Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine).
Discovered by Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specializing in IoT security, these passwords belong to Dahua DVRs running very old firmware that is affected by a five-year-old vulnerability.
People are still running DVRs with ancient firmware
This vulnerability is CVE-2013-6117, discovered and detailed by Jake Reynolds, a security researcher with Depth Security.
According to the researcher’s blog post and to Anubhav, who explained the exploitation process to Bleeping Computer yesterday, an attacker can open a raw TCP connection to a Dahua DVR on port 37777 and send a special payload.
Once a Dahua device receives this payload, it responds with the DDNS credentials for accessing the device, along with other data, all in plaintext.
The vulnerability has been known since 2013 and has since been patched, but many Dahua device owners have failed to update their equipment, and even to this day continue to deploy DVRs running the antiquated firmware online.
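One way an operator can find DVRs on their own network that are reachable on TCP/37777 from the Internet, and so need patching or firewalling, is to scan firewall accept logs for that port. The script below is an added example, not from the article or from Dahua; the syslog-style log lines and the RFC1918 internal ranges are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables-style ACCEPT records).
# Illustrative only; not real telemetry from the article.
SAMPLE_LOGS = """\
Jul 18 10:01:02 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP DPT=37777
Jul 18 10:01:05 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.168.1.50 PROTO=TCP DPT=37777
Jul 18 10:02:00 fw kernel: ACCEPT IN=eth1 SRC=192.168.1.20 DST=192.168.1.50 PROTO=TCP DPT=37777
Jul 18 10:03:11 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.168.1.51 PROTO=TCP DPT=80
Jul 18 10:04:40 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.8 DST=192.168.1.52 PROTO=TCP DPT=37777
"""

DAHUA_PORT = 37777  # Dahua DVR management port named in the article
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")

# Assumed internal address space. An explicit RFC1918 check is used because
# ipaddress.is_private also treats the documentation ranges in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_dvrs(log_text):
    """Return {dst_host: sorted external source IPs} for hosts that accepted
    TCP/37777 from outside the internal ranges. Internal management traffic
    and other ports are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m["dpt"]) != DAHUA_PORT:
            continue
        if is_internal(m["src"]):
            continue
        hits[m["dst"]].add(m["src"])
    return {host: sorted(srcs) for host, srcs in hits.items()}


if __name__ == "__main__":
    for host, srcs in exposed_dvrs(SAMPLE_LOGS).items():
        print(f"{host}: TCP/{DAHUA_PORT} reached from {len(srcs)} external source(s): {', '.join(srcs)}")
```

Any host listed in the output is a candidate for a firmware update and for removing the port from Internet exposure.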
Dahua passwords indexed in ZoomEye
But while this sounds pretty bad, things are actually worse. Earlier this week, Anubhav discovered that the IoT search engine ZoomEye has been indexing these Dahua devices in a peculiar manner.
“The matter of fact is that a hacker doesn’t need to exploit this vulnerability because as ZoomEye scans port 37777, it passes these special bytes and caches the output in plaintext, so a hacker just needs to go to ZoomEye, create a free account, and scrape results to get the credentials,” Anubhav told Bleeping Computer in a private conversation.
Anubhav has attempted to get in contact with the ZoomEye team to have these cached passwords removed or blurred from results. A request from Bleeping Computer earlier today has also gone without a response.
The NewSky researcher says that he learned of the trick from a post published by the author of the BrickerBot IoT malware, the one who was on a crusade last year, bricking unsecured devices in an attempt to take them offline instead of letting them be added to IoT botnets.
Anubhav says he was told by the BrickerBot author that he used CVE-2013-6117 to hijack and brick Dahua DVRs in the past.
“Fresh devices keep on being added on ZoomEye, so even if Janitor [the BrickerBot author] bricked some in the past, this issue still persists as ZoomEye currently lists recently added devices,” Anubhav told us.
Tens of thousands of devices unearthed with just three searches
A quick search from Bleeping Computer has unearthed a worrisome number of vulnerable devices. For example, we found over 15,800 Dahua devices with a password of “admin”, over 14,000 with a password of “123456”, and over 600 with a password of “password”.
That’s around 30,000 Dahua devices running older firmware and ready for the taking, and we found them with just three queries.