Man-in-the-Middle vulnerabilities in D-Link cameras

News by Robert Abel

Attackers could tap into video streams of affected devices

A series of vulnerabilities in the D-Link DCS-2132L cloud camera allows attackers to remotely tap into the devices' video streams and also manipulate the device's firmware.

The vulnerabilities included unencrypted cloud communication, insufficient cloud message authentication and unencrypted LAN communication, according to an ESET blog post.

A threat actor can intercept video and audio feeds in a man-in-the-middle (MitM) attack on network traffic between the viewer app and the cloud, or between the cloud and the camera, because the streams are transmitted unencrypted on both of those links.

The flaw can be traced back to a condition within the request.c file, part of the D-Link customized open source boa web server source code, that handles HTTP requests to the camera. All HTTP requests from 127.0.0.1 are elevated to the admin level, granting a potential attacker full access to the device, researchers found.
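The trust-by-source-address pattern described above, reduced to a minimal C model and set next to a check that ignores the peer address. This is an added illustration, not code from boa, D-Link or the ESET post; the names authorize_by_peer, authorize_by_token, struct request and the token value are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical privilege levels and request model; not firmware code. */
enum level { LEVEL_NONE = 0, LEVEL_ADMIN = 1 };
struct request {
    struct in_addr peer;   /* TCP peer address of the HTTP request */
    const char *token;     /* credential sent by the client, NULL if absent */
};

/* Compares every byte instead of stopping at the first mismatch. */
static int token_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened pattern: the peer address is ignored, only a valid token counts. */
enum level authorize_by_token(const struct request *r, const char *expected) {
    if (r->token != NULL && token_equal(r->token, expected))
        return LEVEL_ADMIN;
    return LEVEL_NONE;
}

/* Flawed pattern: a loopback peer is promoted before any credential check. */
enum level authorize_by_peer(const struct request *r, const char *expected) {
    if (r->peer.s_addr == htonl(INADDR_LOOPBACK))
        return LEVEL_ADMIN;
    return authorize_by_token(r, expected);
}

/* Builds a constructed request from a dotted-quad peer string. */
struct request make_request(const char *peer, const char *token) {
    struct request r = { .token = token };
    inet_pton(AF_INET, peer, &r.peer);
    return r;
}

int main(void) {
    const char *secret = "constructed-admin-token";
    struct request local = make_request("127.0.0.1", NULL); /* no credentials */
    printf("by peer:  %d\n", authorize_by_peer(&local, secret));   /* 1 */
    printf("by token: %d\n", authorize_by_token(&local, secret));  /* 0 */
    return 0;
}
```

Any local service that relays traffic to the web server makes every relayed request look like a loopback peer, which is why the address cannot stand in for authentication.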

Researchers also spotted issues in the device's "mydlink services" web browser plug-in, which allows any application or user on the client's computer to access the camera's web interface with a simple request, without any authorization.

The vulnerability also allows an attacker to replace the legitimate firmware with their own rigged backdoor version.

Researchers also spotted other issues described as "minor, yet still concerning", including exposure of its HTTP interface on port 80 to the internet, which can happen without the user's consent. It was unclear why the devices used such a hazardous setting, researchers said.

The issues were promptly reported and, as of 2 May, some of the vulnerabilities have been mitigated while others remain, according to the post.

Researchers found the "mydlink services" plug-in is now properly secured, although other issues persist and the most recent version of firmware available for download did not address the vulnerabilities, allowing malicious replacement of the camera’s firmware, as well as interception of audio and video streams.

Current users of the device are advised to check that port 80 isn’t exposed to the public internet and reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company, the post said.

This article was originally published on SC Media US.
