Traditionally, closed-circuit TV (CCTV) cameras and digital video recorders (DVRs) have been stand-alone, self-contained systems. If the ability to access these systems remotely was required, it was most commonly achieved by opening a port on a firewall and allowing access from the Internet to the DVR or camera directly. Although effective, that method of access left what was in many cases a potentially vulnerable device exposed to the Internet and your internal network. Case in point: our previous blog post on Dahua DVRs.

Cloud services seemingly provide a much better access option for these devices. Instead of allowing inbound access into your own network from the Internet, you could simply enable what is typically a proprietary cloud service for your flavor of device. That configuration would allow the DVR or CCTV camera to communicate to the cloud service on the Internet. Any remote access or monitoring would occur by accessing the cloud service. There would be no inbound access through your firewall and even a vulnerable device would not be exposed to the Internet at large.

Cloud services can certainly provide security benefits such as not having to expose your CCTV DVR to the internet to view cameras remotely. If an attacker finds a flaw in the cloud, there is no need to scan the internet for DVRs because there's now one place of access to all of them.

For those of you who are already done reading, here's a synopsis of the rest:

- I got a new FLIR/Lorex DVR in hopes of viewing it through the FLIR cloud without exposing it to the internet.
- The device I received was a Dahua-manufactured DVR.
- I found a flaw in the FLIR Cloud that allows anyone to build a tunnel to any port on any FLIR Cloud-connected DVR, so long as they have the device ID.
- These devices support a maximum of 6-character passwords.
- I found device IDs on the internet, picked one, tunneled into it, and was able to gain unauthorized access by exploiting a known Dahua issue.
- You should care because an attacker who has guessed or happened to view your device ID can build tunnels into your private network to attack weaknesses in your DVR's various interfaces.

I've owned 3 home CCTV systems, the most recent two both being DVRs manufactured by Dahua. I've always marveled at the features provided by these consumer-level DVRs at such a low price point. I've also been stunned as to how much of an afterthought security seems to be for a product that is, by its definition, a security appliance. I had to take my first Dahua system off the public internet because I found that Dahua's proprietary binary protocol did not perform authentication or authorization.