Sunday, 05 May 2019 06:38

D-Link camera flaw lets attackers tap into video stream


Researchers at Slovakian security firm ESET claim to have discovered a number of flaws in the D-Link DCS-2132L cloud camera which can allow attackers to tap into the video stream and also manipulate the firmware of the device. A search for devices which had port 80 open on 10 April showed that there were about 1600, mostly in the US, Russia and Australia.

In a blog post, researchers Milan Fránik and Miloš Čermák said the D-Link DCS-2132L cloud camera was a "smart" device which provided access to what it was streaming with a few clicks.

The most serious issue was that the camera transmitted video unencrypted, both between the camera and the cloud and between the camera and the client-side app used for viewing.

This would allow man-in-the-middle attacks and let intruders spy on victims' video streams, it was claimed.

According to the researchers, the user's viewer app and the camera communicated through a proxy server on port 2048, using a TCP tunnel which was based on a proprietary D-Link tunnelling protocol.

"Unfortunately, only part of the traffic running through these tunnels is encrypted, leaving some of the most sensitive contents – such as the requests for camera IP and MAC addresses, version information, video and audio streams, and extensive camera info – without encryption," the company said.

Another serious issue claimed concerned the "mydlink services" browser plugin, which managed the creation of the TCP tunnel and the live video playback at the client end, and forwarded requests for the video and audio data streams through a tunnel which listened on a dynamically generated port on localhost. The plugin was available to the whole operating system.

Given this, all that a user had to do to access the stream was to key in hxxp:// while video was being live-streamed.


Fránik and Čermák said the issues with this plugin had been fixed by the manufacturer.

"However, the malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunnelling protocol," they wrote. "To achieve this, an attacker needs to modify the traffic in the tunnel by replacing the video stream GET request with a specific POST request that uploads and runs a bogus firmware 'update'."

ESET said it had informed D-Link about these, and a number of other minor issues, on 22 August 2018. The issues with the plugin were fixed on 28 August.
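A monitoring-side check for the cleartext tunnel traffic described above, as an added example that is not from ESET, D-Link or the original article: it takes already-reassembled TCP payloads, flags cleartext HTTP request lines seen on port 2048 and raises a stronger alert for a POST. The payload bytes, the host name and the `/EXAMPLE-...` paths are constructed placeholders, and the tunnel's real framing is an unknown that this sketch does not model.

```python
import hashlib
import math
import re
from collections import Counter

TUNNEL_PORT = 2048  # proxy port named in the article
# Cleartext HTTP request line anywhere inside a payload.
HTTP_REQ = re.compile(rb"(GET|POST|PUT|HEAD) (/\S*) HTTP/1\.[01]\r\n")

# Constructed sample payloads (not captured traffic; paths are placeholders).
SAMPLE_GET = b"\x00\x01GET /EXAMPLE-stream HTTP/1.1\r\nHost: camera.example\r\n\r\n"
SAMPLE_POST = b"\x00\x02POST /EXAMPLE-upload HTTP/1.1\r\nHost: camera.example\r\n\r\n"
# Deterministic high-entropy bytes standing in for an encrypted segment.
SAMPLE_ENC = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data approaches 8.0 on large samples."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_segment(dst_port: int, payload: bytes) -> dict:
    """Classify one reassembled TCP payload observed by a network sensor."""
    finding = {"port": dst_port, "cleartext_http": [], "alert": None,
               "entropy": round(shannon_entropy(payload), 2),
               "likely_encrypted": False}
    if dst_port != TUNNEL_PORT:
        return finding  # only the tunnel port is in scope for this check
    for m in HTTP_REQ.finditer(payload):
        finding["cleartext_http"].append((m.group(1).decode(), m.group(2).decode()))
    methods = {method for method, _ in finding["cleartext_http"]}
    if "POST" in methods:
        # The article describes a stream GET being swapped for an upload POST.
        finding["alert"] = "cleartext POST inside tunnel (possible upload)"
    elif methods:
        finding["alert"] = "cleartext HTTP inside tunnel"
    else:
        # Heuristic only: short payloads cannot reach high entropy.
        finding["likely_encrypted"] = finding["entropy"] >= 7.0
    return finding


if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST, SAMPLE_ENC):
        print(inspect_segment(TUNNEL_PORT, sample))
```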



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


