Dahua DVR Authentication Bypass Vulnerability Puts Thousands of DVRs Accessible

As people turn away from physical home guards, security officers, and guard animals to digital video recording (DVR) closed circuit television (CCTV) security cameras, hackers have found a vulnerability in older technologies that allow breach of access to installed home surveillance device accounts which can put owners at risk. Dahua is a premier security and surveillance technology firm that provides up to date secure solutions to replace outdated modules utilizing pre-existing connections and cabling. It seems, though, that there is a vulnerability that has been known since 2013 in Dahua’s security imaging DVR devices, to which an update was sent out for upgrade of security, but as many users have not availed the free upgrade, thousands of devices have had their access credentials stolen and are now red labeled at risk.

The exploit was researched and written upon in depth before being presented to the public. The report CVE-2013-6117, discovered and detailed by Jake Reynolds explains that the exploit begins with a hacker starting a transmission control protocol with the Dahua device on port 37777 for payload. To this request, the device then automatically sends out its dynamic domain name system credentials which the hacker can then use to remotely access the device, tamper with its stored contents, as well as manipulate its configurations. Ever since the vulnerability was reported, update requests were sent out but as many users chose to forego the upgrades, their credentials have been stolen and are now available on ZoomEye, a search engine that keeps record of information obtained from various devices and online websites.

ZoomEye Cyberspace Search Engine. ICS ZoomEye

Dahua DVR devices operate over the TCP 37777 port through which they use a simple binary protocol to access the DVR’s camera system from a remote on-net location. At no point in this process is sufficient credential authentication required, as is expected with one-off binary procedures. It is a direct connection to the port of the device and allows for access to current streams of footage as well as previously recorded footage which can be managed and wiped remotely. ActiveX, PSS, iDMSS and the like allow the hacker to bypass the bare minimum login page provided as well, which then allows the hacker to send in unauthorized requests that can do everything from wipe the DVR to change the access credentials. In another scenario, a hacker can access the TCP 37777 port to gauge the firmware and serial number of the DVR in use. Exploiting the one-off binary protocols in the following, s/he could obtain email, DDNS, and FTP information stored on the device. This information can be used to follow through the login page of the DVR remote access web portal and then the hacker can access the streams and footage of interest. This is if the hacker doesn’t outsmart the process and bypass the login page entirely as pointed out earlier.

Remote Web Login Page. Depth Security

Looking into the records of ZoomEye, it is clear that this vulnerability has been exploited to access hundreds of thousands of DVRs and retrieve their access credentials for remote viewing through the product’s web portal. Logs of thousands of passwords are stored in plain access on ZoomEye and a simple search of the passwords or usernames can return unbelievable numbers of hits. Searching through the compiled data, it isn’t comforting to see that some 14,000 people choose to keep their password as “password” but that isn’t the direct matter of concern with this vulnerability. Dahua did release an update that adds further levels of security to prevent unauthorized access of the camera’s footage but despite that, remote access keeps the whole process a little fishy as there is no time and place restriction to the access and just as well as the owner can tap into his or her cameras from afar, a hacker that manages to steal the login credentials can too. As explained above, stealing those isn’t too difficult to do when all of Dahua’s devices operate on uniform ports and connections.

Aaron Michael
Aaron Micheal is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge in gaming makes him a very competent writer. What makes him unique is his growing interest in the state of the art technologies that motivates him to learn, adopt, and integrate latest techniques into his work.