Passwords of thousands of Dahua DVRs running old firmware indexed in IoT search engine

Security researchers discovered tens of thousands of passwords of vulnerable Dahua DVRs are indexed in search results churned out by IoT search engine ZoomEye. According to Ankit Anubhav, principal researcher at NewSky Security, the login credentials belong to Dahua devices that run very old firmware and contain a serious vulnerability - CVE-2013-6117 - that dates back to 2013.

Modus Operandi

Attackers exploiting this 5-year-old vulnerability can initiate a raw connection on the targeted connected device to TCP port 37777 to send a payload. After receiving the payload, it actually returns DDNS credentials to access the advice along with a slew of other information in plain text. An remote hacker can easily leverage this vulnerability to bypass authentication, gather sensitive data such as user credentials and use it to change passwords, clear log files and perform other malicious actions.

Although the flaw has since been patched, users who have failed to update their Dahua devices are still vulnerable to attack.

Searchable credentials

Adding insult to injury, researchers have found that IoT search engine ZoomEye actually caches these passwords in the search results it returns. This essentially removes the need for hackers to exploit this vulnerability in order to retrieve the device credentials altogether.

"The matter of fact is that a hacker doesn't need to exploit this vulnerability because as ZoomEye scans port 37777, it passes these special bytes and cache the output in plaintext, so a hacker just needs to go to ZoomEye, create a free account, and scrap results to get the credentials," Anubhav told Bleeping Computer.

Anubhav said he has reached out to ZoomEye to have these passwords removed or blurred. However, the team has yet to respond.

Exploited by BrickerBot

He also noted that the exposed credentials are already being abused by the author of BrickerBot, the destructive botnet that permanently bricks poorly secured IoT devices rather than ensnare them into IoT botnets. The BrickerBot author, also known as The Doctor and The Janitor, said he has previously exploited CVE-2013-6117 to hijack vulnerable Dahua DVRs in the past and render them inoperable. He also noted about 30,000 devices are currently susceptible to this attack.

"Earlier I took [Janitor's] claim lightly as the exploit is about 5 years old, but no seeing credentials raining at ZoomEye... I kind of believe him," Anubhav tweeted. "And of course, people here too have not failed to put extremely generic passwords. 270 devices have password as 'admin123' lol.

"BrickerBot is known to brick the devices he pwns, so it does not look like a happy ending for these devices."