Many Dahua IoT-based DVR devices can be hijacked by exploiting a five-year-old firmware-based vulnerability, exposing passwords.
Security researchers at NewSky Security have discovered that IoT search engine ZoomEye cached tens of thousands of passwords for Dahua DVR devices. The search engine displays the passwords in clear text, free for the taking, making it easy for even the most unskilled cybercriminal to hack into devices.
This vulnerability isn’t new. In fact, the company has known about it for five years yet taken zero steps to address it. The hacker behind the Brickerbot IoT malware used this weakness, and it appears that ZoomEye has also exploited it. Meanwhile, Dahua continues to sell its woefully insecure devices.
“One does not even need to connect to the Dahua devices to get the credentials. There should be strict regulations for devices to have an update feature, which can be used to automatically push patches to the firmware as soon as the device is connected to the internet,” NewSky Security principle researcher Ankit Anubhav says.
“As long as an IoT device has a strong password and is updated, it should take care of the bulk of the problem. Zero days will still pop up, but most IoT attackers use known passwords/exploits to hack, and they will fail in their attempts.”
Consumers Must Protect Themselves
The Register sent emails to ZoomEye’s administrators asking whether the company planned to address the issue and stop password caching. Emails went ignored. China-located Dahua also ignored inquiries about whether it will push automatic security updates to address the vulnerabilities.
Currently, no one wants to take responsibility for fixing the issues. Right now, it’s up to users. We recommend replacing a Dahua DVR with a more secure model.