Sometimes security can be messy

A Chinese CCTV camera company has been forced to issue patches to its products after being accused of leaving backdoors in several of its products.

The firm, Dahua, has pushed the patch out to eleven of its products, including DVRs, network video recorders (NVRs) and IP CCTV cameras.

“We were recently made aware of a cyber-security vulnerability that affects certain Dahua recorders and IP cameras. It's important to note that the vulnerability is not the result of a malicious attack on any specific installation where our products are deployed; it was discovered by [independent researcher] Bashis conducting independent testing of various suppliers' surveillance products,” said a statement on its website.

The researcher who unearthed the flaw, “Bashis”, detailed the backdoor to the Full Disclosure mailing list. The hidden URL, reachable from the internet, could allow a hacker to remotely download the full user database with all credentials and permissions, choose an admin user, copy the login name and password hash, and use them to log in remotely to the Dahua devices.

“This is like a damn Hollywood hack, click on one button and you are in,” said Bashis. The researcher had originally posted a proof-of-concept of the flaw but later removed it at the request of Dahua.

Bashis is convinced that the vulnerability was a backdoor, deliberately left in the product. “I have my own policy to NOT notify the vendor before the community. (I simply don't want to listen on their poor excuses, their tryings [sic] to keep me silent for informing the community),” he said.

Andrew Tierney, security consultant at Pen Test Partners, told SC Media UK that there seems to be a trend to call everything a backdoor at the moment, especially when they are trivially exploitable vulnerabilities.

“There has to be intent by the manufacturer, and there are no signs that this is the case. They look very much like normal vulnerabilities,” he said.

“The first issue is that you can download hashed passwords via an unauthenticated web request. That is bad in itself, but you would still need to perform a brute-force attack to get the password. The second issue is that the device performs client-side password hashing in JavaScript, in the user's browser. Essentially, the device accepts the hashed password as the password.”

Tierney added that when the two are put together “you get a serious vulnerability.”

He added that the first part – the hashes available unauthenticated – “looks like an honest vulnerability”.

“The hashes are stored in an insecure way. We see this quite a lot on embedded systems,” said Tierney. “The second part is a design failure. I've seen client-side hashing done so much that I have written about it in the past.”
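The two issues Tierney describes combine into a single failure: if the device stores an unsalted hash and compares whatever the browser sends directly against it, the stored hash is itself the credential, so leaking the hash is as bad as leaking the password. The following model is an added example written for this page, not Dahua's firmware or Pen Test Partners' code; the user names, passwords and hash functions are constructed. It places the flawed design beside a hardened one in which the server salts and stretches the password itself, so a copy of the stored record cannot be replayed as a login.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the hardened design (assumption)

# Constructed sample user database mirroring the flawed design: an unsalted
# hash is stored, and the browser is expected to send that same hash at login.
FLAWED_USER_DB = {
    "admin": hashlib.md5(b"correct horse").hexdigest(),  # constructed sample
}


def flawed_login(username: str, submitted: str) -> bool:
    """Model of 'the device accepts the hashed password as the password'.

    The browser hashes client-side and the device compares the submitted
    string with the stored hash. Whoever holds the stored hash can log in
    without ever learning the password, which is why an unauthenticated
    download of the hash table becomes a full compromise.
    """
    stored = FLAWED_USER_DB.get(username)
    return stored is not None and hmac.compare_digest(stored, submitted)


# Hardened design: the server does the hashing, with a per-user random salt
# and a slow key-derivation function. The stored record is not a credential.
def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


HARDENED_USER_DB = {"admin": make_record("correct horse")}  # constructed sample


def hardened_login(username: str, submitted_password: str) -> bool:
    """Server-side verification: re-derive from the submitted password and
    compare in constant time. Presenting the stored digest does not work,
    because the digest of the digest will not match."""
    record = HARDENED_USER_DB.get(username)
    if record is None:
        # Burn the same amount of work for unknown users so response time
        # does not reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def leaked_record_is_credential(login, username: str, leaked_value: str) -> bool:
    """Audit helper: does replaying a value copied from the user database
    succeed as a login? True means the storage format is itself a secret."""
    return login(username, leaked_value)


if __name__ == "__main__":
    print("flawed design, replay stored hash :",
          leaked_record_is_credential(flawed_login, "admin", FLAWED_USER_DB["admin"]))
    print("hardened design, replay stored digest:",
          leaked_record_is_credential(hardened_login, "admin",
                                      HARDENED_USER_DB["admin"]["digest"].hex()))
    print("hardened design, real password :", hardened_login("admin", "correct horse"))
```

Client-side hashing is not wrong in itself as a transport measure, but the server must still treat whatever the client sends as the secret and salt and stretch it again before storing; what it must never do is store the exact string the client will present. The `leaked_record_is_credential` check is a useful one-line test to run against any embedded login design: if copying a row out of the database lets you in, the database is the password.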

David Kennerley, director of threat research at Webroot, told SC that there is always more that organisations can do to at least mitigate some of the risk.

“Deciding whether devices like security cameras actually need to be internet facing in the first place is a good place to start,” he said.

“If it is necessary, organisations should install devices behind a corporate firewall, lock down access on IP addresses and consider only using remote VPN access. Monitoring of external connections and traffic goes without saying. These mitigation methods not only decrease the risks highlighted in this case, but will also help protect devices against other threats like the Mirai botnet.”

Cesare Garlati, chief security strategist at the prpl Foundation, told SC that by using open source, forging a root of trust in hardware and security by separation using hardware virtualisation, “manufacturers of IoT devices will be able to ensure they are secure and stop devices like the Chinese surveillance cameras being hacked”.

“Interoperable, open standards are the key requirement for developers in order to improve IoT security even in the smallest of connected devices,” he said.