ID: IRCNE2013041831
Date: 2013-04-30
According to “ComputerWorld”, security researchers say that a number of IP-based surveillance video cameras made by D-Link have firmware vulnerabilities that could allow an attacker to intercept the video stream.
Core Security, a company based in Boston that specializes in vulnerability detection and research, published on Monday details of five vulnerabilities in D-Link's firmware, which is wrapped into at least 14 of its products.
D-Link makes a variety of Internet-connected cameras that it sells to businesses and consumers. The cameras can record images and video and be controlled through Web-based control panels. Live feeds can be viewed on some mobile devices.
One of the vulnerable models, the DCS-5605/DCS-5635, has a motion-detection feature, which D-Link suggests in its marketing materials would be good for banks, hospitals and offices.
Core Security's researchers found that, in the affected models, it was possible to access a live video stream via RTSP (Real Time Streaming Protocol), as well as an ASCII output of a video stream, without authentication. RTSP is an application-level protocol for transferring real-time data, according to the Internet Engineering Task Force.
The researchers also found a problem with the web-based control panel that would allow a hacker to input arbitrary commands. In another error, D-Link hard-coded login credentials into the firmware, which "effectively serves as a backdoor, which allows remote attackers to access the RTSP video stream," Core Security said in its advisory.
The technical details are described in a post in the Full Disclosure section of Seclists.org, along with a list of the known affected products, some of which have been phased out by D-Link.
Core Security notified D-Link of the problem on March 29, according to a log of the two companies' interaction included in the posting on Full Disclosure.