D-Link firmware flaws could allow IP video stream spying

Core Security researchers found hard-coded credentials and other flaws in firmware used in a variety of IP video cameras

If you run a bank and use an IP video camera from D-Link, you may want to pay attention to this.

A number of IP-based surveillance video cameras made by D-Link have firmware vulnerabilities that could allow an attacker to intercept the video stream, according to security researchers.

Core Security, a company based in Boston that specializes in vulnerability detection and research, published on Monday details of five vulnerabilities in D-Link's firmware, which is wrapped into at least 14 of its products.

D-Link makes a variety of Internet-connected cameras that it sells to businesses and consumers. The cameras can record images and video and be controlled through Web-based control panels. Live feeds can be viewed on some mobile devices.

One of the vulnerable models, the DCS-5605/DCS-5635, has a motion-detection feature, which D-Link suggests in its marketing materials would be good for banks, hospitals and offices.

Core Security's researchers found it was possible to access without authentication a live video stream via the RTSP (real time streaming protocol) as well as an ASCII output of a video stream in the affected models. RTSP is an application-level protocol for transferring real-time data, according to the Internet Engineering Task Force.

The researchers also found a problem with the web-based control panel that would allow a hacker to input arbitrary commands. In another error, D-Link hard-coded login credentials into the firmware which "effectively serves as a backdoor, which allows remote attackers to access the RTSP video stream," Core Security said in its advisory.

The technical details are described in a post in the Full Disclosure section of Seclists.org, along with a list of the known affected products, some of which have been phased out by D-Link.

Core Security notified D-Link of the problem on March 29, according to a log of the two companies' interaction included in the posting on Full Disclosure. The log, written by Core, contains interesting details of how the two companies corresponded and apparently had a couple of disagreements.

According to Core, D-Link said it had an "unpublished bounty program for security vendors." Many companies have bug programs that reward researchers with cash or other incentives for finding security issues in their products and informing them before publicly releasing the details.

Around March 20, D-Link requested that Core Security sign a "memo of understanding" as part of the program, which Core rejected. The terms of the memo were not described. Core told D-Link "that receiving money from vendors may bias the view of the report."

The two companies had another minor run-in. D-Link told Core that it would release the patches and guidance to fix the issues on the D-Link Support Forum. D-Link would then wait a month before making a public announcement.

Core Security didn't like that suggestion. Last Wednesday, Core asked D-Link "for a clarification regarding the D-Link release date and notifies that releasing fixes to a privileged closed group and/or a closed forum or list is unacceptable."

D-Link's forum does have a login field, but it appears that anyone can view many of the posts without registering. D-Link came back a day later and said that patches are ready and would be posted onto its web site "over the next few days," Core wrote.

D-Link did not immediately respond to requests for comment. It was unclear from the company's support forum if the firmware updates had been publicly posted yet.

Core Security credited its researchers Francisco Falcon, Nahuel Riva, Martin Rocha, Juan Cotta, Pablo Santamaria and Fernando Miranda with finding the problems.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Core Securityconsumer electronicssecurityD-LinkExploits / vulnerabilities

More about DCSD-Link AustraliaInternet Engineering Task Force

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place