How easy is it to hack these devices?
According to a security researcher going by the name of Bashis, it’s almost laughably easy. The manufacturer stores configuration information for all their products on a web server. Downloading the file is as simple as getting the IP address of the smart device in question.
The hacker simply types the URL into his browser, downloads the file and gains access to full information on all users who have access to the device. Even worse, using simple automation tools, the process can be replicated quickly and easily, enabling a single hacker to take control of a large number of devices single-handedly.
Bashis reported his findings to the company and posted proof of concept code on Github as a demonstration, but later removed the code at Dahua’s request to give the company time to release an update to their firmware.
Dahua has done so, but this vulnerability dates back at least three years. The company’s older equipment does not automatically get updates to its firmware, which means that there are hundreds of thousands, perhaps millions of smart devices that are still vulnerable and easily hackable.
Until those devices are manually updated (which is unlikely) or simply retired from service, they are, and will remain, at serious risk.