Nozomi probes deeper into security vulnerability that hackers can exploit to compromise Dahua IP cameras

Industrial cybersecurity firm Nozomi Networks disclosed details of a new vulnerability affecting the implementation of the Open Network Video Interface Forum (ONVIF) ‘WS-UsernameToken’ authentication mechanism in some IP cameras developed by Dahua. Attackers can potentially exploit the security loophole to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the captured credentials in a new request to the camera.

Apart from the authentication bypass by capture-replay, the Cybersecurity and Infrastructure Security Agency (CISA) announced last month the presence of other security vulnerabilities across the Dahua IP cameras. These include unrestricted upload of files of dangerous types and the generation of error messages containing sensitive information.

Headquartered in Hangzhou, China, Dahua is a manufacturer of IP-based surveillance solutions.

“During one of our research projects, we purchased an IPC-HDBW2231E-S-S2, which is a dome network camera manufactured by Dahua,” according to a blog post by Nozomi Networks Labs. “While investigating ways to extract device fingerprinting information, we sent the following non-state changing GetScope ONVIF request from the authenticated demo_admin administrator account. It returns the public scope parameters of the device used in the discovery phase to match a probe message.”

When trying to send this exact request a second time, the device accepted the request and replied again with the same response, Nozomi said. “This is a reasonably safe behavior, given the non-sensitive nature of the information required.”

However, Nozomi investigated this condition further to check whether it applied only to minor requests. “So, we tried forging a CreateUsers request that surreptitiously adds an attacker-controlled administrator. We used the same authentication data as the previous request, from a different IP address, and approximately 30 hours after the transmission of the GetScopes request.”

Subsequently, the device accepted the request and created the attacker-controlled administrator, Nozomi said. “We were then able to use this newly created account to access the device with full privileges, to include watching live footage from the camera.” 

“To mount this attack, an adversary must be able to sniff one unencrypted ONVIF request authenticated with the WS-UsernameToken schema,” Nozomi said. Unfortunately, this is not uncommon, as the WS-UsernameToken is still used by default by many popular ONVIF clients, such as ONVIF Device Manager or DSE VMS. Furthermore, the IPC-HDBW2231E-S-S2 (like other Dahua devices) does not expose an HTTPS service, and all ONVIF interactions occur through unencrypted HTTP. “We are hoping that in the real world, asset owners are not using the default WS credentials and are using HTTPS for secure connections in order to prevent such an attack from occurring,” the post added.

Besides other authentication mechanisms, the ONVIF specification still accepts WS-UsernameToken, which is described in the OASIS specification document, Nozomi said. WS-UsernameToken relies on the transmission of the following data to authenticate a request: a Username (the name of a registered user); a Nonce (a random, unique number generated by the client); a Created timestamp (the UTC time at which the request is made); and the Password of that user.

According to the ONVIF standard, to thwart replay attacks, web service producers are recommended to reject any UsernameToken that does not carry both a nonce and a creation timestamp. They should also enforce a timestamp ‘freshness’ limit and reject any UsernameToken whose timestamp is ‘stale’. As a guideline, a value of five minutes can be used as a minimum to detect and thus reject replays. Additionally, it is recommended that used nonces be cached for a while, at least as long as the timestamp freshness limit above, and that any UsernameToken whose nonce has already been used (and is thus in the cache) be rejected.
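The following is an added example, not code from Nozomi, Dahua or the ONVIF project, showing what the server-side guidance above looks like in practice: a verifier that enforces the five-minute freshness window and a nonce cache, so that a token captured from one request is rejected both when replayed immediately and when replayed 30 hours later. It assumes the PasswordDigest form of the WS-Security UsernameToken profile (Base64 of SHA-1 over nonce, Created and password); the user name, password and timestamps are constructed sample values.

```python
# Added example, not code from Nozomi or Dahua: server-side check of a
# WS-UsernameToken with a timestamp freshness window and a nonce cache.
# Assumes the PasswordDigest form of the WS-Security UsernameToken profile:
# Base64(SHA-1(nonce_bytes + created + password)); users/passwords are constructed.
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)  # ONVIF guideline minimum
FMT = "%Y-%m-%dT%H:%M:%SZ"

def make_token(username, password, now):
    """Client side: build the UsernameToken fields for one request."""
    nonce, created = os.urandom(16), now.strftime(FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": base64.b64encode(digest).decode()}

class TokenVerifier:
    def __init__(self, users):
        self.users = users  # username -> password
        self.seen = {}      # nonce -> Created time; the nonce cache

    def verify(self, token, now):
        pw = self.users.get(token["Username"])
        if pw is None:
            return "unknown user"
        try:
            created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "bad timestamp"
        if abs(now - created) > FRESHNESS:
            return "stale timestamp"  # catches the 30-hour-later replay
        # Drop cached nonces older than the window; anything still cached is a replay.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS}
        if token["Nonce"] in self.seen:
            return "replayed nonce"  # catches an immediate replay
        nonce = base64.b64decode(token["Nonce"])
        expected = base64.b64encode(hashlib.sha1(nonce + token["Created"].encode() + pw.encode()).digest()).decode()
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad digest"
        self.seen[token["Nonce"]] = created
        return "ok"

def demo():
    users = {"demo_admin": "constructed-password"}
    v, t0 = TokenVerifier(users), datetime(2022, 8, 1, 12, 0, tzinfo=timezone.utc)
    tok = make_token("demo_admin", users["demo_admin"], t0)
    return (v.verify(tok, t0), v.verify(tok, t0 + timedelta(seconds=10)),
            v.verify(tok, t0 + timedelta(hours=30)))
```

The first call is accepted, the second is caught by the nonce cache and the third by the freshness window; a device that skips both checks, as described above, accepts all three.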

ONVIF is an open industry forum for the interoperability of IP-based physical security products. ONVIF-conformant products can be accessed by vendor-agnostic software via standardized Application Programming Interfaces (APIs). The APIs allow a user to perform various actions on the remote device, such as watching camera footage, locking or unlocking a smart door, and performing maintenance operations. Under the hood, ONVIF requests are mostly transmitted as XML SOAP messages over HTTP.

Surveillance cameras are used across critical infrastructure sectors such as oil and gas, power grids, and telecommunications, in addition to building security. The cameras are used to oversee many production processes, providing remote visibility to process engineers. Threat actors, nation-state threat groups, in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company. The information could aid in reconnaissance conducted before launching a cyberattack. With more knowledge of the target environment, hackers could craft custom attacks that can physically disrupt production processes in critical infrastructure.

Upon notification from Nozomi Networks Labs, China-based Dahua released a patch to solve the vulnerability. Users must update vulnerable devices to the latest available firmware version. As for defense-in-depth approaches, Nozomi advises reducing the exposure of devices on the public internet to the bare minimum and always accessing them through secure protocols such as HTTPS, which would have impeded any exploitation of the issue.

Last June, the CISA announced the presence of a security vulnerability in ThroughTek P2P (Peer-to-Peer) SDK that allows cleartext transmission of sensitive information, such as camera audio/video feeds. Nozomi had reported the vulnerability to CISA, which affects a software component, part of the supply chain for many OEMs (original equipment manufacturers) of consumer-grade security cameras and IoT devices.

Nozomi also discovered in April a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, exposing millions of IoT devices deployed across numerous operating environments. The sample has been named ‘Lillin scanner’ after the name the developers used for it in the source code.
