Unpatched Dahua cameras are vulnerable to two authentication bypasses, and the proof of concept that has now been disclosed shows that owners need to upgrade quickly.
The authentication bypass vulnerabilities are tracked as CVE-2021-33044 and CVE-2021-33045, and both can be exploited remotely by sending crafted data packets to the target device during the login process.
More information is available in the proof of concept (PoC) posted on GitHub, which is part of today’s full release.
It’s been a month since Dahua issued a security advisory urging owners of vulnerable models to upgrade their firmware, but given how many of these devices are left unattended after initial installation and setup, it’s possible that many are still running older, vulnerable versions.
A vulnerability has been discovered in some Dahua products that bypasses identity authentication during login. An attacker can bypass the device’s identity authentication by sending malicious data packets.
The list of affected models is extensive and covers many Dahua cameras, as well as some thermal cameras.
A search on Shodan found over 1.2 million Dahua systems worldwide.
Not all of these devices can be exploited, but it should be made clear that the list of affected models includes some that are widely deployed.
Dahua Technology has been banned from doing business or selling products in the United States after the Chinese surveillance camera vendor was added to the US Department of Commerce’s Entity List in October 2019.
However, there are still tens of thousands of Dahua cameras in active use in Japan, some of which may not be so obvious.
As a recent report from The Intercept details, many of the cameras sold in the US under US (e.g. Honeywell) and Canadian brands are actually using Dahua hardware and even software.
How to protect your device
Besides upgrading the firmware of your Dahua camera to the latest version, change the password that was set at the time of purchase to something unique and strong. If the root access credentials are left as “admin” / “admin”, the video will eventually become public.
If the camera is wireless, enable WPA2 encryption and, if possible, set up a separate, isolated network for IoT devices.
If your camera model supports the cloud, you can also get the updated firmware automatically from the control interface without having to go to Dahua’s download center.
Because the two vulnerabilities were discovered on June 13, 2021, some Dahua cameras have been vulnerable to unauthenticated access for at least 2.5 months, even for those who applied the firmware update as soon as it was released.