Many Dahua IoT-based DVR devices can be hijacked by exploiting a five-year-old firmware-based vulnerability, exposing passwords.
Security researchers at NewSky Security announced the discovery that the IoT search engine ZoomEye is caching tens of thousands of passwords for Dahua DVR devices. The passwords are published in clear text, free for the taking for any hacker, making it easy for even the most unskilled to break into the devices.
The Dahua devices are easily hijacked using a five-year-old vulnerability. The company has taken no steps to address the vulnerability and still sells the insecure devices. The vulnerability is the same one used by the hacker behind the Brickerbot IoT malware. The researchers said it appears ZoomEye is also exploiting the vulnerability.
“A new low has been achieved in the ease of hacking IoT devices,” said Ankit Anubhav, principal researcher at NewSky Security. “One does not even need to connect to the Dahua devices to get the credentials. There should be strict regulations for devices to have an update feature, which can be used to automatically push patches to the firmware as soon as the device is connected to the internet,” Anubhav told The Register. “As long as an IoT device has a strong password and is updated, it should take care of the bulk of the problem. Zero days will still pop up, but most IoT attackers use known passwords/exploits to hack, and they will fail in their attempts.”
ZoomEye’s administrators ignored emails from The Register asking if they planned to address the issue and stop caching passwords. Dahua, which is located in China, also ignored the publication’s inquiries as to whether they intend to start pushing automatic security updates to address the vulnerabilities. So in essence, no one wants to take responsibility for or fix the security issues. That means it’s up to users. If you have a Dahua DVR, it may be best to replace it with a more secure model.