It appears cybercriminals are once again targeting a popular manufacturer of the internet of things hardware. Dahua, the world’s second-largest IoT device manufacturer, had to issue an emerging software patch to address a security flaw found in most of its products. Anyone exploiting this vulnerability can gain remote control over a device by bypassing the login process altogether.
Dahua Exploit Now Available On The Internet
It is unclear if and how many Dahua IoT devices have been controlled by hackers due to this exploit so far. We do know someone has posted the code online to take advantage of this security flaw and remote control thousands of IoT devices in the process. With the source code up for grabs on the internet, it is only a matter of time until more people will try to take advantage of the situation.
Dahua has been made aware of this software flaw back on March 5th. A security researcher discovered he was able to bypass authentication for Dahua security cameras and DVRs. Since all of these devices are controllable through a local web server, bypassing the authentication protocol could have significant consequences. Rather than entering a username and password, it is possible to trick devices into displaying the username and a hashed value of the password.
Although it is positive to see IoT manufacturers hash a password, the encryption used is rather simple to crack, according to the researcher. To make matters worse, the researcher was able to pass the hash and its username back to the web server to gain access to the device. A major flaw that should not exist in the first place, yet Dahua somehow missed out on this potential issue during the initial software development and the later QA process.
Among the actions a hacker could take are controlling the device remotely, downloading the user database, and gaining full administrator access. Considering how a wide range of IoT devices was used in the recent Mirai botnet attack, vulnerabilities like these could have disastrous consequences for online services and platforms. If Dahua devices are infiltrated successfully, another major denial of service attack can be executed against any target one can think of. Thankfully, the emergency patch solves this problem, albeit the problem should have never existed in the first place.
Considering how simple it is to pull off this hack in the first place, there is plenty of reason to be concerned. Dahua is a well-respected company, yet leaving their devices exposed to such a major flaw will cause a PR nightmare. Dahua has identified a dozen of their product lines being vulnerable to this attack vector, although it is expected more models may suffer from some flaws. Users will need to manually upgrade their device firmware to resolve these issues, although it is unclear how many people will go through the necessary steps to do so.
This isn’t the first time a major Chinese IoT manufacturer has to deal with a significant security flaw either. Hikvision, another major player in the IoT manufacturing sector, has had to issue an emergency update last week. It is evident these types of devices will continue to pose significant security risks. Plenty of consumers and enterprises want to buy cheap IoT devices, yet few people take the necessary precautions to ensure their devices are protected in an optimal manner. Moreover, when manufacturers make bypassing the device authentication service a trivial matter, there is a lot of work to be done moving forward.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.