Dahua, a Chinese manufacturer of DVRs and Smart Cameras, has security problems
In fact, on the Dark Web, the company is commonly referenced as building products that are particularly easy to hack, and as such, hackers gravitate to them. In practice, what this means is that Dahua devices make up a disproportionate share of most of the botnets in operation today. In fact, the recent attack on Dyn, which brought down the internet for much of the Eastern United States, was made up of an army of devices that included a huge number of Dahua smart products.
How easy is it to hack these devices?
According to a security researcher going by the name of Bashis, it’s almost laughably easy. The manufacturer stores configuration information for all their products on a web server. Downloading the file is as simple as getting the IP address of the smart device in question.
The hacker simply types the URL into his browser, downloads the file and gains access to full information on all users who have access to the device. Even worse, using simple automation tools, the process can be replicated quickly and easily, enabling a single hacker to take control of a large number of devices single-handedly.
Bashis reported his findings to the company and posted proof of concept code on Github as a demonstration, but later removed the code at Dahua’s request to give the company time to release an update to their firmware.
Dahua has done so, but this vulnerability dates back at least three years. The company’s older equipment does not automatically get updates to its firmware, which means that there are hundreds of thousands, perhaps millions of smart devices that are still vulnerable and easily hackable.
Until those devices are manually updated (which is unlikely) or simply retired from service, they are, and will remain, at serious risk.
Additional information on the Dahua hack
For more tips on thriving with small business technology, check out the other blog posts at DWP Blogs. Thanks for reading this post. I am also available at dwpia on LinkedIn, at dwpia on Facebook,and @dwpia on Twitter.
Denis S Wilson
I am President and Principal Consultant for DWP Information Architects: specializing in IT services and support for successful, fast-growth companies in Los Angeles. And have created cost-effective information technology solutions for small business for over 20 years, specializing in cybersecurity. I am also a published author and speaker, working extensively with the SBA and its partners, and business and professional associations, providing business technology education programs.
Get the free report
"10 Hidden IT Risks That Might Threaten Your Business (Plus 1 Fast Way to Find Them)"
Please feel free to comment directly to me at denis.blog@dwpia.com.
