Posted on May 3, 2019 at 6:15 PM
The warning from security researchers is clear: if you are using D-Link’s consumer-grade wifi camera, you should not use its remote access feature when the camera is in a sensitive area of your home or workplace. D-Link has only been able to “partially” fix the flaws that affect its consumer wifi cameras.
These flaws allow attackers to intercept the video stream and view it just as the owner would. The researchers also pointed out that attackers could manipulate the device’s firmware, which in some cases is an even bigger problem than being able to view the feed.
Vulnerability to MitM attacks at the forefront of the bugs
Researchers at ESET found a lack of encryption between the device and D-Link’s cloud service, and between the cloud service and the client-side app that D-Link designed for viewing the camera’s feed.
The researchers found that the viewer app and the camera communicate via a proxy on port 2048, using a custom tunneling protocol designed by D-Link and built on top of TCP. The report, written by Milan Franik and Milos Cermak, states that, unfortunately, only part of the traffic that runs through this channel is encrypted.
The unencrypted parts of the traffic, they go on to say, are quite important: requests for the camera’s IP and MAC addresses, version information, the video and audio streams, and a good deal of other information about the camera all pass through the tunnel in the clear.
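As an added example (not from the ESET report or D-Link’s own code), the Python script below sketches a passive check a defender could run over captured payloads on the port 2048 tunnel: it flags payloads that look unencrypted by looking for an MJPEG frame marker, a MAC address, an HTTP request line, or low byte entropy. The packet tuples, the placeholder CGI path and the regexes are assumptions; nothing here reflects the real D-Link tunnel format.

```python
import math
import re

TUNNEL_PORT = 2048  # port the ESET report says the viewer app and camera talk over
JPEG_SOI = b"\xff\xd8\xff"                                      # start of an MJPEG frame
MAC_RE = re.compile(rb"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")  # MAC address in the clear
HTTP_RE = re.compile(rb"^(?:GET|POST|HTTP/1\.[01]) ", re.M)    # HTTP request/response line

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain text well below."""
    n = len(data) or 1
    freqs = [data.count(bytes([b])) / n for b in set(data)]
    return -sum(p * math.log2(p) for p in freqs)

def plaintext_indicators(payload: bytes) -> list:
    """Names of the plaintext signs found in one tunnel payload (empty if none)."""
    hits = []
    if JPEG_SOI in payload:
        hits.append("jpeg-frame")
    if MAC_RE.search(payload):
        hits.append("mac-address")
    if HTTP_RE.search(payload):
        hits.append("http-request")
    if len(payload) >= 64 and shannon_entropy(payload) < 6.0:
        hits.append("low-entropy")
    return hits

def flag_tunnel_packets(packets) -> list:
    """(src_ip, dst_port, payload) tuples -> (src_ip, hits) for port-2048 payloads that look unencrypted."""
    alerts = []
    for src, dport, payload in packets:
        hits = plaintext_indicators(payload) if dport == TUNNEL_PORT else []
        if hits:
            alerts.append((src, hits))
    return alerts

# Constructed sample payloads; not real captures of the D-Link tunnel.
SAMPLE_PACKETS = [
    ("192.0.2.10", 2048, b"GET /placeholder/status.cgi HTTP/1.1\r\nHost: cam\r\n\r\n"),
    ("192.0.2.10", 2048, b"mac=00:11:22:33:44:55&fw=1.0\r\n"),
    ("192.0.2.10", 2048, b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(range(256)) * 2),
    ("192.0.2.10", 2048, b"version=1.0;" * 6),
    ("192.0.2.10", 2048, bytes((i * 73 + 41) % 256 for i in range(512))),  # stands in for ciphertext
    ("192.0.2.10", 443, b"GET / HTTP/1.1\r\n"),  # not the tunnel port, ignored
]

if __name__ == "__main__":
    for src, hits in flag_tunnel_packets(SAMPLE_PACKETS):
        print(f"{src}: plaintext in tunnel ({', '.join(hits)})")
```

The entropy threshold is a heuristic: short plaintext payloads can still score below it only when long enough to measure, so the signature checks carry most of the weight on small packets.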
They traced the bug to D-Link’s use of the open-source Boa web server, which, while customized, is still not the most secure software for running something as important as a security camera. After all, the project was abandoned in 2005, which is the stone age in internet security terms. No matter how thorough the customization, a web server of that vintage will always remain vulnerable simply because of how older architecture worked.
The second bug allows firmware changes
The ESET researchers found another bug that allowed attackers to upload rogue firmware updates to the device itself. The bug was found in the browser plugin created by D-Link called “MyDlink Services.” The plugin allows users to view the camera without using the app, and the bug only manifests itself while a user is live-streaming content through the plugin.
The researchers explained that the plugin manages the TCP tunnel that allows live video playback in the browser, and it is also responsible for forwarding requests for video and audio data. This is all done via a tunnel that listens on a dynamically generated port on localhost, and it is during this activity that a potential attacker can gain access to the camera’s interface with extreme ease.
All they need to do is open the hxxp://127.0.0.1:RANDOM_PORT address and they will have full access. It astounded the researchers that the tunnel was made available to the entire operating system, allowing any user or program to reach the camera’s web interface with such a simple request.
The end game would be an attacker uploading firmware that includes a backdoor, giving them easy access to the camera and its functions from then on. Additional bugs were identified involving port 80, which is normally used for HTTP traffic.
All these vulnerabilities were disclosed to D-Link by the researchers on 22nd August 2018, and D-Link has managed to address some of the issues. The researchers say the fixes are not comprehensive enough to warrant a clean bill of health.
Intercepting the video and audio streams is still possible, as is uploading rogue firmware. The plugin bug, however, was fixed in its entirety. ESET recommends that users make sure port 80 is not exposed to the public internet, as this would have severe consequences should they become the target of an attack.