Security researchers at ESET have discovered serious security holes in the D-Link DCS-2132L cloud camera, which could allow attackers to connect directly into video streams and manipulate the device's firmware. Some of the affected cameras are located in Australia and New Zealand.
“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims' video streams,” explain the researchers.
The problem lies in the way the camera and viewer app communicate. They use a proxy server on port 2048, using a TCP tunnel. However only some of the traffic that runs through this tunnel is encrypted.
This means sensitive information such as camera MAC addresses and IP addresses, video and audio streams, and camera information are sent without encryption. Attackers can easily find this unencrypted information and gain access to the device.
“D-Link DCS-2132L also had a few other minor, yet still concerning, issues. It can set port forwarding to itself on a home router, by using Universal Plug and Play (UPnP). This exposes its HTTP interface on port 80 to the internet and can happen without the user's consent even with the ‘Enable UPnP presentation' or ‘Enable UPnP port forwarding' fields in the settings unchecked,” researchers write.
Researchers expressed concern about the ‘mydlink services' web browser plugin in the camera, which allows live video playback through a browser. It also uses tunnelling to send and receive traffic. Attackers can also use this to change the camera's firmware to a version that may be riddled with backdoors or malware.
“At the time of writing, issues with the “mydlink services” plug-in have been successfully fixed by the manufacturer,” they write.
“However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunneling protocol described earlier.
“At the time of writing the most recent version of firmware available for download was from November 2016 and did not address the vulnerabilities allowing malicious replacement of the camera's firmware, as well as interception of audio and video streams.
The D-Link DCS-2132L camera is still on the market. ESET advises owners to check that port 80 is not exposed to public internet.
“Reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company,” researchers conclude.