IoT search engine ZoomEye cached passwords for tens of thousands of Dahua DVRs

IoT search engine ZoomEye helped achieve a ‘new low’ in the ‘ease of hacking IoT devices.’ Login credentials are cached, so update vulnerable Dahua DVR firmware before someone hacks the device.


When it comes to the internet of extremely insecure things, it’s not a good sign when a security researcher warns that “a new low has been achieved in the ease of hacking IoT devices.”

That ease of hacking to which Ankit Anubhav, principal researcher at NewSky Security, was referring is due to the IoT search engine ZoomEye caching the login passwords for tens of thousands of devices; more specifically, thousands of Dahua DVRs.

The actual vulnerability in Dahua DVRs, CVE-2013-6117, was discovered way back in 2013 by Depth Security researcher Jake Reynolds.

[Image: Google search suggestions for “dahua dvr vulnerability” (Google/IDG)]

As you can see by the suggested search results, plenty of people are aware of the 5-year-old flaw. Yet that doesn’t imply that people with Dahua DVRs updated the vulnerable firmware versions 2.608.0000.0 or 2.608.GV00.0 after a patch was made available.

What Anubhav discovered was that attackers need not connect to the vulnerable Dahua DVRs to obtain the credentials, since ZoomEye has scanned and stored those credentials for anyone to find.

BrickerBot is bricking vulnerable Dahua DVRs

In fact, Anubhav noted that the BrickerBot author has used the IoT search engine site to find and brick vulnerable Dahua DVRs. The BrickerBot botnet, as you likely recall, would brick unsecured IoT devices before they could be added to Mirai or other IoT botnets. The BrickerBot author, “Janitor,” claimed that even though the vulnerability was five years old, ZoomEye’s cache of credentials applied to 30,000 vulnerable Dahua DVR devices.


Furthermore, as is commonly the case, thousands upon thousands of devices are “secured” with shoddy passwords.

With just three search attempts on ZoomEye, Bleeping Computer’s Catalin Cimpanu found about 30,000 vulnerable Dahua devices: roughly “15,800 Dahua devices with a password of ‘admin’, over 14,000 with a password of ‘123456,’ and over 600 with a password of ‘password’.”


Although Anubhav had not heard back from the owner of ZoomEye after requesting that the results be scrubbed, Bleeping Computer was told by the owner that “‘blocking data in ZoomEye doesn't solve the problem’ and that he doesn’t plan on removing this data.”

Dahua DVR users should update their firmware

If you have a Dahua device and don’t have a clue what firmware it is running, Dahua Technology advised finding the model number on your device and entering it in the firmware search tool, or using the DVR firmware toolkit, which can be downloaded from the same page.

Otherwise, as Anubhav pointed out, you might as well say bye-bye to devices running ancient vulnerable firmware when there are sites such as ZoomEye caching credentials and making hacking IoT devices even easier.

Copyright © 2018 IDG Communications, Inc.
