Login passwords of Dahua devices stored in IoT search engine

ZoomEye, a search engine for discovering IoT devices, was found to contain the login passwords of several thousand Dahua devices.

The credentials were discovered by Ankit Anubhav, a cyber security researcher at NewSky Security who specialises in IoT security. Allegedly, they belong to Dahua DVRs running severely out-of-date firmware that is vulnerable to a 5-year-old exploit.

The vulnerability, CVE-2013-6117, was discovered by Jake Reynolds, a security researcher working for Depth Security. It turns out that people are still running ancient firmware on their IoT devices.

In one of his blog posts, he explained how an attacker can open a raw TCP connection to port 37777 on a Dahua DVR and send a special payload. Upon receiving it, the device responds with DDNS credentials used for logging in, all in plaintext.

Even though this vulnerability was patched 5 years ago, it seems that the owners of these devices still have an antiquated firmware version installed.

Things get especially problematic because ZoomEye has been indexing the login credentials of these Dahua devices in a peculiar manner, so a hacker wouldn’t even need to use the procedure described above to get hold of them. Going through the ZoomEye search results with nothing more than a free account is all that’s needed.

The owner of ZoomEye doesn’t plan on removing the data, stating that this would not solve the problem.