Positive Technologies, a global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection released an announcement about a critical vulnerability it discovered in firmware of Dahua IP cameras, which are widely used for video surveillance, offering a solution to all who are affected.

“The flaw discovered by Positive Technologies researchers affects hundreds of thousands of cameras all over the world produced by Dahua both under its own brand and as OEM models for other brands,” said Ilya Smith, security researcher at Positive Technologies. 

A vulnerability CVE-2017-3223 gained the highest CVSS base score of 10. This security flaw occurs due to buffer overflow in the Sonia Web interface designed for remote control of the IP camera. An unauthorized user may submit a crafted POST request to the vulnerable Web interface and gain privileged access remotely, which means unlimited control over the IP camera. 

“This vulnerability allows any actions with the camera via software: intercept and modify video traffic, add a device into a botnet to conduct a DDoS attack like Mirai, and much more,” Smith said. “Dahua is the second largest manufacturer of IP cameras and DVRs in the world, but the discovered vulnerability can be easily exploited, which once again demonstrates the actual IoT security level.”

Smith added, “Many of the organizations affected by this likely don’t know that their surveillance cameras are vulnerable to attack,” Smith said, “which is why Positive Technologies made this announcement — to raise awareness of the issue.” 

Users and organizations will first need to check if their devices are vulnerable, then update each vulnerable device’s firmware at www1.dahuasecurity.com/firmware_161.html. Further information about the vulnerability is also available on the CERT website of Carnegie Mellon University [http://www.kb.cert.org/vuls/id/547255].

“This vulnerability allows any actions with the camera via software: intercept and modify video traffic, add a device into a botnet to conduct a DDoS attack like Mirai, and much more,” Smith described. “Dahua is the second largest manufacturer of IP cameras and DVRs in the world, but the discovered vulnerability can be easily exploited, which once again demonstrates the actual IoT security level.”

According to the research by Positive Technologies, malicious users can get access to over 3.5 million IP cameras all over the world. Moreover, about 90 percent of all DVR systems currently used by small and medium-sized businesses for video surveillance contain certain vulnerabilities and thus can be hacked.

This is not the first partnership between the two companies. In 2013, Positive Technologies helped identify and fix multiple vulnerabilities in Dahua DVR.

As part of a response to this issue, Dahua Technology USA announced a comprehensive set of cyber security initiatives that have been underway for most of 2017. 

“We cannot stress the importance and need for industry professionals to employ cyber security best practices, especially with the previous vulnerability issues Dahua faced back in March,” said Janet Fenner, head of marketing for Dahua North America. “Dahua issued a firmware patch that fixed this specific problem in March 2017 and alerted customers to install new firmware patches.”

Moving forward, Dahua reported in a press release, the company will be implementing new cyber security initiatives incorporated into its products on a global basis including a wide range of activities designed to improve the security of video surveillance products themselves, as well as to improve the security of broader processes, including installation, deployment, and ongoing management. For example, one initiative focuses on authentication for administrative access. As a result, default accounts are no longer included in new devices, with changes implemented in the installation, admin access, and ongoing management processes. Other initiatives resulted in similar broad impacts, including better management of identities, session security, data security, and more.

For current and recent products, many benefits of these initiatives are available in the form of firmware and/or software updates, which will be distributed using software update processes to ensure the enhancements are implemented smoothly. The updated cyber security features were designed and validated in partnership with independent experts including DBAPP Security and Synopsys Technology to ensure the highest security and quality, Dahua reported.