Dahua video kit left user credentials in plain sight

Chinese security camera/DVR company Dahua is pushing firmware patches after accusations by a security researcher that a swathe of its products carried a back door.

First notified to video surveillance publication IPVM and the Full Disclosure list, the vulnerability is described as a “damn Hollywood hack, click on one button and you're in” by its discoverer.

Full Disclosure poster “bashis” writes the vulnerable devices – DVRs, network video recorders (NVRs) and IP cameras – have a “secret” URL accessible to the Internet that accesses the user database without authentication.

So the takeover is simple: download the user list, choose an admin login and password hash, and remotely log into a Dahua device exposed to the Internet.

Bashis originally published a proof-of-concept at GitHub, but at the request of the company he's taken it down until April 5 to let them push out a patch.

Dahua has pushed new firmware for eleven products, and its statement attributes the problem to a “coding issue”. This is feasible, we suppose, since developers often leave sensitive accounts open to make their job easy, and forget to lock things up later.

Bashis told IPVM he still believes it was a backdoor because the user list was unprotected and in a Web-accessible folder.

He also points out the stored password hashes are generated client-side (Javascript in the Web browser). In other words, the hashing is ineffective, because that's (not the raw password) what's sent as the login credential.

IPVM notes that Dahua was caught by the Mirai botnet last year, and in 2015, its systems were among the targets of a botnet designed not compromise, but to harden device security. ®