Flaws in D-Link Cloud Camera Expose Video Streams


Vulnerabilities in the D-Link DCS-2132L cloud camera can be exploited by attackers to tap into video or audio streams, but could also potentially provide full access to the device. 

The main issue with the camera is the fact that no encryption is used when transmitting the video stream. Specifically, both the connection between the camera and the cloud and that between the cloud and the viewing application are unencrypted, thus potentially exposed to man-in-the-middle (MitM) attacks.

The viewer app and the camera communicate through a proxy server on port 2048, using a TCP tunnel based on a custom D-Link tunneling protocol, but only parts of the traffic are encrypted, ESET’s security researchers have discovered. 

In fact, sensitive details such as the requests for camera IP and MAC addresses, version information, video and audio streams, and extensive camera info are left exposed to attackers. The vulnerability resides in the request.c file, which handles HTTP requests to the camera. 

“All HTTP requests from 127.0.0.1 are elevated to the admin level, granting a potential attacker full access to the device,” ESET notes.

An attacker able to intercept the network traffic between the viewer app and the cloud or between the cloud and the camera can see the HTTP requests for the video and audio packets. This allows the attacker to reconstruct and replay the stream at any time, or obtain the current audio or video stream. 

ESET’s security researchers say they were able to obtain the streamed video content in two raw formats. 

Another major issue was found in the “mydlink services” web browser plug-in, which allows users to view video streams. The plug-in manages the creation of the TCP tunnel and the video playback, but is also responsible for forwarding requests for the video and audio data streams through a tunnel. 

The tunnel is available for the entire operating system, meaning that any application or user on the computer can access the camera’s web interface by a simple request (only during the live video streaming).

“No authorization is needed since the HTTP requests to the camera’s webserver are automatically elevated to admin level when accessing it from a localhost IP (viewer app’s localhost is tunneled to camera localhost),” the researchers explain. 

While D-Link has addressed issues with the plug-in, there are still a series of vulnerabilities in the custom D-Link tunneling protocol that provide an attacker with the possibility to replace the legitimate firmware on the device with a maliciously modified one. For that, they would need to replace the video stream GET request with a specific POST request to fetch a bogus firmware update.

The attack, ESET notes, is not trivial to perform and requires dividing the firmware file into blocks with specific headers and of a certain maximum length. However, because the authenticity of the firmware binary is not verified, an attacker could upload one containing cryptocurrency miners, backdoors, spying software, botnets or other Trojans, or they could deliberately “brick” the device.

Other issues the researchers discovered include the fact that D-Link DCS-2132L can set port forwarding to itself on a home router, via the Universal Plug and Play (UPnP) protocol. Thus, it exposes its HTTP interface on port 80 to the Internet without the user even knowing about it. The issue can be mitigated by disabling UPnP. 

“Why the camera uses such a hazardous setting is unclear. Currently close to 1,600 D-Link DCS-2132L cameras with exposed port 80 can be found via Shodan, most of them in the United States, Russia and Australia,” the researchers say. 

ESET says it reported the issues to D-Link in August 2018, including vulnerable unencrypted cloud communication, insufficient cloud message authentication and unencrypted LAN communication, but that only some of the flaws have been mitigated, such as the “mydlink services” plug-in, which is now properly secured. The most recent firmware available for the device is dated November 2016. 

“D-Link DCS-2132L camera is still available on the market. Current owners of the device are advised to check that port 80 isn’t exposed to the public internet and reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company,” ESET concludes. 

Related: Critical Vulnerabilities Allow Takeover of D-Link Routers

Related: D-Link Patches Code Execution, XSS Flaws in Management Tool

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "http://bit.ly/2H8xnxD"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more