
D-Link security cams vulnerable to spying

06 May 2019

Security researchers at ESET have discovered serious security holes in the D-Link DCS-2132L cloud camera, which could allow attackers to connect directly into video streams and manipulate the device’s firmware. Some of the affected cameras are located in Australia and New Zealand.

“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” explain the researchers.

The problem lies in the way the camera and viewer app communicate. They connect through a proxy server on port 2048 over a TCP tunnel. However, only some of the traffic that runs through this tunnel is encrypted.

This means sensitive information such as camera MAC addresses and IP addresses, video and audio streams, and camera information are sent without encryption. Attackers can easily find this unencrypted information and gain access to the device.

“D-Link DCS-2132L also had a few other minor, yet still concerning, issues. It can set port forwarding to itself on a home router, by using Universal Plug and Play (UPnP). This exposes its HTTP interface on port 80 to the internet and can happen without the user’s consent even with the ‘Enable UPnP presentation’ or ‘Enable UPnP port forwarding’ fields in the settings unchecked,” researchers write.

Researchers expressed concern about the ‘mydlink services’ web browser plugin in the camera, which allows live video playback through a browser. It also uses tunnelling to send and receive traffic. Attackers can also use this to change the camera’s firmware to a version that may be riddled with backdoors or malware.

“At the time of writing, issues with the “mydlink services” plug-in have been successfully fixed by the manufacturer,” they write.

“However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunneling protocol described earlier.”

“At the time of writing the most recent version of firmware available for download was from November 2016 and did not address the vulnerabilities allowing malicious replacement of the camera’s firmware, as well as interception of audio and video streams.”

The D-Link DCS-2132L camera is still on the market. ESET advises owners to check that port 80 is not exposed to the public internet.

“Reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company,” researchers conclude.
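One way to carry out the port 80 check from the router side, as an added example that is not part of the original article or ESET's research: the script parses UPnP IGD `GetGenericPortMappingEntryResponse` bodies and flags enabled TCP mappings that forward to a camera's HTTP port, whatever external port they use. The camera address 192.168.1.50 and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def make_entry(ext, proto, iport, client, desc, enabled="1"):
    """Build a constructed GetGenericPortMappingEntryResponse body (sample data)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse'
        ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )

# Constructed sample: what a home router's mapping table might contain.
SAMPLE_RESPONSES = [
    make_entry(8080, "TCP", 80, "192.168.1.50", "constructed-camera-http"),
    make_entry(80, "TCP", 80, "192.168.1.50", "constructed-disabled", enabled="0"),
    make_entry(51820, "UDP", 51820, "192.168.1.20", "constructed-vpn"),
    make_entry(443, "TCP", 443, "192.168.1.10", "constructed-nas"),
]

def parse_mapping(soap_xml):
    """Extract the mapping arguments (unqualified New* elements) from one response."""
    root = ET.fromstring(soap_xml)
    f = {el.tag[3:]: (el.text or "").strip()
         for el in root.iter() if el.tag.startswith("New")}
    return {
        "external_port": int(f["ExternalPort"]),
        "protocol": f["Protocol"].upper(),
        "internal_port": int(f["InternalPort"]),
        "internal_client": f["InternalClient"],
        "enabled": f.get("Enabled", "1") == "1",
        "description": f.get("PortMappingDescription", ""),
    }

def exposed_web_mappings(responses, camera_ips, web_ports=(80,)):
    """Return enabled TCP mappings that forward to a camera's HTTP interface."""
    mappings = (parse_mapping(r) for r in responses)
    return [m for m in mappings
            if m["enabled"] and m["protocol"] == "TCP"
            and m["internal_client"] in camera_ips
            and m["internal_port"] in web_ports]

if __name__ == "__main__":
    for m in exposed_web_mappings(SAMPLE_RESPONSES, {"192.168.1.50"}):
        print(f"WAN tcp/{m['external_port']} -> {m['internal_client']}:"
              f"{m['internal_port']} ({m['description']})")
```

Matching on the internal client and internal port matters because the mapping may use an external port other than 80.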
