D-Link has only partially patched critical flaws affecting its consumer WiFi camera, which allow hackers to intercept and view recorded video. They also allow attackers to manipulate the device’s firmware, according to security researchers. The camera in question is D-Link’s DCS-2132L cloud camera, popular with consumers and sold at big-box retailers and online.
The most serious of the vulnerabilities creates the conditions for a man-in-the-middle (MitM) attack, according to ESET researchers who discovered the bugs late last year. The problem is tied to the lack of encryption in the transmission of the video stream between the camera and D-Link’s cloud service, and also from the cloud to the user’s client-side viewing app, researchers explained in a Thursday report outlining the flaw.
“The viewer app and the camera communicate via a proxy server on port 2048, using a TCP tunnel based on a custom D-Link tunneling protocol,” wrote ESET researchers Milan Fránik and Miloš Čermák. “Unfortunately, only part of the traffic running through these tunnels is encrypted, leaving some of the most sensitive contents – such as the requests for camera IP and MAC addresses, version information, video and audio streams, and extensive camera info – without encryption.”
The bug is further traced to D-Link’s use of customized open-source Boa web server source code. Boa is a small-footprint web server software, typically used with embedded applications — and it was discontinued in 2005. ESET said that because the D-Link Boa web server handles HTTP requests to the camera sans encryption, “all HTTP requests from 127.0.0.1 are elevated to the admin level, granting a potential attacker full access to the device.”
A MitM attacker can intercept the network traffic and acquire the data stream of the TCP connection on the server (cloud) port 2048 — from there, he or she can see the HTTP requests for the video and audio packets. An attacker could then capture the streamed video content for playback. “[Streams] can then be reconstructed and replayed by the attacker, at any time, to obtain the current audio or video stream from that camera,” researchers said.
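The practical consequence of a partially encrypted tunnel is that a capture of the port-2048 stream still contains readable HTTP request lines. The following added example (written for this article; it is not code from ESET, Threatpost or D-Link) shows how a defender can audit such a capture: it scans a raw byte stream for cleartext HTTP requests, flags those naming the resource types the report lists as unencrypted, and uses byte entropy to count the segments that actually look encrypted. The request paths, the entropy threshold and the sample capture are constructed for illustration and are not the real D-Link endpoints.

```python
import hashlib
import math
import re

# Plaintext HTTP/1.x request line. The article states such requests travel
# unencrypted through the port-2048 tunnel next to encrypted segments.
REQUEST_LINE = re.compile(rb"(GET|POST|HEAD|PUT) (/\S*) HTTP/1\.[01]\r\n")
# Resource words the article names as sent in the clear; sample paths are constructed.
SENSITIVE_WORDS = ("video", "audio", "mac", "version")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: HTTP text scores roughly 4-5, ciphertext approaches 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))

def audit_tunnel_stream(stream: bytes, opaque_threshold: float = 6.0) -> dict:
    """Record cleartext HTTP requests (flagging sensitive ones) and count the
    high-entropy gaps between them, which is all a fully encrypted tunnel should show."""
    report = {"cleartext_requests": [], "sensitive_cleartext": [], "opaque_segments": 0}
    pos = 0
    for m in REQUEST_LINE.finditer(stream):
        if m.start() < pos:  # a match inside header bytes already consumed
            continue
        gap = stream[pos:m.start()]
        if gap and shannon_entropy(gap) >= opaque_threshold:
            report["opaque_segments"] += 1
        path = m.group(2).decode("ascii", "replace")
        report["cleartext_requests"].append(path)
        if any(w in path.lower() for w in SENSITIVE_WORDS):
            report["sensitive_cleartext"].append(path)
        end = stream.find(b"\r\n\r\n", m.end())  # swallow the cleartext header block
        pos = len(stream) if end == -1 else end + 4
    if pos < len(stream) and shannon_entropy(stream[pos:]) >= opaque_threshold:
        report["opaque_segments"] += 1
    return report

# Constructed capture: two encrypted-looking segments (deterministic SHAKE-256
# output standing in for real ciphertext) around three plaintext requests, two
# of which ask for resources the article lists as leaked.
SAMPLE_STREAM = (
    hashlib.shake_256(b"seg1").digest(512)
    + b"GET /video/stream.mjpeg HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    + hashlib.shake_256(b"seg2").digest(512)
    + b"GET /dev/info?fields=mac,version HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    + b"GET /favicon.ico HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
)
```

Run `audit_tunnel_stream` over a real capture taken on your own network to check whether a firmware update has actually closed the cleartext gap: a properly encrypted tunnel should yield no cleartext requests at all.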
Threatpost reached out to D-Link for comment, but as of press time the company had not replied back.
A Second Plugin Bug Allows Rogue Firmware Updates
A second vulnerability identified by ESET relates to D-Link’s “MyDlink Services” web browser plugin, which gives camera owners a way to view video content without using the app. The flaw manifests only while a user is live-streaming content to the plugin.
“The web browser plugin manages the creation of the TCP tunnel and the live video playback in the client’s browser, but is also responsible for forwarding requests for the video and audio data streams through a tunnel, which listens on a dynamically generated port on localhost,” the researchers said.
During that window of opportunity, a local unauthenticated user can access the camera’s web interface simply by opening the hxxp://127.0.0.1:RANDOM_PORT/ address. “The tunnel is made available for the whole operating system, so any application or user on the client’s computer can simply access the camera’s web interface by a simple request,” they said.
This allows an attacker to mount a non-trivial attack in which the legitimate firmware is replaced with a rigged or back-doored version, researchers said.
Port 80 Exposure, With No User Consent
Additional bugs were identified by ESET, including one in the device’s Universal Plug and Play (UPnP) implementation that opens port 80 on the home router, exposing the HTTP interface to potential hackers who are scanning for the open port. An ESET scan of DCS-2132L cameras with port 80 open on April 10 indicated 1,600 vulnerable devices. Over 30 percent of those cameras were located in the United States, according to the Shodan scan.
On August 22, ESET disclosed the vulnerabilities to D-Link.
D-Link has addressed some of the issues — however, the fixes aren’t comprehensive.
“Since [ESET first reported the bugs], some of the vulnerabilities have been mitigated,” researchers stated. “According to our tests, the ‘MyDlink services’ plug-in is now properly secured – although other issues persist. At the time of writing, the most recent version of firmware available for download was from November 2016 and did not address the vulnerabilities allowing malicious replacement of the camera’s firmware, as well as interception of audio and video streams.”
ESET advises owners to ensure port 80 on their router isn’t exposed to the public internet and said that users should “reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company.”
ESET issued a patch on August 28 for its myDlink plugin. Public disclosure of the bugs was Thursday.