
D-Link security cams vulnerable to spying

06 May 2019

Security researchers at ESET have discovered serious security holes in the D-Link DCS-2132L cloud camera, which could allow attackers to connect directly into video streams and manipulate the device’s firmware. Some of the affected cameras are located in Australia and New Zealand.

“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” explain the researchers.

The problem lies in the way the camera and viewer app communicate: traffic between them passes through a proxy server on port 2048 inside a TCP tunnel, but only some of the traffic that runs through this tunnel is encrypted.

This means sensitive information such as camera MAC addresses and IP addresses, video and audio streams, and camera information are sent without encryption. Attackers can easily find this unencrypted information and gain access to the device.

“D-Link DCS-2132L also had a few other minor, yet still concerning, issues. It can set port forwarding to itself on a home router, by using Universal Plug and Play (UPnP). This exposes its HTTP interface on port 80 to the internet and can happen without the user’s consent even with the ‘Enable UPnP presentation’ or ‘Enable UPnP port forwarding’ fields in the settings unchecked,” researchers write.

Researchers expressed concern about the ‘mydlink services’ web browser plugin in the camera, which allows live video playback through a browser. It also uses tunnelling to send and receive traffic. Attackers can also use this to change the camera’s firmware to a version that may be riddled with backdoors or malware.

“At the time of writing, issues with the ‘mydlink services’ plug-in have been successfully fixed by the manufacturer,” they write.

“However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunneling protocol described earlier.”

“At the time of writing the most recent version of firmware available for download was from November 2016 and did not address the vulnerabilities allowing malicious replacement of the camera’s firmware, as well as interception of audio and video streams.”

The D-Link DCS-2132L camera is still on the market. ESET advises owners to check that the camera’s port 80 is not exposed to the public internet.
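One way to act on that advice is to read the router’s own UPnP IGD port-mapping table and flag any entry that publishes TCP port 80, since the article describes the camera adding such a mapping itself. The script below is an added example, not ESET’s or D-Link’s code; it assumes the router’s WANIPConnection control URL is already known (passed as an argument, typically found in the router’s UPnP device description), and the SOAP response it parses offline is a constructed sample.

```python
"""Walk a home router's UPnP IGD port-mapping table and flag entries that publish TCP port 80
(the camera's HTTP interface) to the internet. Added example, not ESET's or D-Link's code."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE, ACTION = "urn:schemas-upnp-org:service:WANIPConnection:1", "GetGenericPortMappingEntry"

def parse_mapping(soap_xml: str) -> dict:
    """Collect the New* fields of one GetGenericPortMappingEntry response into a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]  # drop any namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def is_exposed_http(mapping: dict) -> bool:
    """True for a TCP mapping that publishes external port 80 or lands on an internal port 80."""
    if mapping.get("Protocol", "").upper() != "TCP":
        return False
    return mapping.get("ExternalPort") == "80" or mapping.get("InternalPort") == "80"

def query_entry(control_url: str, index: int) -> "dict | None":
    """Fetch mapping #index; None once the IGD answers with a SOAP fault (713 = end of table)."""
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex></u:{ACTION}></s:Body></s:Envelope>')
    req = urllib.request.Request(control_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return parse_mapping(resp.read().decode())
    except urllib.error.HTTPError:
        return None

# Constructed sample response: a camera (made-up address 192.168.1.50) that mapped its HTTP port.
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>80</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>camera</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":  # usage: python igd_check.py http://<router>:<port>/<igd-control-path>
    i = 0
    while (m := query_entry(sys.argv[1], i)) is not None:
        print("EXPOSED" if is_exposed_http(m) else "ok     ", m)
        i += 1
```

A mapping reported as EXPOSED should be deleted in the router’s UPnP or port-forwarding settings, and UPnP itself disabled if the camera keeps re-adding it.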

“Reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company,” researchers conclude.
