In a blog post, researchers Milan Fránik and Miloš Čermák said the D-Link DCS-2132L cloud camera was a "smart" device which provided access to what it was streaming with a few clicks.
The most serious issue was that the camera transmitted video unencrypted both between the camera and the cloud and between the camera and the client-side app used for viewing.
This would allow man-in-the-middle attacks and let intruders spy on victims' video streams, it was claimed.
"Unfortunately, only part of the traffic running through these tunnels is encrypted, leaving some of the most sensitive contents – such as the requests for camera IP and MAC addresses, version information, video and audio streams, and extensive camera info – without encryption," the company said.
Another serious issue claimed concerned the "mydlink services" browser plugin. The plugin managed the creation of the TCP tunnel and the live video playback at the client end, forwarded requests for the video and audio data streams through a tunnel which listened on a dynamically generated port on localhost, and was available to the whole operating system.
Given this, all that a user had to do to access the stream was to key in hxxp://127.0.0.1:RANDOM_PORT/ while video was being live-streamed.
Fránik and Čermák said the issues with this plugin had been fixed by the manufacturer.
"However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunnelling protocol," they wrote. "To achieve this, an attacker needs to modify the traffic in the tunnel by replacing the video stream GET request with a specific POST request that uploads and runs a bogus firmware 'update'."
ESET said it had informed D-Link about these, and a number of other minor issues, on 22 August 2018. The issues with the plugin were fixed on 28 August.