZoomEye, an IoT search engine designed to find Internet-connected devices and their vulnerabilities. ZoomEye caches the login credentials of thousands of Internet-connected devices, so attackers no longer have to connect to an insecure Dahua DVR at all to obtain them. All they need to do is create a free ZoomEye account and scrape the cached results.

According to NewSky Security researchers, the trick came to light when Janitor, the author of the BrickerBot IoT malware, published a post about it. BrickerBot, as you may recall, is a botnet discovered last year that permanently bricked poorly secured IoT devices in an attempt to disable them before they could be recruited into Mirai or other IoT botnets.

The BrickerBot author also claims to have used CVE-2013-6117 to hijack and disable Dahua DVRs in the past.

A worrying 30,000 vulnerable devices have been found whose credentials were stored in ZoomEye's cache, and the BrickerBot author has already abused them.

Users are also to blame for protecting their devices with shoddy passwords, which makes it easy for attackers to guess them and take over the device. With just three searches on ZoomEye, 30,000 vulnerable Dahua devices could be identified.

Approximately:

  1. Over 14,000 Dahua devices were secured with the password ‘123456’
  2. Over 15,800 Dahua devices were secured with the password ‘admin’
  3. Over 600 Dahua devices were secured with the password ‘password’

Solution to the problem

  1. Users are advised to replace insecure Dahua DVR credentials with strong passwords that are difficult to crack.
  2. Avoid running older, vulnerable firmware versions, especially now that sites like ZoomEye cache credentials and make compromising IoT devices easier.
  3. If you are unsure which firmware your Dahua device is running, find the model number and enter it in the firmware search tool. Alternatively, use the DVR firmware toolkit, which can be downloaded from the same page.
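The password breakdown above and the first remediation step both come down to the same defensive check: does any device on your network still use one of the passwords that filled ZoomEye's cache? The script below is an added example written for this article; it is not code from Dahua, NewSky Security or ZoomEye. It audits a constructed inventory of DVR credentials against the three passwords the article names (the extra defaults in the list, the 12-character minimum and the character-class rule are assumptions of the example, not figures from the article) and reports the same kind of per-password count the article gives.

```python
"""Audit DVR/IoT device credentials for weak passwords.

Added example for this article, not code from Dahua, NewSky Security or
ZoomEye. The inventory is constructed sample data; the weak-password list
extends the three values the article names with a few other common defaults
(an assumption of this example, not a figure from the article).
"""
from __future__ import annotations

import re
from collections import Counter

# Passwords the article reports from ZoomEye's cache, plus assumed extras.
KNOWN_WEAK = {
    "123456", "admin", "password",                          # named in the article
    "", "12345", "1234", "admin123", "888888", "000000",    # assumed extra defaults
}

MIN_LENGTH = 12  # policy value chosen for this example, not from the article


def password_findings(password: str, username: str = "admin") -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    findings: list[str] = []
    if password.lower() in KNOWN_WEAK:
        findings.append("matches a known default/common password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        findings.append("equals the username")
    if password.isdigit():
        findings.append("digits only")
    # Count lowercase, uppercase, digit and symbol classes actually present.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        findings.append("uses fewer than three character classes")
    return findings


def audit_inventory(inventory: list[tuple[str, str, str]]) -> dict:
    """Audit (device_id, username, password) rows.

    Returns per-device findings plus a count of how many devices share each
    known-weak password, mirroring the breakdown the article gives.
    """
    weak_devices: dict[str, list[str]] = {}
    shared: Counter[str] = Counter()
    for device_id, username, password in inventory:
        findings = password_findings(password, username)
        if findings:
            weak_devices[device_id] = findings
            if password.lower() in KNOWN_WEAK:
                shared[password] += 1
    return {
        "total": len(inventory),
        "weak": len(weak_devices),
        "devices": weak_devices,
        "shared_weak_passwords": dict(shared),
    }


# Constructed sample inventory; device names and passwords are made up.
SAMPLE_INVENTORY = [
    ("dvr-lobby", "admin", "123456"),
    ("dvr-parking", "admin", "admin"),
    ("dvr-warehouse", "admin", "password"),
    ("dvr-loading-dock", "admin", "123456"),
    ("dvr-server-room", "admin", "Q7!vr9#Lm2$pXw"),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    print(f"{report['weak']} of {report['total']} devices have weak credentials")
    for device, reasons in report["devices"].items():
        print(f"  {device}: {'; '.join(reasons)}")
    print("shared weak passwords:", report["shared_weak_passwords"])
```

Run against a real export of your device inventory, the `shared_weak_passwords` count tells you at a glance whether you have your own small version of the 14,000/15,800/600 split the article describes, and the per-device findings give you the list to work through when rotating credentials.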


Virus Removal Guidelines