Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof-of-concept exploit released today makes the case for the pressing upgrade.
Authentication bypass flaws are tracked as CVE-2021-33044 and CVE-2021-33045, and both are remotely exploitable during the login process by sending specially crafted data packets to the target device.
For more details on how it works, you can check out the Proof of Concept (PoC) that was part of today’s Full Disclosure, which was posted on GitHub.
It comes a month after Dahua’s security advisory urging owners of vulnerable models to upgrade their firmware, but given the neglect of these devices after their initial installation and configuration, it’s likely that a lot of between them still use an old and vulnerable version.
The list of affected models is long and covers many Dahua cameras, even some thermal ones. We searched Shodan and found over 1.2 million Dahua systems around the world.
It is important to clarify that not all of these devices are vulnerable to exploitation, but the list of affected models contains a few widely deployed.
A forbidden security puzzle
Dahua Technology is prohibited from doing business and selling products in the United States, as the Chinese surveillance camera supplier was added to the US Department of Commerce’s “entity list” in October 2019.
However, there are still tens of thousands of actively used Dahua cameras in the country, and some of them may not be so obvious. As a recent report from The Intercept details, many cameras sold in the United States under an American (like Honeywell) or Canadian brand actually use Dahua hardware and even software.
How to protect your device
Besides upgrading your Dahua camera to the latest firmware version available for your model, you also need to change the password it comes with to something unique and strong. Leaving the root access credentials to “admin” – “admin” is a safe way to expose your video streams sooner or later.
Additionally, enable WPA2 encryption if the camera is wireless and set up a separate and isolated network for your IoTs if possible.
Note that if your model is cloud compatible, you can automatically grab the patch upgrade from the control interface, instead of visiting the Dahua download center.
The discovery of the two flaws came on June 13, 2021, so some Dahua cameras remained vulnerable to unauthenticated access for at least 2.5 months, even for owners who applied the firmware update as soon as it was released. .
- Third-party health apps are vulnerable to hacks, report says
- Apple AirTags are vulnerable to stored XSS injection attacks
- Three Unpatched iOS 15 Security Vulnerabilities Posted Online – What You Need To Know
- FreakOut botnet now attacks vulnerable video DVR devices
- Hackers began to scan for vulnerable VMware vCenter servers