Major move with a major risk for the Chinese manufacturers.
Most recently in the News is The US House of Representatives has passed H.R. 5515, a bill that includes a ban on the US government’s use of Dahua and Hikvision. This follows growing US awareness that Hikvision is owned and controlled by the Chinese government plus last year’s disclosure of Dahua’s backdoor, Hikvision’s backdoor and Dahua device’s global hacking attacks.
As far as these manufacturers and brands are specifically banned, in a good security design, steps should be taken to ensure another layer of security over network is created to take care of these backdoor flaws. The point is while some of them have good products and are available at a price point that most clients can afford.
In another report a major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by IPVM and confirmed by Dahua. Some of Dahua HDCVI and IP cameras and recorders are impacted, says Dahua, so far they are listing 11 models but the total will certainly be much higher as they continue to test and confirm. Current firmware Dahua products are vulnerable to this.
Firmware updates are available for over 11 models listed, more should come later this week. When they are, we urge you to immediately upgrade firmware. In an update: Dahua has not listed anymore models but they are hiding / delaying because there are surely far more devices impacted and they must know that (simply because many partners have independently verified many more models impacted). Do not check that list and assume you are safe simply because your device is not listed. Eventually, hopefully, Dahua will disclose all the devices impacted. Backdoors allows remote unauthorized admin access via the web and is therefore extremely severe. Dahua’s statement does not acknowledge this at all.
Dahua says this was an error (‘coding issue’) and was not done intentionally. While only Dahua can know their intentions, such an error in production for so long and so widely would be an extreme engineering failure.
Thanks and credit was recommended for the anonymous researcher Bashis who discovered this vulnerability. This is the 3rd one impacting video surveillance in the past year. He also discovered the Axis critical security vulnerability and QNAP critical security vulnerability. He has done it to improve his own skills, he says, but he has surely helped the industry overall by forcing major manufacturers to take cyber security seriously.
Dace IT is a Managed Service Provider of business intelligence and security solutions for industry. We offer cloud based application security, business analytic software (SaaS), cloud hosting, Intelligent Video Analytic solutions, Internet of Things (IoT), mobile infrastructure management & network security, surveillance cameras and integration services. Visit us online at https://dace-it.us