Unpatched Dahua DVRs pose security issue

July 20, 2018
Password vulnerability initially discovered in 2013 still affecting many devices

Despite numerous warnings from cybersecurity experts in recent years about the importance of patching IP-enabled physical security equipment against known vulnerabilities, it seems that message still hasn’t taken hold in some corners of the industry.

Last week, Ankit Anubhav, Principal Researcher at NewSky Security, revealed on Twitter that the login passwords for tens of thousands of Dahua DVRs have been cached and indexed by the IoT search engine ZoomEye. To make matters worse, the vulnerability behind the exposure, CVE-2013-6117, was discovered in 2013, and the company issued a firmware patch for it at the time.

NewSky stopped its research once it had established the extent of the exposure, so it cannot say how many of the devices have already been compromised. Still, Scott Wu, Co-Founder and CEO of NewSky Security, which has a number of customers running enterprise IP camera systems in the Smart Cities and Smart Buildings sectors, says the potential impact to owners of these devices is obvious: many of them are either already “owned” by malicious actors or at “critical risk” of being owned. In fact, Wu says he would be surprised if they are not all already compromised, considering how fast information moves in the underground economy of the internet.

“It is a vulnerability of the DVR, which responds to inquiry with the credentials in plaintext,” Wu explains. “ZoomEye, as a Shodan-like IoT search engine, stores and indexes search results, including the credentials unfortunately given via the vulnerability.”

For its part, Dahua issued a statement earlier this week calling on those who own affected devices to update them and change their passwords. “We noted that some media recently reported about CVE-2013-6117, which was fixed in 2013. We strongly recommend customers who use DVR versions before 2013 to upgrade the device and change the password. The latest firmware can be downloaded from Dahua website,” the statement reads.

Dahua also encouraged anyone with cybersecurity related questions to contact the company via email at [email protected].

Permanently Disabled

There have been some indications that an IoT security vigilante, who goes by the moniker of “The Janitor,” may have already found and “bricked” some of the vulnerable DVRs using BrickerBot malware. According to Wu, bricking – also known as a permanent denial-of-service (PDoS) attack – essentially renders affected devices useless.

“The attacks are done by a lone vigilante hacker,” Wu says. “In this case, ‘Janitor’ has an opinion that IoT security has a lot of issues – which he terms as a cancer – and the only solution is to make all poorly secured IoT devices unusable, which he calls ‘Internet Chemotherapy.’”

That’s not to say, however, that some of these and other vulnerable devices have not already been exploited by hackers for more traditional cyber schemes.

“Bricking is only the tip of the iceberg,” Wu says. “Mirai got 300,000-plus IP cameras involved in an IoT botnet. We have also seen more sensitive attacks which involved ARP spoofing (a technical term, which results in replacing video to trick a security monitoring team) to monitor videos remotely and maliciously.”
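The video-replacement attack Wu mentions works by poisoning ARP caches so that traffic between a camera or DVR and its gateway is routed through the attacker's host, which can then substitute its own stream. As an added example (not code from NewSky, Dahua or this article), the Python monitor below replays a constructed list of ARP replies and flags the two signatures such an attack leaves on the wire: an IP address whose MAC binding changes, and a single MAC that claims more than one IP address. The DVR and gateway addresses are hypothetical; a real deployment would feed it ARP replies captured on the camera VLAN.

```python
"""Flag ARP-spoofing signatures in a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical addresses for the example; substitute your own DVR and gateway.
DVR_IP = "10.0.0.20"
GATEWAY_IP = "10.0.0.1"

# Constructed sample of ARP replies as (timestamp_seconds, sender_ip, sender_mac).
# The first entries establish the legitimate bindings; the last two show one
# unknown MAC claiming both the DVR's and the gateway's addresses, which is the
# classic man-in-the-middle pattern used to intercept or replace a video feed.
SAMPLE_ARP_REPLIES = [
    (0.0, DVR_IP, "aa:bb:cc:00:00:20"),
    (1.0, GATEWAY_IP, "aa:bb:cc:00:00:01"),
    (5.0, DVR_IP, "aa:bb:cc:00:00:20"),
    (9.5, DVR_IP, "de:ad:be:ef:00:99"),      # attacker claims the DVR's IP
    (9.6, GATEWAY_IP, "de:ad:be:ef:00:99"),  # same MAC also claims the gateway
]


@dataclass(frozen=True)
class Alert:
    ts: float
    reason: str    # "binding-changed" or "mac-claims-multiple-ips"
    ip: str
    mac: str
    severity: str  # "high" when a protected address is involved, else "medium"


def detect_arp_spoofing(replies, protected_ips):
    """Return alerts for IP->MAC binding changes and for one MAC claiming
    several IPs.

    `replies` is an iterable of (ts, ip, mac) tuples in time order; the first
    reply seen for each IP is trusted as its baseline binding. `protected_ips`
    is a set of addresses (DVR, gateway) whose hijack is rated high severity.
    """
    bindings = {}                 # ip -> most recently claimed mac
    ips_by_mac = defaultdict(set)  # mac -> every ip it has claimed
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()

        # Signature 1: an address we already know suddenly answers from a new MAC.
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            sev = "high" if ip in protected_ips else "medium"
            alerts.append(Alert(ts, "binding-changed", ip, mac, sev))
            bindings[ip] = mac  # keep following the current claimant

        # Signature 2: one MAC claims a second (or further) IP. Poisoning both
        # ends of a conversation is how the attacker gets in the middle.
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > before and len(ips_by_mac[mac]) > 1:
            sev = "high" if ips_by_mac[mac] & protected_ips else "medium"
            alerts.append(Alert(ts, "mac-claims-multiple-ips", ip, mac, sev))

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, {DVR_IP, GATEWAY_IP}):
        print(alert)
```

Legitimate events can trip either rule (a DVR whose NIC was replaced, a router that answers for several addresses from one interface), so in practice the baseline bindings should come from an inventory rather than from the first packet seen, and known multi-homed hosts should be allowlisted. Static ARP entries on the monitoring workstation for the DVR and gateway, or dynamic ARP inspection on the switch, stop the attack rather than merely detecting it.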

The relative ease with which someone could initiate an attack against these DVRs even led NewSky to dub this a “new low” in IoT security.

“We have often seen low-skilled attackers using weak passwords to easily hack IoT devices; however, in this case, the devices can be exploited even without connecting to (them…by obtaining) the credentials directly from ZoomEye (with) a free account,” Wu says. “The only hacking skill an attacker needs is to know how to properly use the internet to see passwords for the 30,000 devices.”

Sean Newman, Director of Product Management for Corero Network Security, says the incident also demonstrates the importance of keeping up with and fixing previously reported vulnerabilities. “This highlights one of the key issues with IoT security where, even though the vendor had actually fixed the vulnerability, the owners of the devices still haven’t got around to, or been able to, upgrade them,” Newman says. “While this behavior continues, there remains no end in sight for IoT devices being acquired for various nefarious activities – including use in botnets for launching DDoS and other large-scale criminal campaigns.”

Moving forward, Wu says this vulnerability discovery should serve as a reminder to security end-users and integrators to put proper security controls in place to ensure their systems cannot be easily compromised. “Who is in control of your surveillance system, you or the hacker? Keep this in mind to adopt the right risk management and cybersecurity control,” he concludes.

About the Author:

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].