Independent researchers have uncovered a major vulnerability in many Dahua products that allows remote unauthorised admin access via the web. The researchers say that a number of Dahua HDCVI and IP cameras and recorders are affected. Cesare Garlati, Chief Security Strategist at the prpl Foundation, comments below.

Cesare Garlati, Chief Security Strategist at the prpl Foundation:

“We need to change the mindset of industry and government to realise that there is no such thing as a ‘secure backdoor’. Hackers have already used backdoors to illegally access networks (as seen in the Deutsche Telekom attack last year) and they will continue doing it until we learn that it is not possible to have a backdoor and still be completely secure. In the case of Deutsche Telekom they were able to issue a patch, but companies need to be more proactive rather than reactive. If we don’t take steps now to improve security within devices at the development level, the results could be catastrophic, especially when used to capture data and images like with a surveillance camera. At best, people’s privacy and civil liberties will be affected and at worst, poor security controls will mean cybercriminals will have access to a whole host of information they can use for surveillance or other nefarious purposes. By using open source, forging a root of trust in hardware and security by separation using hardware virtualization, manufacturers of IoT devices will be able to ensure they are secure and stop devices like the Chinese surveillance cameras being hacked. Interoperable, open standards are the key requirement for developers in order to improve IoT security even in the smallest of connected devices, and are outlined in prpl’s Security Guidance for Critical Areas of Embedded Computing document.”

Information Security Buzz