Firmware flaws in a range of IP cameras have opened the way for hackers to spy on surveillance footage, researchers have warned.
A number of models made by D-Link, including surveillance cameras like the DCS-3410, as well as a number of consumer devices, are affected by a host of flaws uncovered by researchers, US firm Core Security said.
D-Link’s technology is used by organisations from all kinds of high-profile industries, including banking and health, so such flaws could expose highly sensitive footage.
Amongst the five vulnerabilities uncovered is one that could allow a hacker to access the camera’s video stream via HTTP, affecting a range of consumer devices. Another could let an attacker access the video stream via RTSP (Real Time Streaming Protocol), and that affects all devices listed by Core in its advisory.
One of the other vulnerabilities could let hackers play around with cameras, sending arbitrary commands from the admin web interface.
One of the more bizarre hacks shown in a Core proof of concept could let the attackers look at the ASCII output showing the “luminance” of a camera’s footage. Below is an image of a coffee pot video stream as seen in the ASCII output, and below it is the real image:
D-Link was informed of the flaws on 19 March, promising patches will be ready imminently. It had not responded to a request for comment at the time of publication.
Core also found flaws in Vivotek IP cameras, which also opened up access to the video stream via RTSP, but not over HTTP.
The security firm tried to contact Vivotek about the flaws in early March, but has not yet received a response.
Vivotek had not responded to a request for comment at the time of publication.
UPDATE:
D-Link provided TechWeek with the following statement on 1 May: “Security is of the utmost importance to D-Link across all product lines, including surveillance, networking, storage, and entertainment solutions. After being alerted to the vulnerabilities by CORE Security, D-Link worked quickly and diligently to create patches for the affected cameras. The beta firmware patches are available now and can be found at www.dlink.com/uk/support A full release of the firmware will be available in approximately 30 days at www.dlink.com/uk/support.”
Are you a security expert? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…