Last month, Positive Technologies, a provider of enterprise vulnerability, compliance management and threat analysis solutions, announced that one of its researchers, Ilya Smith, had helped discover and subsequently fix a critical vulnerability in the firmware of Dahua IP cameras. According to a statement issued by the company, the vulnerability would have essentially allowed hackers to gain complete control over the impacted cameras.
"This vulnerability allows any actions with the camera via software: intercept and modify video traffic, add a device into botnet to conduct a DDoS attack like Mirai, and much more,” said Smith.
Given the significant concerns of both end-users and systems integrators regarding the cybersecurity of today’s video surveillance solutions, Dahua has attempted to take a proactive approach to addressing vulnerabilities in its products. On the heels of patching a previous flaw that was discovered in their cameras and DVRs back in March of this year, Dahua at ASIS 2017 announced that they would be implementing a new cybersecurity initiative which would include a range of activities designed to improve the security of video surveillance products themselves, as well as the security of broader processes, including installation, deployment, and ongoing maintenance.
For example, one initiative focuses on authentication for administrative access. As a result, default accounts are no longer included in new devices, with changes implemented in the installation, admin access, and ongoing management processes. Other initiatives resulted in similar broad impacts, including better management of identities, session security, data security, and more.
Speaking on behalf of Dahua’s cybersecurity team, Janet Fenner, the company’s director of business development, recently addressed some of the concerns surrounding this most recently discovered vulnerability and the steps they are taking to mitigate future threats in an interview with SecurityInfoWatch.com (SIW).
SIW: How was this vulnerability initially discovered and how did you work with Positive Technologies to address it?
Fenner: This vulnerability was first reported to Dahua by a researcher, Ilya Smith, at Positive Technologies. The Dahua Cybersecurity Center (DHCC) responded immediately and followed the established process to engage the relevant engineering team to analyze the report and validate the vulnerability. The team interacted with Smith who helped to confirm the finding and validate the software fix.
SIW: What kinds of things could malicious actors who find this flaw do inside a user’s surveillance system?
Fenner: It could be exploited to trigger null pointer error or buffer overflow, which will result in denial of service on the IP camera with this vulnerability.
SIW: Do you have a list of the vulnerable products that end-users and integrators can use to check and see if their installations are vulnerable?
Fenner: Yes, the list of affected products was published in our security notice on the Dahua website.
SIW: What do end-users and/or integrators need to do address this vulnerability once they find they might be at risk?
Fenner: Dahua has released the software fix, which can be downloaded from our website and is also available through our dealers and distributors. Customers can upgrade the device firmware to fix this vulnerability. They can also contact Dahua technical support or their local distributor for assistance.
SIW: Do you have any evidence that this vulnerability has already been exploited in any way by hackers?
Fenner: No, we have not received any report from customers or dealers so far.
SIW: Is this vulnerability related to the one that was patched earlier this year in March?
Fenner: No, they are not related.
SIW: What would you say to your end-user and dealer partners who still have cybersecurity concerns about your products? Where can they turn to for help if they have further questions?
Fenner: We are taking cybersecurity seriously and putting in significant resources. Dahua is committed to ensuring the cybersecurity of our related products and solutions. We are also getting support from experts in this field. Dahua is taking a proactive approach of consulting with esteemed authoritative partners such as Synopsys Technology and DBAPP Security to learn from the experience of other industries to speed up our maturity.
Additionally, we are taking action to improve support to customers in terms of security vulnerability reporting, announcements/notices and cybersecurity knowledge sharing. Customers can reach local Dahua technical support teams and/or the DHCC for support at [email protected].
SIW: What will you be doing moving forward to ensure that these types of vulnerabilities are remedied?
Fenner: First, Dahua has established and implemented a mandatory cybersecurity standard for all the newly released firmware. Vigorous testing and validation is in place to make sure all newly released firmware meets this mandatory standard.
Second, the DHCC has been established to identify vulnerabilities, engage the engineering team to develop a fix, distribute the fix, communicate to customers, and provide support. It consists of security vulnerability reporting, announcements/notices and cybersecurity knowledge sharing with our global customer base. All reported vulnerabilities will be reviewed and validated. This process has been established to engage the engineering team to analyze the scope of impact and develop software fixes quickly.
Third, part of DHCC’s role is to engage with the researcher community to identify vulnerabilities early and build best practices to improve our process.
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].
