Story image

D-Link security cams vulnerable to spying

06 May 2019

Security researchers at ESET have discovered serious security holes in the D-Link DCS-2132L cloud camera, which could allow attackers to connect directly into video streams and manipulate the device’s firmware. Some of the affected cameras are located in Australia and New Zealand.

“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” explain the researchers.

The problem lies in the way the camera and viewer app communicate. They use a proxy server on port 2048, using a TCP tunnel. However only some of the traffic that runs through this tunnel is encrypted. 

This means sensitive information such as camera MAC addresses and IP addresses, video and audio streams, and camera information are sent without encryption. Attackers can easily find this unencrypted information and gain access to the device.

“D-Link DCS-2132L also had a few other minor, yet still concerning, issues. It can set port forwarding to itself on a home router, by using Universal Plug and Play (UPnP). This exposes its HTTP interface on port 80 to the internet and can happen without the user’s consent even with the ‘Enable UPnP presentation’ or ‘Enable UPnP port forwarding’ fields in the settings unchecked,” researchers write.

Researchers expressed concern about the ‘mydlink services’ web browser plugin in the camera, which allows live video playback through a browser. It also uses tunnelling to send and receive traffic. Attackers can also use this to change the camera’s firmware to a version that may be riddled with backdoors or malware.

“At the time of writing, issues with the “mydlink services” plug-in have been successfully fixed by the manufacturer,” they write.

“However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunneling protocol described earlier.”

“At the time of writing the most recent version of firmware available for download was from November 2016 and did not address the vulnerabilities allowing malicious replacement of the camera’s firmware, as well as interception of audio and video streams.”

The D-Link DCS-2132L camera is still on the market. ESET advises owners to check that port 80 is not exposed to public internet.

“Reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company,” researchers conclude.

Forescout strengthens investment in OT security
Forescout’s latest features will provide enterprises with improved productivity, lower risk profiles and faster mitigation of threats.
Hybrid cloud security big concern for business leaders
A new study highlights that IT and security professionals have significant concerns around security for hybrid cloud and multi-cloud environments.
GitHub launches fund to sponsor open source developers
In addition to GitHub Sponsors, GitHub is launching the GitHub Sponsors, GitHub will match all contributions up to $5,000 during a developer’s first year in GitHub Sponsors.
Check Point announces integration with Microsoft Azure
The integration of Check Point’s advanced policy enforcement capabilities with Microsoft AIP’s file classification and protection features enables enterprises to keep their business data and IP secure, irrespective of how it is shared. 
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.