How safe are Dahua cameras?
  • I have been a non-professional user of SecuritySpy since 2006. Until last year, I had used only Toshiba and Axis cameras. Last year, though, I decided to add a couple more cameras and acquired 2nd Gen 1080 Y-Cam and Dahua IPC-HFW4300S; both have been performing to my satisfaction with SecuritySpy. I have just received DH SD22A204TN GNI W, which I purchased on the strength of a testimonial in another thread at this site; I am planning to install it this weekend. However, I have just run into a fairly recent Internet post which describes apparent vulnerabilities of the Dahua brand:

    (https://www.bleepingcomputer.com/news/hardware/dahua-left-device-credentials-exposed-to-anyone-knowing-where-to-look/)

    To add to my confusion I downloaded ConfigTool for Mac from the Dahua website. When I tried to open it, I got this lovely message from Mac OS:

    "“ConfigTool” can’t be opened because it is from an unidentified developer. Your security preferences allow installation of only apps from the App Store and identified developers."

    I do know how to go around the security setting, but the paranoia has already set in. Why wouldn't Dahua be Apple's identified developer? Am I possibly giving, or have given already, access to my computer to Chinese intelligence agencies?

    Has anyone else been sharing my concerns, or am I going nuts? Could someone comment on the vulnerability described in the above-linked post? When I install a Dahua camera on my network, is the camera "talking" to an outside server? Is the ConfigTool safe to use?

    Thanks in advance for your comments.
  • Vulnerabilities in IP cameras are discovered from time to time - it's not necessarily malevolent intent on behalf of the manufacturers, but more usually down to a lack of focus on security when they implement various parts of the camera's firmware.

    The post you link to is worrying, however you can protect yourself from such vulnerabilities by preventing the camera from being accessible from incoming connections from the Internet. You do this by the following:

    - Don't set up any port forwarding rules in your router that point to the camera's IP address.

    - If you see any "UPnP" or "NAT-PMP" setting in the camera's firmware, turn it off. These protocols allow the camera to automatically configure port forwarding in the router.

    Most routers will display a table that shows all the port forwarding rules in effect - here you should see some for SecuritySpy (if you have set up remote access to SecuritySpy), but not to the cameras.

    The above will stop incoming connections from the Internet to the camera, however if you want to take this a step further and prevent the camera from making any outgoing connections to the Internet, you can do so like this:

    - Set the camera's IP setup to manual, rather than DHCP.
    - Give your camera a manually-assigned IP address on your local network.
    - Specify a subnet mask of 255.255.255.0
    - Do NOT specify a router address or DNS servers.

    With just an IP address and a subnet mask, the camera will be available to other devices on the local network (e.g. SecuritySpy), but without a router address or a DNS server address, the camera won't be able to make outgoing connections to the Internet.

    However, it is useful to allow the camera to make outgoing connections to the Internet (e.g. to connect to a time server to keep its clock accurate), so I wouldn't really recommend this.

    As for the "unidentified developer" message, this is unfortunately common for IP camera manufacturers, who don't spend much effort on the Mac software. It doesn't necessarily indicate anything sinister - just laziness. Fortunately you don't need this tool in order to set up the camera - see our instructions Connecting to a Camera Over Ethernet for initial setup for the camera.
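
Added example, not part of the original thread or of SecuritySpy: a small Python check that models the two measures described in the reply above, flagging port-forwarding rules that point at a camera and showing why a camera with only an IP address and subnet mask cannot send traffic off the local network. All addresses, ports and rule entries are constructed sample values; the rule table would in practice be copied by hand from the router's port-forwarding page.

```python
import ipaddress

# Constructed sample data: none of these values come from the thread.
SECURITYSPY_HOST = "192.168.1.10"
CAMERA_IPS = {"192.168.1.50", "192.168.1.51"}
PORT_FORWARDS = [
    # (external_port, protocol, internal_ip, internal_port)
    (8000, "tcp", "192.168.1.10", 8000),  # to the SecuritySpy computer: expected
    (8554, "tcp", "192.168.1.50", 554),   # to a camera: should not exist
    (8080, "tcp", "192.168.1.51", 80),    # to a camera: should not exist
]


def camera_forwards(rules, camera_ips):
    """Return the forwarding rules whose internal target is a camera."""
    cams = {ipaddress.ip_address(ip) for ip in camera_ips}
    return [r for r in rules if ipaddress.ip_address(r[2]) in cams]


def can_send_to(camera_ip, netmask, gateway, dest_ip):
    """Model the camera's routing decision for one destination.

    Destinations inside the camera's own subnet are reached directly.
    Anything else must go through a router address, which the manual
    setup described above deliberately leaves blank (gateway=None).
    """
    net = ipaddress.ip_network(f"{camera_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(dest_ip) in net:
        return True
    return gateway is not None


if __name__ == "__main__":
    for rule in camera_forwards(PORT_FORWARDS, CAMERA_IPS):
        print("forward points at a camera, remove it:", rule)
    # 203.0.113.7 is a documentation-range address standing in for any Internet host.
    for dest in (SECURITYSPY_HOST, "203.0.113.7"):
        ok = can_send_to("192.168.1.50", "255.255.255.0", None, dest)
        print(dest, "reachable" if ok else "unreachable without a router address")
```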
  • Thank you Ben for taking time to comment and for doing it so quickly and so thoroughly. On my router, I do have rules for port forwarding to the computer running SecuritySpy. Nothing else in the tables, so I should be fine. Thank you again!
  • Drew,

    The "unidentified developer" message you received in OS X / macOS is a security feature in the operating system, called "Gatekeeper".

    Read more: https://support.apple.com/en-us/HT202491 (or find other sites that describe Gatekeeper in more detail). That particular Apple support article is a bit old, but the feature is similar still.

    It's not nefarious - it's to allow the OS to help you avoid installing software without your express permission. You can easily override it temporarily to install software from a source you choose to trust (Dahua), then turn it back on once the install is complete.
