Passwords for Tens of Thousands of Dahua Devices Cached in IoT Search Engine

Quote: Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine).

Discovered by Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security, these passwords are for Dahua DVRs running very old firmware that is vulnerable to a five-year-old vulnerability.

People are still running DVRs with ancient firmware
This vulnerability is CVE-2013-6117, discovered and detailed by Jake Reynolds, a security researcher with Depth Security.

According to the researcher's blog post and to Anubhav, who explained the exploitation process to Bleeping Computer yesterday, an attacker can initiate a raw TCP connection on a Dahua DVR on port 37777 to send a special payload.

Once a Dahua device receives this payload, it responds with DDNS credentials for accessing the device, and other data, all in plaintext.

The vulnerability has been known since 2013 and has been since patched, but many Dahua device owners have failed to update their equipment, and even to this day have continued to deploy DVRs running the antiquated firmware online.

Dahua passwords indexed in ZoomEye
But while this sounds pretty bad, things are actually worse. Earlier this week, Anubhav discovered that IoT search engine ZoomEye has been indexing these Dahua devices in a peculiar manner.

"The matter of fact is that a hacker doesn't need to exploit this vulnerability because as ZoomEye scans port 37777, it passes these special bytes and cache the output in plaintext, so a hacker just needs to go to ZoomEye, create a free account, and scrap results to get the credentials," Anubhav told Bleeping Computer in a private conversation.

Contacted by Bleeping Computer, the owner of the search engine said "blocking data in ZoomEye doesn't solve the problem," and that he doesn't plan on removing this data.

The NewSky researcher says that he learned of the trick from a post published by the author of the BrickerBot IoT malware, the one who was on a crusade last year, bricking unsecured devices in an attempt to have them go offline instead of being added to IoT botnets.

Anubhav says he was told by the BrickerBot author that he used CVE-2013-6117 to hijack and brick Dahua DVRs in the past.

"Fresh devices keep on being added on ZoomEye, so even if Janitor [the BrickerBot author] bricked some in past, this issue still persists as ZoomEye currently lists recently added devices," Anubhav told us.

Tens of thousands of devices unearthed with just three searches
A quick search from Bleeping Computer has unearthed a worrisome number of vulnerable devices. For example, we found nearly over 15,800 Dahua devices with a password of "admin", over 14,000 with a password of "123456," and over 600 with a password of "password".
