Vulnerabilities / Threats
4/30/2013
11:51 AM
Connect Directly
RSS
E-Mail
50%
50%

D-Link Camera Security Flaw: Upgrade Now

16 vulnerable D-Link IP camera models have password issue that provides a back door, so attackers could intercept live video feed. Get the firmware update.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Multiple models of Internet-connected D-Link cameras have vulnerabilities that could be remotely exploited by attackers to bypass authentication and gain direct access to live video feeds.

That warning was sounded Monday by Core Security, which released a security bulletin detailing five vulnerabilities in the firmware used by a variety of D-Link Internet protocol (IP) cameras.

D-Link released updated firmware Thursday to address the vulnerabilities. At least 16 different D-Link IP cameras, including one Tesco-branded model, are susceptible to one or more of the vulnerabilities.

[ Afraid your Twitter account will be hacked? Read Twitter Trouble: 9 Social Media Security Tips. ]

According to Core Security, the identified vulnerabilities include an operating system command injection flaw that "allows an unauthenticated remote attacker to execute arbitrary commands through the camera's web interface," as well as two authentication bypasses, one of which would allow an attacker to access a device's video stream via HTTP, and another that attackers could use to access the Real Time Streaming Protocol (RTSP) video stream. Another bug would allow attackers to access a live, black-and-white ASCII video stream -- designed for low-bandwidth connections -- built using the luminance (light levels) seen by the device. As an example, Core Security included an ASCII video still of a coffee pot in its Full Disclosure mailing list.

Finally, all 16 vulnerable D-Link models contain a hardcoded password -- "?*" -- that provides a back door to the devices, which would enable attackers to access their live RTSP video stream.

Paul Ducklin, head of technology for Sophos in the Asia Pacific region, responded to the detailed security flaws with four words: "What were they thinking?"

"Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code," he said in a blog post. "And never create backdoors by setting up emergency logins with well-known username/password pairs 'just in case,' because that amounts to the same thing, though at least it is a blunder that can be fixed without a code update."

Also Monday, Core Security released a security bulletin identifying multiple vulnerabilities in at least two different models of Vivotek IP cameras. "Several Vivotek cameras store wireless keys and third-party credentials in clear text allowing a remote attacker to obtain sensitive information which might be valuable to perform further attacks," said Core Security. This sensitive information includes FTP and shared folder access credentials, as well as wireless access point keys, among other credentials. Other vulnerabilities identified could be used to trigger a remote buffer overflow and execute arbitrary code on a device or access a device's live video stream via RTSP without having to first authenticate.

Core Security said that after six failed attempts to alert Vivotek to the vulnerabilities -- the first time on March 6, and the last on April 24 -- it had received "no official answer from Vivotek." Accordingly, Core Security released its security bulletin, which includes full vulnerability details, to warn end users about the flaws in Vivotek's firmware.

Vivotek didn't immediately respond to a request for comment emailed to its headquarters in Taiwan, asking if the company was aware of the vulnerability report, if it could confirm the flaws, and if it was working to create updated firmware and notify affected customers.

The news of the D-Link and Vivotek vulnerabilities follows warnings released earlier this month that firmware flaws in some Foscam IP cameras would allow an attacker to remotely access the devices without having to authenticate, as well as to steal the authentication credentials stored on the devices.

Although Foscam has released updated firmware to address the vulnerabilities, security firm Qualys, which uncovered the flaws, reported earlier this month that 99% of vulnerable devices were still using an old version of the firmware. In part, that's because many Internet-connected devices -- and especially cameras used for surveillance purposes -- tend to be plugged in and left to run. "Security patches for hardware devices like routers, printers and cameras are often overlooked," said Ducklin, despite the fact that many of these devices tend to have built-in Web servers.

What's the risk? "Always-on devices like routers and cameras are typically part of your security infrastructure, so a compromise on one of them could facilitate the compromise of your whole network," he said, referring to the possibility that an attacker could load malicious code onto a vulnerable device, then use the device to distribute malware to other network-connected or Internet-connected devices. From a monitoring standpoint, meanwhile, businesses face a physical security threat if attackers are able to access surveillance cameras that monitor sensitive facilities, or if unscrupulous competitors access documents stored by Internet-connected multi-function printers.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Faye Kane, homeless brain
50%
50%
Faye Kane, homeless brain,
User Rank: Apprentice
5/26/2013 | 1:07:11 AM
re: D-Link Camera Security Flaw: Upgrade Now
==--
If you don't want to broadcast the default PW, then don't. But don't lie to people. The default PW for d-link is actually
:?*

-faye kane
sexiest astrophysicist you'll ever see naked
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.