D-Link Cloud Camera Flaw gives access to video streams
D-Link has only partially patched critical flaws in its consumer WiFi camera that allow attackers to intercept and view recorded video and to tamper with the device's firmware, according to security researchers. The camera is D-Link's DCS-2132L cloud camera, popular with consumers and sold at big-box retailers and online.
The most serious of the vulnerabilities allows a man-in-the-middle (MitM) attack, according to ESET researchers, who discovered the bugs late last year. The problem stems from the lack of encryption of the video stream in transit between the camera and D-Link's cloud service, and again between the cloud and the user's client-side viewing app. The viewer app and the camera communicate via a proxy server on port 2048, using a TCP tunnel based on a custom D-Link tunneling protocol. Only part of the traffic running through these tunnels is encrypted; some of the most sensitive contents, such as requests for the camera's IP and MAC addresses, version information, the video and audio streams, and extensive camera information, travel without encryption.
The bug is traced to D-Link's use of a customized build of the open-source Boa web server. Boa is a small-footprint web server typically used in embedded applications, and its development was discontinued in 2005. The D-Link customization of Boa handles HTTP requests to the camera without encryption, and any HTTP request arriving from 127.0.0.1 is elevated to admin level, granting an attacker who can reach that interface full access to the device.
A MitM attacker who can intercept the network traffic can extract the data stream of the TCP connection to server port 2048, and from it the HTTP requests carrying the video and audio packets. Because those packets are unencrypted, the attacker can capture the streamed content, reconstruct it and replay it at any time, obtaining the camera's current audio or video stream.
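The interception described above works only because the tunnel carries plaintext HTTP request lines next to its encrypted traffic. The following detector, an added example that is not ESET's or D-Link's code, scans a reconstructed TCP payload for cleartext HTTP requests and for byte windows whose entropy is too low to be ciphertext. The sample stream and the request paths in it (`/example/video.cgi`, `/example/config/macaddr`) are constructed placeholders, not the camera's real endpoints; the tunnel protocol's framing is not modelled, so this is a monitoring heuristic for a channel that is supposed to be fully encrypted, not a parser for the D-Link protocol.

```python
import math
import re

# Constructed sample of a reconstructed TCP payload sent over the port-2048
# tunnel. The byte ramps stand in for the encrypted portion; the ASCII
# requests stand in for the unencrypted portion the article describes.
# The request paths are placeholders, not the camera's real endpoints.
SAMPLE_STREAM = (
    bytes(range(256)) * 2
    + b"GET /example/video.cgi HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    + bytes(range(255, -1, -1))
    + b"GET /example/config/macaddr HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
)

# Request-line pattern: method, absolute path, HTTP version, CRLF.
REQUEST_LINE = re.compile(
    rb"(GET|POST|HEAD|PUT|DELETE) (/[\x21-\x7e]*) HTTP/1\.[01]\r\n"
)

# Keywords taken from the article's list of content that travels unencrypted.
SENSITIVE_HINTS = ("video", "audio", "mac", "ip", "version", "info")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4-5 for ASCII text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_cleartext_requests(stream: bytes) -> list:
    """Return every plaintext HTTP request line found in a stream that should be encrypted."""
    findings = []
    for m in REQUEST_LINE.finditer(stream):
        path = m.group(2).decode("ascii", "replace")
        lowered = path.lower()
        findings.append({
            "offset": m.start(),
            "method": m.group(1).decode("ascii"),
            "path": path,
            "sensitive": any(hint in lowered for hint in SENSITIVE_HINTS),
        })
    return findings


def low_entropy_windows(stream: bytes, window: int = 64, threshold: float = 6.0) -> list:
    """Offsets of fixed-size windows whose entropy is too low to be ciphertext.

    Encrypted data fills a 64-byte window with ~64 distinct values (entropy 6.0);
    protocol text repeats characters and falls well below that.
    """
    return [
        off for off in range(0, len(stream) - window + 1, window)
        if shannon_entropy(stream[off:off + window]) < threshold
    ]


if __name__ == "__main__":
    for finding in find_cleartext_requests(SAMPLE_STREAM):
        flag = "SENSITIVE" if finding["sensitive"] else "plain"
        print(f"offset {finding['offset']}: {finding['method']} {finding['path']} [{flag}]")
    print("low-entropy windows at:", low_entropy_windows(SAMPLE_STREAM))
```

Run against a real capture, the request-line check is the decisive signal (a tunnel that is fully encrypted never yields a parseable `GET ... HTTP/1.1`), while the entropy windows give a coarse measure of how much of the channel is plaintext; both are cheap enough to run inline on a network sensor.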
Another vulnerability relates to D-Link's MyDlink Services web browser plugin, which lets camera owners view video without using the app. This flaw is exposed only while a user is live-streaming content to the plugin. The plugin manages the creation of the TCP tunnel and the live video playback in the client's browser, and it also forwards requests for the video and audio data streams through the tunnel, which listens on a dynamically generated port on localhost. During this window, a local attacker can reach the camera's web interface by opening hxxp://127.0.0.1:RANDOM_PORT/. The tunnel is exposed to the whole operating system, so any application or user on the client's computer can reach the camera's web interface with a simple request. An attacker could use this access to replace the legitimate firmware with a rigged or back-doored version.
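The two local-access problems above share one root cause: the camera's web server treats a loopback source address as proof of administrative identity, and the plugin's tunnel then hands that loopback path to every process on the client machine. The following added example, written for this page and not taken from Boa, D-Link or ESET, models that authorization decision in a small request handler, showing the flawed rule beside a hardened one that ignores the source address and requires credentials on every request. The `Request` class, `ACCOUNTS` store and the `/example/firmware` path are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical request object standing in for what an embedded HTTP server
# would hand to its handler; the field names are this example's own.
@dataclass
class Request:
    remote_addr: str
    path: str
    headers: dict = field(default_factory=dict)


def make_account(password: str, iterations: int = 100_000) -> dict:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def check_credentials(req: Request, accounts: dict) -> Optional[str]:
    """Validate HTTP Basic credentials; return the account's role or None."""
    header = req.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    account = accounts.get(user)
    if account is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
        return None
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), account["salt"], account["iterations"]
    )
    if hmac.compare_digest(candidate, account["digest"]):
        return account.get("role", "user")
    return None


def authorize_vulnerable(req: Request, accounts: dict) -> Optional[str]:
    """Models the flaw the article describes: a loopback origin is treated as admin.

    Any local process that can reach the tunnel port (as the plugin exposes it)
    inherits this trust without ever presenting a credential.
    """
    if req.remote_addr == "127.0.0.1":
        return "admin"
    return check_credentials(req, accounts)


def authorize_hardened(req: Request, accounts: dict) -> Optional[str]:
    """A source address is not an identity: every request must authenticate."""
    return check_credentials(req, accounts)


def basic_auth_header(user: str, password: str) -> dict:
    """Build the Authorization header a legitimate client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


# Constructed account store for the demonstration.
ACCOUNTS = {"admin": {**make_account("correct horse battery staple"), "role": "admin"}}


if __name__ == "__main__":
    local_no_creds = Request("127.0.0.1", "/example/firmware", {})
    print("vulnerable, loopback, no creds:", authorize_vulnerable(local_no_creds, ACCOUNTS))
    print("hardened,   loopback, no creds:", authorize_hardened(local_no_creds, ACCOUNTS))
    with_creds = Request("127.0.0.1", "/example/firmware",
                         basic_auth_header("admin", "correct horse battery staple"))
    print("hardened,   loopback, valid creds:", authorize_hardened(with_creds, ACCOUNTS))
```

The hardened variant does not need to know whether a request came through the plugin's tunnel, a proxy or the LAN; removing the address-based shortcut closes the local escalation regardless of which path delivered the request. The constant-time comparison and the dummy hash for unknown users keep the login check from leaking which usernames exist.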
D-Link has fixed some of the issues, but the fixes are not complete. According to D-Link, the MyDlink Services plugin is now secured. However, the most recent firmware available for download dates from November 2016 and fixes neither the vulnerability allowing malicious replacement of the camera's firmware nor the interception of audio and video streams. Owners should ensure port 80 on their router is not exposed to the public internet, and should reconsider remote access altogether if the camera monitors highly sensitive areas of their household or company.