ESET unearths security vulnerabilities in D-Link cloud camera

According to the latest ESET IoT research, the D-Link DCS-2132L cloud camera suffers from multiple security vulnerabilities that can open the door to unauthorized actors. Based on disclosed information, the manufacturer has mitigated some of the reported vulnerabilities, yet others still loom.

“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” describes ESET Researcher Milan Fránik, based at the ESET Research Lab in Bratislava.

Another serious issue found with the camera was hidden in the “myDlink services” web browser plug-in. This is one of the forms of the viewer app available to the user; others include mobile apps, which were not part of our research.

The web browser plug-in manages the creation of the TCP tunnel and the live video playback in the client’s browser but is also responsible for forwarding requests for both the video and audio data streams through a tunnel, which listens on a dynamically generated port on localhost.

“The plug-in vulnerability could have had dire consequences for the security of the camera, as it made it possible for the attackers to replace the legitimate firmware with their own rigged or back-doored version,” says Fránik.

ESET has reported all the vulnerabilities found to the manufacturer. Some of the vulnerabilities – primarily in the myDlink plug-in – have since been mitigated and patched via update, yet issues with the unencrypted transmission persist.
