Vulnerabilities / Threats
4/30/2013
11:51 AM
50%
50%

D-Link Camera Security Flaw: Upgrade Now

16 vulnerable D-Link IP camera models have password issue that provides a back door, so attackers could intercept live video feed. Get the firmware update.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Multiple models of Internet-connected D-Link cameras have vulnerabilities that could be remotely exploited by attackers to bypass authentication and gain direct access to live video feeds.

That warning was sounded Monday by Core Security, which released a security bulletin detailing five vulnerabilities in the firmware used by a variety of D-Link Internet protocol (IP) cameras.

D-Link released updated firmware Thursday to address the vulnerabilities. At least 16 different D-Link IP cameras, including one Tesco-branded model, are susceptible to one or more of the vulnerabilities.

[ Afraid your Twitter account will be hacked? Read Twitter Trouble: 9 Social Media Security Tips. ]

According to Core Security, the identified vulnerabilities include an operating system command injection flaw that "allows an unauthenticated remote attacker to execute arbitrary commands through the camera's web interface," as well as two authentication bypasses, one of which would allow an attacker to access a device's video stream via HTTP, and another that attackers could use to access the Real Time Streaming Protocol (RTSP) video stream. Another bug would allow attackers to access a live, black-and-white ASCII video stream -- designed for low-bandwidth connections -- built using the luminance (light levels) seen by the device. As an example, Core Security included an ASCII video still of a coffee pot in its Full Disclosure mailing list.

Finally, all 16 vulnerable D-Link models contain a hardcoded password -- "?*" -- that provides a back door to the devices, which would enable attackers to access their live RTSP video stream.

Paul Ducklin, head of technology for Sophos in the Asia Pacific region, responded to the detailed security flaws with four words: "What were they thinking?"

"Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code," he said in a blog post. "And never create backdoors by setting up emergency logins with well-known username/password pairs 'just in case,' because that amounts to the same thing, though at least it is a blunder that can be fixed without a code update."

Also Monday, Core Security released a security bulletin identifying multiple vulnerabilities in at least two different models of Vivotek IP cameras. "Several Vivotek cameras store wireless keys and third-party credentials in clear text allowing a remote attacker to obtain sensitive information which might be valuable to perform further attacks," said Core Security. This sensitive information includes FTP and shared folder access credentials, as well as wireless access point keys, among other credentials. Other vulnerabilities identified could be used to trigger a remote buffer overflow and execute arbitrary code on a device or access a device's live video stream via RTSP without having to first authenticate.

Core Security said that after six failed attempts to alert Vivotek to the vulnerabilities -- the first time on March 6, and the last on April 24 -- it had received "no official answer from Vivotek." Accordingly, Core Security released its security bulletin, which includes full vulnerability details, to warn end users about the flaws in Vivotek's firmware.

Vivotek didn't immediately respond to a request for comment emailed to its headquarters in Taiwan, asking if the company was aware of the vulnerability report, if it could confirm the flaws, and if it was working to create updated firmware and notify affected customers.

The news of the D-Link and Vivotek vulnerabilities follows warnings released earlier this month that firmware flaws in some Foscam IP cameras would allow an attacker to remotely access the devices without having to authenticate, as well as to steal the authentication credentials stored on the devices.

Although Foscam has released updated firmware to address the vulnerabilities, security firm Qualys, which uncovered the flaws, reported earlier this month that 99% of vulnerable devices were still using an old version of the firmware. In part, that's because many Internet-connected devices -- and especially cameras used for surveillance purposes -- tend to be plugged in and left to run. "Security patches for hardware devices like routers, printers and cameras are often overlooked," said Ducklin, despite the fact that many of these devices tend to have built-in Web servers.

What's the risk? "Always-on devices like routers and cameras are typically part of your security infrastructure, so a compromise on one of them could facilitate the compromise of your whole network," he said, referring to the possibility that an attacker could load malicious code onto a vulnerable device, then use the device to distribute malware to other network-connected or Internet-connected devices. From a monitoring standpoint, meanwhile, businesses face a physical security threat if attackers are able to access surveillance cameras that monitor sensitive facilities, or if unscrupulous competitors access documents stored by Internet-connected multi-function printers.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Faye Kane, homeless brain
50%
50%
Faye Kane, homeless brain,
User Rank: Apprentice
5/26/2013 | 1:07:11 AM
re: D-Link Camera Security Flaw: Upgrade Now
==--
If you don't want to broadcast the default PW, then don't. But don't lie to people. The default PW for d-link is actually
:?*

-faye kane
sexiest astrophysicist you'll ever see naked
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.