Congress Bans Chinese Dahua Cameras with ReFirm-Discovered Vulnerabilities

by | May 31, 2018

The U.S. House of Representatives has passed a defense policy bill prohibiting the government from purchasing Chinese-made surveillance cameras. Although the Senate still needs to approve the legislation (at least as of May 2018), this is certainly a major step forward in national cybersecurity efforts. This congressional effort has flown largely under the public’s radar, but it’s vitally important. Here’s why:

In 2017, we ran a firmware analysis on the Dahua IPC-HDW4300S security camera. What we found, and subsequently published in our November 2017 firmware vulnerability report, was significant. The camera’s firmware (and ultimately, we discovered, the firmware of many Dahua camera models) contained code to allow for remote updates, which is not a problem in and of itself since authentication is required. The glaring problem here, though,  was that a username and password were coded directly into the firmware that would always tell the camera that a successful authentication had been performed.

Even more glaringly, the username and password were unencrypted, meaning that virtually anyone — ReFirm, LeBron James, hackers, whomever — could tell the firmware that they were authorized to update it. And once authorized to update, of course, any number of malicious exploits could be introduced into the firmware.

As proof of concept, we were then able execute this exploit ourselves, putting our own firmware onto our test camera. This kind of firmware exploit allows for the obvious breaches: Hackers and cyber-espionage units could see everything the camera sees, and even alter the images, for example. But it also allows for less obvious breaches, because once a device on a network is compromised, the whole network is potentially compromised.

That’s a huge issue. We don’t like to be alarmist, but Chinese hardware in U.S. government networks represents a clear and present national security risk — and we’re glad that Congress is moving on this issue.

The ReFirm November 2017 Firmware Vulnerabilities report contains more detail on the Dahua vulnerabilities, as well as firmware vulnerabilities in TRENDnet and Belkin devices. It’s available for free on our Resources page:

Other News
ITPro TV Interviews ReFirm Labs Founder at RSA Conference

ITPro TV Interviews ReFirm Labs Founder at RSA Conference

Daniel: All right welcome back to IT Pro TV. I'm your host Daniel our we're here back at RSA 2018 here in San Francisco. I'm here with Terry Dunlap from ReFirm Labs. Terry, can do us a favor tell us a little about yourself in your company? Terry: Sure. I started...

Spying Eyes: Chinese-made Security Cameras a Clear and Present Danger

Spying Eyes: Chinese-made Security Cameras a Clear and Present Danger

6 Min video We are rapidly becoming a surveillance state. That’s not all bad. The threat of terrorism has created a dangerous world and surveillance can help with our security. But do we need to watch the eyes watching us? The answer may be yes. Believe it or not, we...

ReFirm Labs & FOX 5 News DC Hack Camera to Steal a Car

ReFirm Labs & FOX 5 News DC Hack Camera to Steal a Car

2:28 Min video New research from a Maryland technology company has uncovered security flaws in home security cameras that could allow hackers to watch you or even manipulate the cameras to steal from you. FOX 5 linked up with those researchers from ReFirm Labs in...