Security Market Segment LS
Sunday, 05 May 2019 06:38

D-Link camera flaw lets attackers tap into video stream

By
D-Link camera flaw lets attackers tap into video stream Courtesy: D-Link

Researchers at Slovakian security firm ESET claim to have discovered a number of flaws in the D-Link DCS-2132L cloud camera which can allow attackers to tap into the video stream and also manipulate the firmware of the device. A search for devices which had port 80 open on 10 April showed that there were about 1600, mostly in the US, Russia and Australia.

In a blog post, researchers Milan Fránik and Miloš Čermák said the D-Link DCS-2132L cloud camera was a "smart" device which provided access to what it was streaming with a few clicks.

The most serious issue was that the camera transmitted video unencrypted between both the camera and the cloud, and between the camera and the client-side app used for viewing.

This would allow man-in-the-middle attacks and also allowed intruders to spy on victims' video streams, it was claimed.

According to the researchers, the user's viewer app and the camera communicated through a proxy server on port 2048, using a TCP tunnel which was based on a proprietary D-Link tunnelling protocol.

"Unfortunately, only part of the traffic running through these tunnels is encrypted, leaving some of the most sensitive contents – such as the requests for camera IP and MAC addresses, version information, video and audio streams, and extensive camera info – without encryption," the company said.

Another serious issue claimed was that the "mydlink services" browser plugin — which managed the creation of the TCP tunnel, the live video playback at the client end, forwarding of requests for the video and audio data streams through a tunnel, which listened on a dynamically generated port on localhost — was available to the whole operating system.

Given this, all that a user had to do to access the stream was to key in hxxp://127.0.0.1:RANDOM_PORT/ while video was being live-streamed.

dlink shodan

Fránik and Čermák said the issues with this plugin had been fixed by the manufacturer.

"However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunnelling protocol," they wrote. "To achieve this, an attacker needs to modify the traffic in the tunnel by replacing the video stream GET request with a specific POST request that uploads and runs a bogus firmware 'update'."

ESET said it had informed D-Link about these, and a number of other minor issues, on 22 August 2018. The issues with the plugin was fixed on 28 August.

Screenshot: courtesy ESET

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments