D-Link IP Camera’s Unencrypted Cloud Infra, Vulnerable to MiTM Attacks
Cloud cameras (AKA IP Cameras) provide convenient and easy to use visual monitoring device for offices, houses, and shops of all sizes. It is slowly but surely replacing the bulky and complicated CCTV (closed-circuit television) systems, and for the right reason, primarily due to its easy expandability. However, since this kind of system is always online (it depends on network/Internet connection) compared to the closed system of the CCTV system. Nonetheless, IP cameras use its respective vendor’s cloud infrastructure, which provides first and foremost the capability to view footage through a mobile app and using a browser anywhere on the Internet.
Unfortunately for D-Link DCS-2132L IP camera, the very cloud infrastructure it is using came with a nasty vulnerability. ESET, a mainstream antivirus vendor and security firm reported in its official blog that the specific model uses an unencrypted communication link to its cloud infrastructure, and its LAN communication is also not encrypted. This makes the device vulnerable to Man-in-the-middle attacks, as anyone with the right tools can grab the packets off the wifi and Lan, making it the in-between system that captures all the information (in effect becomes vulnerable to espionage) during communication of the device to its admin/user.
“The viewer app and the camera communicate via a proxy server on port 2048, using a TCP tunnel based on a custom D-Link tunneling protocol. Unfortunately, only part of the traffic running through these tunnels is encrypted, leaving some of the most sensitive contents – such as the requests for camera IP and MAC addresses, version information, video, and audio streams, and extensive camera info – without encryption,” explained ESET Research.
The biggest mistake of D-Link is allowing the camera to grant “admin level” permissions to anyone that is communicating with it from 127.0.0.1, or the direct access to the system itself without authenticating first. This way, a man-in-the-middle attack can be installed, hence creating a middle stage where all camera footage can be accessed by someone else connecting through the cloud through port 2048. As per the claim of ESET, their researchers were able to extract videos under the H.264 and M-JPEG formats.
D-Link also has not made the official browser-plugin for the device secure. The D-Link browser plugin enables a remote user to connect with the camera’s data and audio steam as if the remote user is locally connected through the “mydlink services” app. Again, D-Link chose not to enable user credential authentication when connecting, hence a simple http://127.0.0.1:random_port is enough to connect to the camera anytime.
“The malicious firmware replacement is still possible via vulnerabilities in the custom D-Link tunneling protocol described earlier in this blog post. To achieve this, an attacker needs to modify the traffic in the tunnel by replacing the video stream GET request with a specific POST request that uploads and runs a bogus firmware “update”. We need to stress at this point that performing such an attack is non-trivial, as it would have to follow all the rules of the tunneling protocol, dividing the firmware file into blocks with specific headers and of a certain maximum length,” added the ESET report.