Vulnerabilities / Threats

11:51 AM

D-Link Camera Security Flaw: Upgrade Now

16 vulnerable D-Link IP camera models have password issue that provides a back door, so attackers could intercept live video feed. Get the firmware update.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Multiple models of Internet-connected D-Link cameras have vulnerabilities that could be remotely exploited by attackers to bypass authentication and gain direct access to live video feeds.

That warning was sounded Monday by Core Security, which released a security bulletin detailing five vulnerabilities in the firmware used by a variety of D-Link Internet protocol (IP) cameras.

D-Link released updated firmware Thursday to address the vulnerabilities. At least 16 different D-Link IP cameras, including one Tesco-branded model, are susceptible to one or more of the vulnerabilities.

[ Afraid your Twitter account will be hacked? Read Twitter Trouble: 9 Social Media Security Tips. ]

According to Core Security, the identified vulnerabilities include an operating system command injection flaw that "allows an unauthenticated remote attacker to execute arbitrary commands through the camera's web interface," as well as two authentication bypasses, one of which would allow an attacker to access a device's video stream via HTTP, and another that attackers could use to access the Real Time Streaming Protocol (RTSP) video stream. Another bug would allow attackers to access a live, black-and-white ASCII video stream -- designed for low-bandwidth connections -- built using the luminance (light levels) seen by the device. As an example, Core Security included an ASCII video still of a coffee pot in its Full Disclosure mailing list.

Finally, all 16 vulnerable D-Link models contain a hardcoded password -- "?*" -- that provides a back door to the devices, which would enable attackers to access their live RTSP video stream.

Paul Ducklin, head of technology for Sophos in the Asia Pacific region, responded to the detailed security flaws with four words: "What were they thinking?"

"Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code," he said in a blog post. "And never create backdoors by setting up emergency logins with well-known username/password pairs 'just in case,' because that amounts to the same thing, though at least it is a blunder that can be fixed without a code update."

Also Monday, Core Security released a security bulletin identifying multiple vulnerabilities in at least two different models of Vivotek IP cameras. "Several Vivotek cameras store wireless keys and third-party credentials in clear text allowing a remote attacker to obtain sensitive information which might be valuable to perform further attacks," said Core Security. This sensitive information includes FTP and shared folder access credentials, as well as wireless access point keys, among other credentials. Other vulnerabilities identified could be used to trigger a remote buffer overflow and execute arbitrary code on a device or access a device's live video stream via RTSP without having to first authenticate.

Core Security said that after six failed attempts to alert Vivotek to the vulnerabilities -- the first time on March 6, and the last on April 24 -- it had received "no official answer from Vivotek." Accordingly, Core Security released its security bulletin, which includes full vulnerability details, to warn end users about the flaws in Vivotek's firmware.

Vivotek didn't immediately respond to a request for comment emailed to its headquarters in Taiwan, asking if the company was aware of the vulnerability report, if it could confirm the flaws, and if it was working to create updated firmware and notify affected customers.

The news of the D-Link and Vivotek vulnerabilities follows warnings released earlier this month that firmware flaws in some Foscam IP cameras would allow an attacker to remotely access the devices without having to authenticate, as well as to steal the authentication credentials stored on the devices.

Although Foscam has released updated firmware to address the vulnerabilities, security firm Qualys, which uncovered the flaws, reported earlier this month that 99% of vulnerable devices were still using an old version of the firmware. In part, that's because many Internet-connected devices -- and especially cameras used for surveillance purposes -- tend to be plugged in and left to run. "Security patches for hardware devices like routers, printers and cameras are often overlooked," said Ducklin, despite the fact that many of these devices tend to have built-in Web servers.

What's the risk? "Always-on devices like routers and cameras are typically part of your security infrastructure, so a compromise on one of them could facilitate the compromise of your whole network," he said, referring to the possibility that an attacker could load malicious code onto a vulnerable device, then use the device to distribute malware to other network-connected or Internet-connected devices. From a monitoring standpoint, meanwhile, businesses face a physical security threat if attackers are able to access surveillance cameras that monitor sensitive facilities, or if unscrupulous competitors access documents stored by Internet-connected multi-function printers.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Faye Kane, homeless brain
Faye Kane, homeless brain,
User Rank: Apprentice
5/26/2013 | 1:07:11 AM
re: D-Link Camera Security Flaw: Upgrade Now
If you don't want to broadcast the default PW, then don't. But don't lie to people. The default PW for d-link is actually

-faye kane
sexiest astrophysicist you'll ever see naked
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
The Role of KPIs in Incident Response
John Moran, Senior Product Manager, DFLabs,  4/18/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.