IoT search engine ZoomEye helped achieve a ‘new low’ in the ‘ease of hacking IoT devices.’ Login credentials are cached, so update vulnerable Dahua DVR firmware before someone hacks the device.

When it comes to the internet of extremely insecure things, it’s not a good sign when a security researcher warns that “a new low has been achieved in the ease of hacking IoT devices.”

That ease of hacking to which Ankit Anubhav, principal researcher at NewSky Security, was referring is due to the IoT search engine ZoomEye caching the login passwords for tens of thousands of devices; more specifically, thousands of Dahua DVRs.

The actual vulnerability in Dahua DVRs, CVE-2013-6117, was discovered way back in 2013 by Depth Security researcher Jake Reynolds.

As you can see by the suggested search results, plenty of people are aware of the 5-year-old flaw. Yet that doesn’t imply that people with Dahua DVRs updated the vulnerable firmware versions 2.608.0000.0 or 2.608.GV00.0 after a patch was made available. What Anubhav discovered was that attackers need not connect to the vulnerable Dahua DVRs to obtain the credentials, since ZoomEye has scanned and stored those credentials for anyone to find.

So CVE-2013-6117 = just connect to port 37777 to get the creds which is stored in plaintext. But the attackers do not even need to write code to connect to the port as they can login to public scanner like ZoomEye which store the output of requests in their website and dump it. pic.twitter.com/M2MyYJ16D9
— Ankit Anubhav (@ankit_anubhav) July 12, 2018

BrickerBot is bricking vulnerable Dahua DVRs

In fact, Anubhav noted that the BrickerBot author has used the IoT search engine site to find and brick vulnerable Dahua DVRs. The BrickerBot botnet, as you likely recall, would brick unsecured IoT devices before they could be added to Mirai or other IoT botnets.
The BrickerBot author, “Janitor,” claimed that even though the vulnerability was five years old, ZoomEye’s cache of credentials applied to 30,000 vulnerable Dahua DVR devices.

The sheer amount of devices having their credentials stored in a scanning site is just amazing. And this is already abused by BrickerBot author, as he mentioned in his messages to the public that 30,000 devices have this issue.
— Ankit Anubhav (@ankit_anubhav) July 12, 2018

Anubhav added:

Just to make things clear to weaponize the exploit, one needs to connect to port 37777 on raw TCP + send the following message to get the ddns creds “xa3x00x00x00x00x00x00x00x63x6fx6ex66x69x67x00x00x8cx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00” https://t.co/Z6I4uVp9sK
— Ankit Anubhav (@ankit_anubhav) July 13, 2018

Furthermore, as is commonly the case, thousands upon thousands of devices are “secured” with shoddy passwords.

And of course, people here too have not failed to put extremely generic passwords. https://t.co/usZ46tftMT 270 devices have password as “admin123” lol. Brickerbot is known to brick the devices he pwns, so it does not look like a happy ending for these devices. @GDI_FDN
— Ankit Anubhav (@ankit_anubhav) July 12, 2018

With just three search attempts on ZoomEye, Bleeping Computer’s Catalin Cimpanu found about 30,000 vulnerable Dahua devices: roughly “15,800 Dahua devices with a password of ‘admin’, over 14,000 with a password of ‘123456,’ and over 600 with a password of ‘password’.”

Anubhav tweeted:

Wow and how did I miss this. 13900+ of these devices have their password as “123456” Check here https://t.co/1fSJX4KcWG #iot #security #fail This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices. https://t.co/OAzmy7GnY8
— Ankit Anubhav (@ankit_anubhav) July 13, 2018

Although Anubhav had not heard back from the owner of ZoomEye after requesting that the results be scrubbed, Bleeping Computer was told by the owner that “blocking data in ZoomEye doesn’t solve the problem” and that he doesn’t plan on removing this data.

Dahua DVR users should update their firmware

If you have a Dahua device and don’t have a clue what firmware it is running, Dahua Technology advised finding the model number on your device and entering it in the firmware search tool or using the DVR firmware toolkit which can be downloaded from the same page. Otherwise, as Anubhav pointed out, you might as well say bye-bye to devices running ancient vulnerable firmware when there are sites such as ZoomEye caching credentials and making hacking IoT devices even easier.
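A defender-side check to go with the firmware advice, as an added example (not from the article, Dahua or NewSky Security): it reads `iptables-save` NAT rules and lists every TCP port forward that makes port 37777 reachable, including forwards that use a different external port. It assumes the DVR sits behind a Linux gateway using iptables DNAT with IPv4 targets; the sample rules, addresses and function names are constructed for illustration.

```python
import shlex

DAHUA_PORT = 37777  # TCP port the article names for CVE-2013-6117

# Constructed `iptables-save` NAT excerpt; interface and addresses are made up.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 37777 -j DNAT --to-destination 192.168.1.108:37777
-A PREROUTING -i eth0 -p tcp -m tcp --dport 37000:38000 -j DNAT --to-destination 192.168.1.109
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,554,37777 -j DNAT --to-destination 192.168.1.110
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 37777 -j DNAT --to-destination 192.168.1.111:37777
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.1.112:37777
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.113:443
-A PREROUTING -i eth0 -p udp -m udp --dport 37777 -j DNAT --to-destination 192.168.1.114
COMMIT
"""

def port_in_spec(spec, port):
    """True if an iptables port spec ('80', '1:1024', '80,554,37777') covers port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False

def exposed_forwards(rules_text, port=DAHUA_PORT):
    """Return (internal_host, external_ports, allowed_source) per TCP DNAT rule reaching port."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "DNAT" or opts.get("-p") != "tcp":
            continue
        host, _, target_port = opts.get("--to-destination", "").partition(":")
        external = opts.get("--dport") or opts.get("--dports") or "0:65535"
        # With no port in --to-destination the matched port is kept, so the
        # external spec decides; otherwise the rewritten target port decides.
        reaches = target_port == str(port) if target_port else port_in_spec(external, port)
        if reaches:
            findings.append((host, external, opts.get("-s", "any")))
    return findings

if __name__ == "__main__":
    for host, external, source in exposed_forwards(SAMPLE_RULES):
        level = "HIGH" if source == "any" else "review"
        print(f"{level}: tcp/{external} -> {host} (source: {source})")
```

Rules reported with source `any` are reachable from the whole internet and are the ones to remove or restrict first; negated matches (`! -s`) and port ranges inside `--to-destination` are not interpreted by this sketch.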