Unpatched Dahua cameras are vulnerable to unauthenticated remote access

Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof-of-concept exploit released today makes upgrading urgent.

The authentication bypass flaws are tracked as CVE-2021-33044 and CVE-2021-33045. Both are remotely exploitable during the login process by sending specially crafted data packets to the target device.

For more details on how it works, you can check out the proof of concept (PoC) posted on GitHub as part of today’s Full Disclosure.

It comes a month after Dahua’s security advisory urging owners of vulnerable models to upgrade their firmware, but given how often these devices are neglected after their initial installation and configuration, it’s likely that many of them still run an old and vulnerable version.

The list of affected models is long and covers many Dahua cameras, even some thermal ones. We searched Shodan and found over 1.2 million Dahua systems around the world.

Dahua cameras online worldwide. Source: Shodan

It is important to clarify that not all of these devices are vulnerable to exploitation, but the list of affected models contains a few that are widely deployed.

A forbidden security puzzle

Dahua Technology is prohibited from doing business and selling products in the United States, as the Chinese surveillance camera supplier was added to the US Department of Commerce’s “entity list” in October 2019.

However, there are still tens of thousands of actively used Dahua cameras in the country, and some of them may not be so obvious. As a recent report from The Intercept details, many cameras sold in the United States under an American (like Honeywell) or Canadian brand actually use Dahua hardware and even software.

How to protect your device

Besides upgrading your Dahua camera to the latest firmware version available for your model, you also need to change the password it comes with to something unique and strong. Leaving the root access credentials at “admin” / “admin” is a sure way to have your video streams exposed sooner or later.

Additionally, enable WPA2 encryption if the camera is wireless, and set up a separate, isolated network for your IoT devices if possible.

Note that if your model is cloud compatible, you can automatically grab the patch upgrade from the control interface, instead of visiting the Dahua download center.

The discovery of the two flaws came on June 13, 2021, so some Dahua cameras remained vulnerable to unauthenticated access for at least 2.5 months, even for owners who applied the firmware update as soon as it was released.
