Security Commitment and Recommendation

Dahua Vision Technology Co., Ltd. (hereinafter referred to as "Dahua") attaches great importance to cybersecurity and privacy protection, and continues to invest special funds to comprehensively improve the security awareness and capabilities of Dahua employees and provide adequate security for products. Dahua has established a professional security team to provide full life cycle security empowerment and control for product design, development, testing, production, delivery and maintenance. While adhering to the principle of minimizing data collection, minimizing services, prohibiting backdoor implantation, and removing unnecessary and insecure services (such as Telnet), Dahua products continue to introduce innovative security technologies, and strive to improve the product security assurance capabilities, providing global users with security alarm and 24/7 security incident response services to better protect users’ security rights and interests. At the same time, Dahua encourages users, partners, suppliers, government agencies, industry organizations and independent researchers to report any potential risks or vulnerabilities discovered on Dahua devices to Dahua PSIRT, for specific reporting methods, please refer to the cyber security section of Dahua official website.

Product security requires not only the continuous attention and efforts of manufacturers in R&D, production, and delivery, but also the active participation of users that can help improve the environment and methods of product usage, so as to better ensure the security of products after they are put into use. For this reason, we recommend that users safely use the device, including but not limited to:

Account Management

  1. Use complex passwords

    Please refer to the following suggestions to set passwords:

    • The length should not be less than 8 characters;
    • Include at least two types of characters: upper and lower case letters, numbers and symbols;
    • Do not contain the account name or the account name in reverse order;
    • Do not use continuous characters, such as 123, abc, etc.;
    • Do not use repeating characters, such as 111, aaa, etc.

  2. Change passwords periodically

    It is recommended to periodically change the device password to reduce the risk of being guessed or cracked.

  3. Allocate accounts and permissions appropriately

    Appropriately add users based on service and management requirements and assign minimum permission sets to users.

  4. Enable account lockout function

    The account lockout function is enabled by default. You are advised to keep it enabled to protect account security. After multiple failed password attempts, the corresponding account and source IP address will be locked.

  5. Set and update password reset information in a timely manner

    Dahua device supports password reset function. To reduce the risk of this function being used by threat actors, if there is any change in the information, please modify it in time. When setting security questions, it is recommended not to use easily guessed answers.

Service Configuration

  1. Enable HTTPS

    It is recommended that you enable HTTPS to access Web services through secure channels.

  2. Encrypted transmission of audio and video

    If your audio and video data contents are very important or sensitive, we recommend you to use encrypted transmission function in order to reduce the risk of your audio and video data being eavesdropped during transmission.

  3. Turn off non-essential services and use safe mode

    If not needed, it is recommended to turn off some services such as SSH, SNMP, SMTP, UPnP, AP hotspot etc., to reduce the attack surfaces.

    If necessary, it is highly recommended to choose safe modes, including but not limited to the following services:

    • SNMP: Choose SNMP v3, and set up strong encryption and authentication passwords.
    • SMTP: Choose TLS to access mailbox server.
    • FTP: Choose SFTP, and set up complex passwords.
    • AP hotspot: Choose WPA2-PSK encryption mode, and set up complex passwords.

  4. Change HTTP and other default service ports

    It is recommended that you change the default port of HTTP and other services to any port between 1024 and 65535 to reduce the risk of being guessed by threat actors.

Network Configuration

  1. Enable Allow list

    It is recommended that you turn on the allow list function, and only allow IP in the allow list to access the device. Therefore, please be sure to add your computer IP address and supporting device IP address to the allow list.

  2. MAC address binding

    It is recommended that you bind the IP address of the gateway to the MAC address on the device to reduce the risk of ARP spoofing.

  3. Build a secure network environment

    In order to better ensure the security of devices and reduce potential cyber risks, the following are recommended:

    • Disable the port mapping function of the router to avoid direct access to the intranet devices from external network;
    • According to the actual network needs, partition the network: if there is no communication demand between the two subnets, it is recommended to use VLAN, gateway and other methods to partition the network to achieve network isolation;
    • Stablish 802.1x access authentication system to reduce the risk of illegal terminal access to the private network.
Security Auditing

  1. Check online users

    It is recommended to check online users regularly to identify illegal users.

  2. Check device log

    By viewing logs, you can learn about the IP addresses that attempt to log in to the device and key operations of the logged users.

  3. Configure network log

    Due to the limited storage capacity of devices, the stored log is limited. If you need to save the log for a long time, it is recommended to enable the network log function to ensure that the critical logs are synchronized to the network log server for tracing.

Software Security

  1. Update firmware in time

    According to the industry standard operating specifications, the firmware of devices needs to be updated to the latest version in time in order to ensure that the device has the latest functions and security. If the device is connected to the public network, it is recommended to enable the online upgrade automatic detection function, so as to obtain the firmware update information released by the manufacturer in a timely manner.

  2. Update client software in time

    We recommend you to download and use the latest client software.

Physical Protection

It is recommended that you carry out physical protection for devices (especially storage devices), such as placing the device in a dedicated machine room and cabinet, and having access control and key management in place to prevent unauthorized personnel from damaging hardware and other peripheral equipment (e.g. USB flash disk, serial port).