Manufacturer responds to hint from students

The project team on an excursion with the University of Applied Sciences Offenburg to the national IT situation centre of the Federal Office for Information Security (from left to right): Johann Betz, Thomas Vogt, Dennis Barnekow, Daniel Nussko, Philipp Rombach, Florian Losch, Dr. Christian Eibl (head of the situation centre).

Thomas Vogt, Daniel Nussko, Florian Losch, Philipp Rombach and Dennis Barnekow, all students of the Enterprise and IT-Security (ENITS) Master's course at the University of Applied Sciences Offenburg, analyzed different camera models as part of the project "Cybersecurity analysis of an IoT device", supervised by Professor Dr. Dirk Westhoff. According to the students' research, a total of nine camera models from the Chinese manufacturer Dahua could be attacked and forced into a botnet via security vulnerabilities, some of which have been classified as critical. Attackers could, for example, read passwords and even execute malicious code. In the past, this vendor's devices were exploited for botnets and large-scale distributed denial-of-service attacks, which made the newly identified vulnerabilities especially critical.

The project team informed Dahua through its own "Responsible Disclosure" procedure and provided the responsible Computer Security Incident Response Team (CSIRT) with all details regarding the vulnerabilities. As a result, the development department worked intensively on security updates. These are now available for download and must be installed manually by the user. The warning message also contains further information about the affected camera models and the vulnerabilities.