Multiple vulnerabilities in D-Link cloud camera could allow attackers to spy victims’ content

• The flaws include unencrypted cloud communication, insufficient cloud message authentication, and unencrypted LAN communication.
• Some of the vulnerabilities in D-Link DCS 2132L cloud camera have been mitigated.

A series of vulnerabilities have been discovered in D-Link DCS 2132L cloud camera. The flaws include unencrypted cloud communication, insufficient cloud message authentication, and unencrypted LAN communication.

Impacts of MitM attack

One of the serious issues in the D-Link DCS 2132L cloud camera can open doors to Man-in-the-Middle (MitM) attacks, thus allowing attackers to view the recorded videos.

Researchers at ESET discovered that the camera transmitted a recorded or streaming video in an unencrypted format to the cloud and subsequently to the client-side viewer app. This allowed the intruders to spy on victims’ videos.

“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” said ESET researchers in a blog post.

By intercepting the communication, the attackers could steal sensitive content such as camera IP and MAC addresses, version information, video and audio streams, and other details of the device.

What is the other major issue?

Researchers also spotted another issue in the device’s ‘mydlink services’ web browser plug-in. The flaw can allow any application or user on the client’s computer to simply access the camera’s web interface without any authorization. It can also allow the attacker to replace the legitimate firmware with a fake backdoor version.

What is the update?

The issues were promptly reported on May 2, 2019. Some of the vulnerabilities have been mitigated. Current users of the device are advised to make sure that Port 80 isn’t exposed to the public internet. The users should reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company.