Vulnerabilities / Threats
4/30/2013
11:51 AM

D-Link Camera Security Flaw: Upgrade Now

Sixteen vulnerable D-Link IP camera models have a password issue that provides a back door, so attackers could intercept the live video feed. Get the firmware update.

Multiple models of Internet-connected D-Link cameras have vulnerabilities that could be remotely exploited by attackers to bypass authentication and gain direct access to live video feeds.

That warning was sounded Monday by Core Security, which released a security bulletin detailing five vulnerabilities in the firmware used by a variety of D-Link Internet protocol (IP) cameras.

D-Link released updated firmware Thursday to address the vulnerabilities. At least 16 different D-Link IP cameras, including one Tesco-branded model, are susceptible to one or more of the vulnerabilities.

According to Core Security, the identified vulnerabilities include an operating system command injection flaw that "allows an unauthenticated remote attacker to execute arbitrary commands through the camera's web interface," as well as two authentication bypasses, one of which would allow an attacker to access a device's video stream via HTTP, and another that attackers could use to access the Real Time Streaming Protocol (RTSP) video stream. Another bug would allow attackers to access a live, black-and-white ASCII video stream -- designed for low-bandwidth connections -- built using the luminance (light levels) seen by the device. As an example, Core Security included an ASCII video still of a coffee pot in its Full Disclosure mailing list.

Finally, all 16 vulnerable D-Link models contain a hardcoded password -- "?*" -- that provides a back door to the devices, which would enable attackers to access their live RTSP video stream.

Paul Ducklin, head of technology for Sophos in the Asia Pacific region, responded to the detailed security flaws with four words: "What were they thinking?"

"Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code," he said in a blog post. "And never create backdoors by setting up emergency logins with well-known username/password pairs 'just in case,' because that amounts to the same thing, though at least it is a blunder that can be fixed without a code update."

Also Monday, Core Security released a security bulletin identifying multiple vulnerabilities in at least two different models of Vivotek IP cameras. "Several Vivotek cameras store wireless keys and third-party credentials in clear text allowing a remote attacker to obtain sensitive information which might be valuable to perform further attacks," said Core Security. This sensitive information includes FTP and shared folder access credentials, as well as wireless access point keys, among other credentials. Other vulnerabilities identified could be used to trigger a remote buffer overflow and execute arbitrary code on a device or access a device's live video stream via RTSP without having to first authenticate.

Core Security said that after six failed attempts to alert Vivotek to the vulnerabilities -- the first time on March 6, and the last on April 24 -- it had received "no official answer from Vivotek." Accordingly, Core Security released its security bulletin, which includes full vulnerability details, to warn end users about the flaws in Vivotek's firmware.

Vivotek didn't immediately respond to a request for comment emailed to its headquarters in Taiwan, asking if the company was aware of the vulnerability report, if it could confirm the flaws, and if it was working to create updated firmware and notify affected customers.

The news of the D-Link and Vivotek vulnerabilities follows warnings released earlier this month that firmware flaws in some Foscam IP cameras would allow an attacker to remotely access the devices without having to authenticate, as well as to steal the authentication credentials stored on the devices.

Although Foscam has released updated firmware to address the vulnerabilities, security firm Qualys, which uncovered the flaws, reported earlier this month that 99% of vulnerable devices were still using an old version of the firmware. In part, that's because many Internet-connected devices -- and especially cameras used for surveillance purposes -- tend to be plugged in and left to run. "Security patches for hardware devices like routers, printers and cameras are often overlooked," said Ducklin, despite the fact that many of these devices tend to have built-in Web servers.

What's the risk? "Always-on devices like routers and cameras are typically part of your security infrastructure, so a compromise on one of them could facilitate the compromise of your whole network," he said, referring to the possibility that an attacker could load malicious code onto a vulnerable device, then use the device to distribute malware to other network-connected or Internet-connected devices. From a monitoring standpoint, meanwhile, businesses face a physical security threat if attackers are able to access surveillance cameras that monitor sensitive facilities, or if unscrupulous competitors access documents stored by Internet-connected multi-function printers.

Comments
Faye Kane, homeless brain,
User Rank: Apprentice
5/26/2013 | 1:07:11 AM
re: D-Link Camera Security Flaw: Upgrade Now
==--
If you don't want to broadcast the default PW, then don't. But don't lie to people. The default PW for d-link is actually
:?*

-faye kane
sexiest astrophysicist you'll ever see naked