Newly released patch should fix flaw that could allow hackers to take over Dahua security cameras and related equipment.
Dahua, a Chinese manufacturer of video surveillance equipment, has been forced to issue security patches for devices such as CCTV cameras and digital video recorders (DVRs), following the discovery of flaws that could allow anyone to access and control them.
A security researcher, who goes by the name of Bashis, posted exploit code to the Full Disclosure security mailing list. The code takes advantage of a vulnerability in how security cameras and DVRs made by Dahua handle authentication.
These IoT devices run a small web server and that server requires a user to enter a username and password to gain access. However, the researcher found that they could force a device to give up username details as well as a hashed value of a password.
In the disclosure, Bashis said that the exploit was as simple as remotely downloading the full user database with all credentials and permissions, choosing an admin user, copying the login names and password hashes and using these to remotely log in to the Dahua devices.
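A simplified model of why a copied hash was enough to log in, added here as an illustration; it is not Dahua's code or the researcher's exploit. The hash functions, iteration count and all function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample password; not taken from any real device.
PASSWORD = "correct horse battery"

def weak_record(password):
    # Weak design (assumed): the device stores H(password) ...
    return hashlib.sha256(password.encode()).hexdigest()

def weak_login(stored_hash, presented_hash):
    # ... and its login accepts that same stored value as the credential,
    # so the hash is equivalent to the password.
    return hmac.compare_digest(stored_hash, presented_hash)

def strong_record(password):
    # Hardened design: store a per-user salt and a slow, salted verifier.
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, verifier

def strong_login(record, presented_secret):
    # The server re-derives the verifier from whatever the client presents,
    # so presenting the stored verifier itself does not match.
    salt, verifier = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_secret.encode(), salt, 200_000)
    return hmac.compare_digest(verifier, candidate)

def replay_leaked_database():
    """Return (weak accepts leaked hash, strong accepts leaked verifier,
    strong accepts the real password)."""
    weak = weak_record(PASSWORD)
    strong = strong_record(PASSWORD)
    leaked_weak = weak               # value as read from a leaked user database
    leaked_strong = strong[1].hex()  # same, for the hardened record
    return (
        weak_login(weak, leaked_weak),
        strong_login(strong, leaked_strong),
        strong_login(strong, PASSWORD),
    )

if __name__ == "__main__":
    print(replay_leaked_database())
```

The hardened record only limits what a leak gives away: weak passwords can still be guessed offline, so the user database must also never be served to unauthenticated clients.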
Bashis was convinced that the flaw was a ‘back door’, left intentionally by the manufacturer, writing: “Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community. (I simply don’t want to listen on their poor excuses, their tryings [sic] to keep me silent for informing the community).”
The disclosure has since led to Dahua publishing an advisory on the matter, identifying several devices with the vulnerability and urging users to download and install the newest firmware updates as soon as possible.
However, according to a post on the ‘Krebs on Security’ blog, the exploit code that Bashis originally published and then took down has already been copied in several other places online, meaning that hackers may still have access to this code and could use it to attack unpatched IoT devices.
Travis Smith, senior security research engineer at IT security company Tripwire, told Internet of Business that building security into a product takes time and money.
“For device manufacturers, the primary drivers are time-to-market and keeping the cost low. This creates a difficult environment to create a product which can withstand the watchful eye of white and black hat hackers,” he said.
“The advice still stands; don’t connect any device to the internet unless it’s absolutely critical. If the device is connected to the internet, install updates as soon as possible and keep it on a segmented network, such as a guest wireless network. Should a device become compromised, this will reduce your exposure and limit what a potential hacker has access to.”