The U.S. House of Representatives has passed a defense policy bill prohibiting the government from purchasing Chinese-made surveillance cameras. Although the Senate still needs to approve the legislation (at least as of May 2018), this is certainly a major step forward in national cybersecurity efforts. This congressional effort has flown largely under the public's radar, but it's vitally important. Here's why:
In 2017, we ran a firmware analysis on the Dahua IPC-HDW4300S security camera. What we found, and subsequently published in our November 2017 firmware vulnerability report, was significant. The camera's firmware (and ultimately, we discovered, the firmware of many Dahua camera models) contained code to allow for remote updates, which is not a problem in and of itself since authentication is required. The glaring problem, though, was that a username and password were hard-coded directly into the firmware, and presenting them would always tell the camera that a successful authentication had been performed.
Even more glaringly, the username and password were unencrypted, meaning that virtually anyone -- ReFirm, LeBron James, hackers, whomever -- could tell the firmware that they were authorized to update it. And once authorized to update, of course, any number of malicious exploits could be introduced into the firmware.
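The failure mode described above is a plaintext credential pair sitting inside the firmware image, which means a defender can often find it with nothing more than a string scan before the device is ever deployed. The script below is an added example written for this article, not ReFirm's code and not the Centrifuge scanner: it walks a constructed firmware blob (assumed here, not a real Dahua image; the `update_user` and `update_passwd` strings are fabricated) with a `strings`-style extractor, flags any `key=value` string whose key names a credential, and reports offsets with the value masked so the finding can be shared without leaking the secret.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample firmware image for this example (NOT a real Dahua image):
# an ELF-like header, binary filler, and a few printable strings, two of which
# are a fabricated hard-coded credential pair of the kind the post describes
# for the remote-update path.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"/usr/bin/update_daemon\x00"
    + b"version=1.0.0-EXAMPLE\x00"                  # key=value, but not a credential
    + b"\x90\x90\xcc\x00\x01\x02"                   # non-printable filler
    + b"update_user=svc_update\x00"                 # constructed username
    + b"update_passwd=Example-Static-Pass-123\x00"  # constructed plaintext password
    + b"Authentication successful\x00"
    + b"\xff" * 32
)

# Runs of at least four printable ASCII bytes, the same heuristic `strings` uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

# A key=value or key:value string whose key names a credential.
CRED_RE = re.compile(
    r"^(?P<key>[A-Za-z_]*(?:user|login|pass|pwd|secret|token)[A-Za-z_]*)"
    r"\s*[=:]\s*(?P<value>\S+)$",
    re.IGNORECASE,
)


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable ASCII run in the image."""
    return [(m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(blob)]


def find_hardcoded_credentials(blob: bytes) -> List[Dict[str, object]]:
    """Flag plaintext key=value strings whose key names a credential.

    Only unobfuscated strings are found. A credential stored inside a
    compressed or encoded file system needs the image unpacked first, so run
    this over the extracted root file system as well as the raw image.
    """
    hits = []
    for offset, text in extract_strings(blob):
        m = CRED_RE.match(text)
        if m:
            hits.append({"offset": offset, "key": m.group("key"), "value": m.group("value")})
    return hits


def report(hits: List[Dict[str, object]]) -> str:
    """Human-readable finding list; the secret itself is masked, not echoed."""
    lines = [f"{len(hits)} candidate hard-coded credential(s) found"]
    for h in hits:
        masked = "*" * len(str(h["value"]))
        lines.append(f"  offset 0x{h['offset']:06x}: {h['key']} = {masked}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_hardcoded_credentials(SAMPLE_FIRMWARE)))
```

A hit from this scan is a triage lead, not a verdict: the value may be a default that the first-boot flow forces the user to change, or a test fixture that never ships. What turns it into the kind of finding described in the post is confirming that the update path accepts the string unconditionally, which is a separate step of vetting the authentication code itself.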
As proof of concept, we were then able to execute this exploit ourselves, putting our own firmware onto our test camera. This kind of firmware exploit allows for the obvious breaches: hackers and cyber-espionage units could see everything the camera sees, and even alter the images, for example. But it also allows for less obvious breaches, because once a device on a network is compromised, the whole network is potentially compromised.
That's a huge issue. We don't like to be alarmist, but Chinese hardware in U.S. government networks represents a clear and present national security risk -- and we're glad that Congress is moving on this issue.
The ReFirm November 2017 Firmware Vulnerabilities report contains more detail on the Dahua vulnerabilities, as well as firmware vulnerabilities in TRENDnet and Belkin devices. It's available for free:
We discover specific cybersecurity vulnerabilities by first scanning device firmware with Centrifuge, our automated platform for scanning and vetting the firmware images of your IoT and other connected devices. If you're curious how Centrifuge can get you started on the road to mitigating the risks of connected devices, you can request a Centrifuge platform demo right here: