Despite more awareness of the risks associated with Chinese surveillance equipment, the news this week that cameras from the world’s second-largest manufacturer of such devices can be used to secretly listen in to users still comes as a shock. Put simply, the newly disclosed backdoor vulnerability means that millions of cameras have been carrying the potential to be used as eavesdropping devices—even when the audio on the camera is disabled.
“Essentially,” warned Jacob Baines, the researcher who first disclosed the vulnerability with cameras used by both consumers and enterprises, “if this thing is connected directly to the internet, it’s anyone’s listening device.”
The issue impacts Dahua Technology, the second-largest CCTV manufacturer in the world, which—alongside its larger Hangzhou stablemate Hikvision—sells video cameras under its own brand and through a wide range of OEMs. These are cameras deployed widely in the U.S. and Europe. Last year, both those multi-billion-dollar companies were prohibited from U.S. government contracts and applications deemed to have national security restrictions.
Baines initially shared this latest issue with Dahua OEM Armcrest two months ago, reporting that he could “remotely listen” to a tested camera “over HTTP without authentication.” The vulnerability can be seen in action in a video shared by Baines on YouTube. “Pulling apart the firmware for this device,” he pointed out, “it’s clear that it’s a rebranded Dahua camera.”
Now, video surveillance researchers at IPVM have gone further, reporting that this “huge vulnerability” impacts Dahua cameras and firmware more widely. The backdoor “wiretapping vulnerability,” IPVM reports, enables cameras to be used as unauthorized listening devices, with attackers listening to audio captured by the device “even if the camera’s audio has been disabled.”
This isn’t the first such issue to hit Dahua. Two years ago, a backdoor was found on the company’s cameras that was alleged to enable access to devices installed in major corporate customers, with data sent back to China.
On August 2, Dahua issued a security advisory following the disclosure of that initial vulnerability, saying that “some Dahua products’ VideoTalk function has authentication vulnerability—users without authentication can access this function. After Dahua reconstructed the relevant functional code in 2018, this vulnerability no longer exists.” IPVM criticized Dahua for “quietly fixing” the issue after it came to light, but with no immediate public notification.
A Dahua spokesperson told IPVM that the company’s Security Team and R&D Team has “conducted an emergency investigation, and the preliminary results are that this vulnerability does not exist after refactoring—some end-of-life products may have security risks. We have a plan to repair the related products.”
As IPVM points out, while we all worry about the use of IP video cameras—be they surveillance equipment of webcams—to deliver unauthorized streams, we don’t have the same concerns about audio. That cameras might be used as audio eavesdropping endpoints, even if audio is not enabled, is a major concern. In this kind of surveillance, audio has some major benefits over video—primarily because it doesn’t matter whether the camera is covered or where it’s pointing.
“We have not determined what of the dozens of Dahua OEM partners are impacted, outside of Amcrest,” IPVM reported, “but given that Amcrest and Dahua branded cameras are impacted, it is likely that many others have this vulnerability as well.”
Dahua was approached for comments on this latest disclosure.
The most recent firmware fix appears to have locked down the vulnerability—so update right away. But the fact that it existed in the first place will not help China’s manufacturers make their case for the security credentials of their products.