Passwords For Tens of Thousands of Dahua Devices Cached In IoT Search Engine (bleepingcomputer.com)
An anonymous reader writes: "Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine)," reports Bleeping Computer. A security researcher has recently discovered that instead of just indexing IoT devices, ZoomEye is also sending an exploitation package to devices and caching the results, which also include cleartext DDNS passwords that allow an attacker remote access to these devices. Searching for the devices is trivial and simple queries can unearth tens of thousands of vulnerable Dahua DVRs. According to the security researcher who spotted these devices, the trick has been used in the past year by the author of the BrickerBot IoT malware, the one who was on a crusade last year, bricking unsecured devices in an attempt to have them go offline instead of being added to IoT botnets.
Re: (Score:2)
People were always on his dick like a cult leader. Can't wait to see how his followers spin this. Oh and are these the dirt cheap DVRs like Harbor Freight sells?
Re: (Score:1)
You're not a millennial. You wouldn't understand.
The rest of us want Facebook integration with our door locks and bank deposit boxes.
Re:Chinese crap (Score:5, Interesting)
Dahua actually make pretty top-shelf gear. They also OEM for half the high-end video camera systems out there, so the "Made in USA" system you'll end up buying in place of your "Chinese crap" at five times the price could well be a Dahua under the hood. Or, more likely something far worse than Dahua.
In addition:
The vulnerability has been known since 2013 and has been since patched, but many Dahua device owners have failed to update their equipment, and even to this day have continued to deploy DVRs running the antiquated firmware online.
While technically correct, this is rather misleading. Dahua don't sell to or deal with end users, so the device owners have nothing to do with the problem; it'll either have been set up by a Dahua-approved vendor or be under a completely different name as an OEM, one who last updated their firmware in 2010.
Re: (Score:2)
They also OEM for half the high-end video camera systems out there, so the "Made in USA" system you'll end up buying in place of your "Chinese crap" at five times the price could well be a Dahua under the hood.
No wonder they do that, with a name that I keep reading as Dachau.
Or, more likely something far worse than Dahua.
What? Like making a holographic projector and branding it Holocast?
Re: (Score:2)
You mean one should buy Cisco instead with minimally more sophisticated backdoors?
But I admit, I do not have a good solution for most people. Personally, I use a Linux box as a router, and people with some technical skills may use something with pfSense, but ordinary users are pretty much screwed at this time.
Re: internet cameras and security? (Score:1)
But what if the deer wants some privacy? It's bad enough you're watching them. Must the whole world watch too? ;-)
IoT Security (Score:5, Funny)
Remember, the 'S' in IoT is for 'Security'.
Gotta brick 'em all (Score:2)
The more the better. Maybe at some point people will stop buying that crap and the whole thing is finally over.