Slashdot Mirror


Passwords For Tens of Thousands of Dahua Devices Cached In IoT Search Engine (bleepingcomputer.com)

An anonymous reader writes: "Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine)," reports Bleeping Computer. A security researcher has recently discovered that instead of just indexing IoT devices, ZoomEye is also sending an exploitation package to devices and caching the results, which also include cleartext DDNS passwords that allow an attacker remote access to these devices. Searching for the devices is trivial and simple queries can unearth tens of thousands of vulnerable Dahua DVRs. According to the security researcher who spotted these devices, the trick has been used in the past year by the author of the BrickerBot IoT malware, the one who was on a crusade last year, bricking unsecured devices in an attempt to have them go offline instead of being added to IoT botnets.

28 comments

  1. Chinese crap by Anonymous Coward · · Score: 0

    Please stop buying this nonsense.

    1. Re:Chinese crap by Anonymous Coward · · Score: 0

      +1

      I will *NEVER* understand the idea of buying a product intended for security (cameras, door locks, vehicle alarms, etc.) and then placing them onto the internet?

      Philosophically, this seems very self-defeating and backward.

    2. Re:Chinese crap by Anonymous Coward · · Score: 1

      You're not a millennial. You wouldn't understand.

      The rest of us want Facebook integration with our door locks and bank deposit boxes.

    3. Re:Chinese crap by Anonymous Coward · · Score: 0

      How about some BVDs that know when you're gonna take a shit before you do, and alert you on your phone of your pending porcelain date, which also tells you if you should grab another roll of TP on your way to the can. After, your toilet will analyze your pee and poo, set up a doctor's appointment if needed, and notify all your recent sexual partners if anything contagious is detected. All while posting constant status updates on Facebook so your mum doesn't worry too much.

    4. Re:Chinese crap by arglebargle_xiv · · Score: 5, Interesting

      Dahua actually make pretty top-shelf gear. They also OEM for half the high-end video camera systems out there, so the "Made in USA" system you'll end up buying in place of your "Chinese crap" at five times the price could well be a Dahua under the hood. Or, more likely, something far worse than Dahua.

      In addition:

      The vulnerability has been known since 2013 and has been since patched, but many Dahua device owners have failed to update their equipment, and even to this day have continued to deploy DVRs running the antiquated firmware online.

      While technically correct, this is rather misleading. Dahua don't sell to or deal with end users, so the device owners have nothing to do with the problem; it'll either have been set up by a Dahua-approved vendor or be under a completely different name as an OEM, one who last updated their firmware in 2010.

    5. Re:Chinese crap by arglebargle_xiv · · Score: 1

      Argh, posted too early: Dahua is the second largest manufacturer of security cameras in the world (top is Hikvision). That's what I meant when I said your expensive "Made in USA" system will most likely be "Chinese crap" (as you put it, not me) under the hood.

    6. Re:Chinese crap by gweihir · · Score: 1

      You mean one should buy Cisco instead with minimally more sophisticated backdoors?

      But I admit, I do not have a good solution for most people. Personally, I use a Linux box as a router, and people with some technical skills may use something with pfSense, but ordinary users are pretty much screwed at this time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    7. Re:Chinese crap by denzacar · · Score: 1

      They also OEM for half the high-end video camera systems out there, so the "Made in USA" system you'll end up buying in place of your "Chinese crap" at five times the price could well be a Dahua under the hood.

      No wonder they do that, with a name that I keep reading as Dachau.

      Or, more likely something far worse than Dahua.

      What? Like making a holographic projector and branding it Holocast?

      --
      Against stupidity the gods themselves contend in vain

    8. Re:Chinese crap by Anonymous Coward · · Score: 0

      I have webcams exposed so I can remote into them (basic security which isn't much). Granted, I don't care if someone is watching me. But, I do care that I can see what is going on when I'm not there (when I get alerts). Some security, some checking up on critters, some geekiness. I haven't found an app to simply use a VPN to do this, otherwise I'd do it that way.

      I know you said you would never understand, but I was hoping to answer you in a way that helps you.

  2. internet cameras and security? by Anonymous Coward · · Score: 0

    Never ever put a camera directly on the internet. If you can access a camera directly through the camera's web interface then so can anyone!

    1. Re:internet cameras and security? by olsmeister · · Score: 1

      If they want to watch the deer come into the back yard and eat apples that have fallen onto the ground, they are welcome to.

    2. Re: internet cameras and security? by Anonymous Coward · · Score: 1

      But what if the deer wants some privacy. It's bad enough you're watching them. Must the whole world watch too? ;-)

    3. Re: internet cameras and security? by olsmeister · · Score: 2

      Well, by deer, I mean neighbors. And by eat apples, I mean have sex.

    4. Re: internet cameras and security? by Anonymous Coward · · Score: 0

      Your neighbors have sex with deer and then eat apples?

      Dayumn. Bye bye miss American pie, right?

    5. Re: internet cameras and security? by Anonymous Coward · · Score: 0

      Your neighbors have sex with deer and then eat apples?

      Dayumn. Bye bye miss American pie, right?

      Well if that is what is happening, why the heck would you let people watch for free? People will pay for that kind of stuff...

  3. Well, Trump's going to Federal Prison by Anonymous Coward · · Score: 0

    Insane would be an improvement for our barely-legal traitor POTUS.... I hear the mental health care in Federal Prison is extremely lacking. Sad!

  4. Re: Musk by Anonymous Coward · · Score: 0

    You're just jealous that Mr Musk is smarter, better looking, richer, more successful with women, and an all-around better human being than you.

    Either that, or you're another one of David Brock's "nerd virgins" astroturfing Slashdot for pay.

    https://www.motherjones.com/politics/2014/09/david-brock-hillary-clinton-correct-the-record/

  5. Re:Musk by ArchieBunker · · Score: 1

    People were always on his dick like a cult leader. Can't wait to see how his followers spin this. Oh and are these the dirt cheap DVRs like Harbor Freight sells?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard

  6. Re: Musk by Anonymous Coward · · Score: 0

    Funny you should mention women. His ex who is in Westworld is hot as fuck.

  7. IoT Security by dc29A · · Score: 5, Funny

    Remember, the 'S' in IoT is for 'Security'.

    1. Re:IoT Security by ChromeAeonuim · · Score: 1

      And you can't spell idiot without IoT.

  8. IoTT by Anonymous Coward · · Score: 0

    Will someone please invent the Internet of Ta-Tas?

  9. Gotta brick 'em all by Opportunist · · Score: 1

    The more the better. Maybe at some point people will stop buying that crap and the whole thing is finally over.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. Re:Musk by Anonymous Coward · · Score: 0

    Well the worst thing he did was call a British expat a Pedo for no good reason - actually no, the worst thing he did was give money to US house republican campaign fundraisers. I guess he's secretly nazi scum.

  11. 2nd link is wrong by Anonymous Coward · · Score: 0

    The second link leads to a 2013 blog post for CVE-2013-6117. Somebody botched the summary.

  12. NOT by Anonymous Coward · · Score: 0

    Go to the next Linux User Group and have them configure something like an RPI to act as a firewalled Wifi router. Cost: $50 HW plus two beers.
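The advice in this comment and in the earlier "never put a camera directly on the internet" post amounts to one firewall policy: cameras and DVRs live on their own segment, operators reach them only from the LAN or over a VPN, and nothing on the WAN can reach them. The nftables ruleset below is an added example written for this page, not something posted in the thread or shipped by Dahua, pfSense or any project. It assumes a small Linux router (a Raspberry Pi or the Linux box mentioned above) with interfaces named wan0, lan0, iot0 (the camera segment) and wg0 (a WireGuard VPN on UDP 51820); all of those names and ports are assumptions and should be adjusted to the real box.

```nft
# Added example, not from the thread: nftables policy for a small Linux router
# that keeps cameras/DVRs reachable only from the LAN and the VPN, never from
# the WAN, and stops the cameras from talking to the internet on their own
# (no cloud/DDNS registration, no callbacks if one is compromised).
# Interface names and the VPN port are assumptions for this example.

flush ruleset

table inet camera_guard {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        # Router management (SSH) only from the LAN and the VPN, never the WAN
        iifname { "lan0", "wg0" } tcp dport 22 accept
        # The only thing the WAN may start: VPN handshakes (assumed port 51820)
        iifname "wan0" udp dport 51820 accept
        # Camera segment gets DNS and DHCP from the router and nothing else
        iifname "iot0" udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Operators reach camera web interfaces from the LAN or over the VPN.
        # There is deliberately no rule (and no dnat) letting wan0 reach iot0.
        iifname { "lan0", "wg0" } oifname "iot0" tcp dport { 80, 443 } accept
        # Cameras may sync time; every other outbound attempt is logged and dropped,
        # so a DVR trying to register with a DDNS service shows up in the journal.
        iifname "iot0" oifname "wan0" udp dport 123 accept
        iifname "iot0" oifname "wan0" log prefix "camera-egress-blocked: " drop
        # Ordinary LAN clients get out to the internet as usual
        iifname "lan0" oifname "wan0" accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f camera_guard.nft` and confirm the result with `nft list ruleset`. The forward chain is the part that matters for the story in this thread: a device on iot0 is never exposed by a port forward, so an internet-wide scanner cannot reach its web interface or DVR service at all, and the egress drop means the device's own DDNS feature stops working, which is intended. Anyone who needs remote viewing connects to the VPN first and then browses the camera as if on the LAN.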

  13. SSH Over Internet by Anonymous Coward · · Score: 0

    ...is a very secure technology. Millions of servers use it.

    So in theory, you *can* create secure internet-connected devices. You can even prove the internet-facing code mathematically correct. See L4 or INRIA CompCert.

    Of course NSA and their Chinese peers won't like secure devices. Neither will the GRU or GCHQ.