D-Link Cloud Camera Flaw Gives Hackers Access to Video Stream

Ezzeldin Tahoun
Published in PwnPizza
May 26, 2019

Research released in the last month describes a critical vulnerability in the D-Link DCS-2132L WiFi camera that would allow an unauthorized attacker to access audio and video packets from a victim’s device, resulting in privacy issues.

Why is it important?

Many people use WiFi cameras to improve the security of their homes or private property. This type of vulnerability has the opposite effect: it worsens security and could result in loss of privacy.

The DCS-2132L WiFi camera is one of D-Link’s most popular models and is available for sale at large retailers and online [1]. According to the research released by ESET [2], multiple vulnerabilities allow attackers to intercept and view the video streams of this camera model, which poses critical privacy issues and dangers to its users.

Who is affected?

All users of the D-Link DCS-2132L model are affected. Although no incidents exploiting this vulnerability have been reported and performing such an attack is not trivial, a Shodan search last month still found close to 1,600 DCS-2132L cameras around the world exposed on port 80 [2]. These users are more vulnerable to a potential attack. In addition, the D-Link DCS-2132L camera is still available on the market.

What impact might it have on people?

Attackers could play the audio and video streams of a user’s home, office, neighbourhood, etc. This means any sensitive information could be monitored by attackers. For example, if a camera was used to monitor kids, the attacker could be watching their daily activities too. Attackers could also tell if the owner is on vacation, which could lead to robbery and other dangers.

What were the causes?

The root cause of the vulnerability is the ability to initiate a Man-in-the-Middle attack. The client viewer app connects to the camera through a cloud proxy server on port 2048 [2]. Video packets are transmitted through a Transmission Control Protocol (TCP) tunnel over both connections (between the camera and the proxy server, and between the proxy server and the client). Parts of this tunnel lacked encryption, exposing sensitive data such as IP address requests, audio and video streams, and other information about the camera [2].

Moreover, the vulnerability also traces back to D-Link’s use of the open-source Boa web server. In particular, the code that handles HTTP requests contains a condition under which any incoming request is elevated to admin level as long as it comes from 127.0.0.1 [2]. This means that a potential attacker could make any HTTP request and gain access to the device.
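The loopback-trust pattern described above, shown beside a hardened check. This is an added example, not Boa's or D-Link's actual code; the `struct request` fields, the function names and the sample password are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request record; field names are assumptions for this example. */
struct request {
    const char *peer_ip;   /* source address as seen by the web server */
    const char *password;  /* credential sent with the request, or NULL */
};

/* Constructed sample secret standing in for the camera's admin password. */
static const char ADMIN_PASSWORD[] = "constructed-sample-secret";

static bool from_loopback(const struct request *r) {
    struct in_addr a;
    return inet_pton(AF_INET, r->peer_ip, &a) == 1 &&
           a.s_addr == htonl(INADDR_LOOPBACK);   /* exactly 127.0.0.1 */
}

/* Compare every byte instead of stopping at the first mismatch. */
static bool secret_equal(const char *given, const char *expected) {
    if (given == NULL) return false;
    size_t glen = strlen(given), n = strlen(expected);
    unsigned char diff = (unsigned char)(glen != n);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(given[i < glen ? i : 0] ^ expected[i]);
    return diff == 0;
}

/* Pattern the article describes: a loopback source is elevated to admin. */
bool is_admin_loopback_trust(const struct request *r) {
    if (from_loopback(r))
        return true;                       /* no credential check at all */
    return secret_equal(r->password, ADMIN_PASSWORD);
}

/* Hardened: the source address never substitutes for credentials. */
bool is_admin_hardened(const struct request *r) {
    return secret_equal(r->password, ADMIN_PASSWORD);
}

int main(void) {
    /* Constructed request: arrives from 127.0.0.1 with no credentials. */
    struct request tunnelled = { "127.0.0.1", NULL };
    printf("loopback-trust=%d hardened=%d\n",
           is_admin_loopback_trust(&tunnelled), is_admin_hardened(&tunnelled));
    return 0;
}
```

A source address only says where the last hop came from, so any service on the device that relays traffic to the web server inherits whatever trust is attached to 127.0.0.1.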

With the above flaws, a Man-in-the-Middle attacker is able to intercept network traffic and use the TCP connection data on port 2048 to see the HTTP requests for the video and audio packets [2]. The attacker can then merge the video packets and data together and play them. In addition, since the attacker is able to make HTTP requests from localhost, he or she can access the camera’s web interface through hxxp://127.0.0.1:RANDOM_PORT [2]. Similarly, a POST request allows the attacker to replace the firmware with a back-doored one.

How might similar problems be prevented in the future?

An obvious way to prevent a man-in-the-middle attacker from opening intercepted video packets, or at least to make it more difficult, is to enforce strong encryption. For example, use the SSL/TLS protocol to secure data transmission.

Also, public-key authentication can be enforced at the endpoints, so that the endpoints have prior knowledge of who they should be communicating with, which could prevent communication with the man-in-the-middle.

The ESET team has informed D-Link of the vulnerabilities, and D-Link has responded that they would provide a follow-up. Some of the vulnerabilities, such as the web plugin, have been fixed by the manufacturer; however, the man-in-the-middle vulnerability still persists [2].

— — — — — — — — -

References:

[1] D-Link Cloud Camera Flaw Gives Hackers Access to Video Stream. https://threatpost.com/d-link-cloud-camera-flaw/144304

[2] D-Link camera vulnerability allows attackers to tap into the video stream. https://www.welivesecurity.com/2019/05/02/d-link-camera-vulnerability-video-stream/
