Insecure Dahua DVRs Expose Passwords to IoT Search Engine

The proliferation of hackable IoT devices whose manufacturers often don’t consider security a priority, as well as the rise of “IoT search engines” such as ZoomEye, has made it significantly easier for malicious attackers to exploit millions of such devices.

A recent report by Ankit Anubhav, Principal Researcher at NewSky Security, revealed that ZoomEye was caching the login passwords it had been capturing from non-secure Dahua Digital Video Recorders (DVRs) that it scanned and indexed.

Unpatched DVRs

The flaw in the Dahua DVRs that made it so easy for anyone, including ZoomEye, to scan and capture their passwords was first identified five years ago. At the time, Dahua’s system still relied on the oft-maligned ActiveX plugins and Internet Explorer, so as you can imagine, it wasn’t too difficult for attackers to exploit it.

Dahua has since patched the flaw, but, like most IoT devices, Dahua’s DVRs lacked an automatic update system that could apply the patch for everyone. An automatic update system is all the more useful for devices where almost no one is interested in updating the software, or at least in doing so often. DVRs and IP cameras are a good example of such a product. Yet even today many such devices lack automatic updates.

Because of this feature omission, now thousands of unpatched Dahua DVRs continue to be vulnerable to attackers who can steal their passwords and gain access to Dahua customers’ real-time video surveillance feeds.

ZoomEye’s Password Caching

Although Dahua and its customers are ultimately responsible for the security of their devices, the IoT search engine ZoomEye hasn't exactly made the situation any better. ZoomEye’s caching of over 30,000 Dahua DVRs passwords, of which most are “admin” or “123456,” has made it trivial not just for botnets to take over these devices, but also for others to destroy the non-secure devices.

BrickerBot is a type of malware whose purpose is to "brick," or render inoperable, non-secure IoT devices. It was part of the authors’ “Internet Chemotherapy” project, meant to clean the internet of non-secure devices. BrickerBot is now among the IoT malware targeting Dahua DVRs, too.

If you own a Dahua DVR and don’t want your device bricked or worse, you may want to follow Dahua’s advice to update your firmware and change your password to a stronger version.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • drtweak
    21146734 said:
    "Dahua’s DVRs lacked an automatic update system that could apply the patch for everyone"

    No longer true with their new DVR's released in the past few months. They now have auto updating Firmware.

  • dark__mog
    Old news guys...