Dubai: According to the latest ESET IoT research, D-Link cloud camera DCS-2132L suffers from multiple security vulnerabilities, which can open the door to unauthorized actors. Based on disclosed information, the manufacturer mitigated some of the reported vulnerabilities, yet others still loom.
“The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” describes ESET Researcher Milan Fránik, based at the ESET Research Lab in Bratislava.
Another serious issue found with the camera was hidden in the “myDlink services” web browser plug-in. This is one of the forms of the viewer app available to the user; others include mobile apps, which were not part of our research.
The web browser plug-in manages the creation of the TCP tunnel and the live video playback in the client’s browser but is also responsible for forwarding requests for both the video and audio data streams through a tunnel, which listens on a dynamically generated port on localhost.
“The plug-in vulnerability could have had dire consequences for the security of the camera, as it made it possible for the attackers to replace the legitimate firmware with their own rigged or back-doored version,” says Fránik.
ESET has reported all the vulnerabilities found to the manufacturer. Some of the vulnerabilities – primarily in the myDlink plug-in – have since been mitigated and patched via update, yet issues with the unencrypted transmission persist.
For a more detailed description of the vulnerabilities and possible attack scenarios, read the research piece “D-Link camera vulnerability allows attackers to tap into the video stream” on ESET news site WeLiveSecurity.com.
-Ends-
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
For further information:
Vistar Communications
PO Box 127631
Dubai, UAE
E-Mail: hazem@vistarmea.com
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.
