Alarms were set off after a backdoor into internet-connected devices manufactured by Dahua Technology was made public.
Independent security researcher Graham Cluley, writing on The State of Security, a Tripwire blog, reported that proof-of-concept code capable of automating attacks against IP cameras and recorders made by Dahua Technology was made public.
The Irvine, Calif.-based company issued an advisory on March 6 in response to a researcher named Bashis claiming he found a backdoor into the devices that could enable remote attackers to penetrate the systems and siphon out the device's database of user credentials and passwords, Cluley wrote.
Bashis went public with the flaw rather than notify the company, stating that he wanted to avoid hearing the company's excuses. After Bashis released the PoC code, Dahua requested he withdraw it. However, Bashis said he would republish it on April 5 should the company fail to act.
Dahua responded. In its advisory on March 6, the company released firmware updates that address the flaw in 11 of its devices. Additionally, the company said it is further investigating to make certain none of its other devices are affected.
UPDATE: However, on March 9, SC Media was contacted by Brian Karas, who leads market research for IPVM, which provides news, reviews and test results on IP cameras and more. Karas said that this issue is not fully addressed by Dahua.
"There are many Dahua devices that still do not have patched firmware," he informed SC Media. "From what we have seen, the number of devices without a patch is several times larger than those with a patch. This includes their IP intercom units, which were not even evaluated initially, but later found to have the same issue."
IPVM members, who include Dahua resellers and OEMs, have so far reported that every Dahua device/variant tested has been susceptible to this exploit, Karas told SC.