Dahua, a Chinese manufacturer of DVRs and Smart Cameras, has security problems. In fact, on the Dark Web, the company is commonly referenced as building products that are particularly easy to hack, and as such, hackers gravitate to them. In practice, what this means is that Dahua devices make up a disproportionate share of most of the botnets in operation today. In fact, the recent attack on Dyn, which brought down the internet for much of the Eastern United States, was made up of an army of devices that included a huge number of Dahua smart products.
How easy is it to hack these devices?
According to a security researcher going by the name of Bashis, it’s almost laughably easy. The manufacturer stores configuration information for all their products on a web server. Downloading the file is as simple as getting the IP address of the smart device in question.
The hacker simply types the URL into his browser, downloads the file and gains access to full information on all users who have access to the device. Even worse, using simple automation tools, the process can be replicated quickly and easily, enabling a single hacker to take control of a large number of devices single-handedly.
Bashis reported his findings to the company and posted proof of concept code on Github as a demonstration, but later removed the code at Dahua’s request to give the company time to release an update to their firmware.
Dahua has done so, but this vulnerability dates back at least three years. The company’s older equipment does not automatically get updates to its firmware, which means that there are hundreds of thousands, perhaps millions of smart devices that are still vulnerable and easily hackable.
Until those devices are manually updated (which is unlikely) or simply retired from service, they are, and will remain, at serious risk.