Second Largest IoT Manufacturer Leaves Devices Open To Hacking

It appears cybercriminals are once again targeting a popular manufacturer of Internet of Things hardware. Dahua, the world’s second-largest IoT device manufacturer, had to issue an emergency software patch to address a security flaw found in most of its products. Anyone exploiting this vulnerability can gain remote control over a device by bypassing the login process altogether.

Dahua Exploit Now Available On The Internet

It is unclear whether, and how many, Dahua IoT devices have been controlled by hackers due to this exploit so far. We do know someone has posted the code online to take advantage of this security flaw and remotely control thousands of IoT devices in the process. With the source code up for grabs on the internet, it is only a matter of time until more people try to take advantage of the situation.

Dahua was made aware of this software flaw on March 5th. A security researcher discovered he was able to bypass authentication for Dahua security cameras and DVRs. Since all of these devices are controllable through a local web server, bypassing the authentication protocol could have significant consequences. Rather than entering a username and password, it is possible to trick devices into displaying the username and a hashed value of the password.

Although it is positive to see IoT manufacturers hash a password, the hash used is rather simple to crack, according to the researcher. To make matters worse, the researcher was able to pass the hash and its username back to the web server to gain access to the device. This is a major flaw that should not exist in the first place, yet Dahua somehow missed this potential issue during the initial software development and the later QA process.
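The design problem behind the second half of that finding, shown as an added example that is not Dahua's firmware or code from the researcher: when a login endpoint compares a client-supplied hash against the stored hash, the stored value is itself the credential, whereas a server that derives the verifier from the submitted secret rejects a leaked record. All names, the sample credentials and the choice of SHA-256 and PBKDF2 are assumptions made for this toy model; the page does not name the algorithms involved.

```python
import hashlib
import hmac
import os

# Constructed sample account for a toy in-memory model (not a real device).
USER, PASSWORD = "admin", "correct horse battery"

def weak_record(password: str) -> str:
    # Unsalted fast hash: a stand-in for the easily cracked hash the page describes.
    return hashlib.sha256(password.encode()).hexdigest()

def weak_login(db: dict, user: str, client_hash: str) -> bool:
    # Flawed design: the client submits the hash and the server only compares it,
    # so anyone holding the stored hash can log in without knowing the password.
    return hmac.compare_digest(db.get(user, ""), client_hash)

def strong_record(password: str) -> tuple:
    # Per-user random salt plus a slow KDF; only (salt, verifier) is stored.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def strong_login(db: dict, user: str, secret: str) -> bool:
    # The server derives the verifier itself from whatever the client sends.
    if user not in db:
        return False
    salt, stored = db[user]
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    return hmac.compare_digest(stored, derived)

def replay_leaked_record() -> dict:
    # Model a disclosure of the stored records, then submit them as credentials.
    weak_db = {USER: weak_record(PASSWORD)}
    strong_db = {USER: strong_record(PASSWORD)}
    leaked_weak = weak_db[USER]
    leaked_strong = strong_db[USER][1].hex()
    return {
        "weak_accepts_leaked_hash": weak_login(weak_db, USER, leaked_weak),
        "strong_accepts_leaked_hash": strong_login(strong_db, USER, leaked_strong),
        "strong_accepts_password": strong_login(strong_db, USER, PASSWORD),
    }

if __name__ == "__main__":
    print(replay_leaked_record())
```

The hardened form only limits what a disclosed record is worth; the unauthenticated disclosure of the user records is a separate defect that the firmware update has to close.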

Among the actions a hacker could take are controlling the device remotely, downloading the user database, and gaining full administrator access. Considering how a wide range of IoT devices was used in the recent Mirai botnet attack, vulnerabilities like these could have disastrous consequences for online services and platforms. If Dahua devices are infiltrated successfully, another major denial of service attack can be executed against any target one can think of. Thankfully, the emergency patch solves this problem, albeit the problem should have never existed in the first place.

Considering how simple it is to pull off this hack in the first place, there is plenty of reason to be concerned. Dahua is a well-respected company, yet leaving its devices exposed to such a major flaw will cause a PR nightmare. Dahua has identified a dozen of its product lines as vulnerable to this attack vector, although it is expected more models may suffer from some flaws. Users will need to manually upgrade their device firmware to resolve these issues, although it is unclear how many people will go through the necessary steps to do so.

This isn’t the first time a major Chinese IoT manufacturer has had to deal with a significant security flaw either. Hikvision, another major player in the IoT manufacturing sector, had to issue an emergency update last week. It is evident these types of devices will continue to pose significant security risks. Plenty of consumers and enterprises want to buy cheap IoT devices, yet few people take the necessary precautions to ensure their devices are protected in an optimal manner. Moreover, when manufacturers make bypassing the device authentication service a trivial matter, there is a lot of work to be done moving forward.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.
