A California firm is rushing to patch a backdoor that apparently exists in a host of DVRs, CCTV and IP cameras it manufactures.
Engineers with Dahua Technology USA began pushing firmware updates for the issue on Monday, something the company says stems from “a small piece of code.” The company said its security team is continuing to investigate other models it produces and will provide updates for any affected devices as they arise.
An independent researcher, Bashis, discovered the backdoor over the weekend and on Monday posted proof of concept code to automate an attack to the Full Disclosure mailing list.
“I’m speechless, and almost don’t know what I should write… I (hardly) can’t believe what I have just found,” Bashis wrote, “I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones.”
Bashis removed the proof of concept at Dahua’s behest, but said he’d repost it in 30 days, on April 5, after the company has had time to patch the issue.
The researcher, who has disclosed two other bugs, a critical heap overflow in QNAP NAS devices and a remote format string in Axis Communications devices, in the last year, said it’s his personal policy to share disclosures before notifying vendors.
“I simply don’t want to listen on their poor excuses, their tryings to keep me silent for informing the community,” Bashis wrote.
The backdoor, which Dahua refers to as a vulnerability, exists in a slew of high definition composite video interface (HDCVI) cameras, IP cameras, and DVRs made by the company.
In a letter (.PDF) to customers and partners on Monday, the company said that its security team “isolated a small piece of code” that triggered the vulnerability and that it’s in the middle of developing a series of firmware patches for the issue. In the letter, Dahua downplays the backdoor and stresses that it wasn’t the result of a malicious attack on a specific installation. Instead the company claims it came to light as Bashis was “conducting independent testing of various suppliers’ surveillance products.”
The backdoor allows remote unauthorized admin access via the web the researcher claims. If an attacker had access to a special URL, they could easily delete, add, or change the name of the admin user, or change the password for the user. Bashis claims an attacker could remotely download a configuration file, essentially a user database that contains “all credentials and permissions,” choose an admin user, copy the login name and password hash and use it to remotely login to a Dahua device.
“This is like a damn Hollywood hack, click on one button and you are in…” Bashis wrote.
It’s unclear exactly how many products are impacted by the backdoor; the company said a “number” of its devices are affected on Monday. So far Dahua has pushed firmware updates for 11 affected models – three DVRs and eight IP cameras – but it’s likely more will surface over the next month.
If the backdoor is as easy to exploit as the researcher claims, it could makes the products a juicy target for botnets built on the Mirai malware.
Mirai, which targets devices, such as IP-based cameras and DVRs with poorly secured configurations, has been used to take down a number of sites and services in the last several months. A number of variants have emerged since the malware’s source code was published last October. Last month a Kaspersky Lab report confirmed that one variant, with the capability to spread to Linux machines was being circulated by a Windows-based botnet.
Dahua’s devices were singled out last summer in a Level 3 Communications/Flashpoint report about the BASHLITE family of IOT malware. According to the report, published at the end of August, DVRs manufactured by the Irvine, Calif.-based company were the most commonly infected devices. Level 3’s Chief Security Officer said Dahua was preparing a patch for the malware.