April 30, 2013, 2:50 AM — If you run a bank and use an IP video camera from D-Link, you may want to pay attention to this.
A number of IP-based surveillance video cameras made by D-Link have firmware vulnerabilities that could allow an attacker to intercept the video stream, according to security researchers.
Core Security, a company based in Boston that specializes in vulnerability detection and research, published on Monday details of five vulnerabilities in D-Link's firmware, which is wrapped into at least 14 of its products.
D-Link makes a variety of Internet-connected cameras that it sells to businesses and consumers. The cameras can record images and video and be controlled through Web-based control panels. Live feeds can be viewed on some mobile devices.
One of the vulnerable models, the DCS-5605/DCS-5635, has a motion-detection feature, which D-Link suggests in its marketing materials would be good for banks, hospitals and offices.
Core Security's researchers found it was possible to access without authentication a live video stream via the RTSP (real time streaming protocol) as well as an ASCII output of a video stream in the affected models. RTSP is an application-level protocol for transferring real-time data, according to the Internet Engineering Task Force.
The researchers also found a problem with the web-based control panel that would allow a hacker to input arbitrary commands. In another error, D-Link hard-coded login credentials into the firmware which "effectively serves as a backdoor, which allows remote attackers to access the RTSP video stream," Core Security said in its advisory.
The technical details are described in a post in the Full Disclosure section of Seclists.org, along with a list of the known affected products, some of which have been phased out by D-Link.
Core Security notified D-Link of the problem on March 29, according to a log of the two companies' interaction included in the posting on Full Disclosure. The log, written by Core, contains interesting details of how the two companies corresponded and apparently had a couple of disagreements.
According to Core, D-Link said it had an "unpublished bounty program for security vendors." Many companies have bug programs that reward researchers with cash or other incentives for finding security issues in their products and informing them before publicly releasing the details.
Around March 20, D-Link requested that Core Security sign a "memo of understanding" as part of the program, which Core rejected. The terms of the memo were not described. Core told D-Link "that receiving money from vendors may bias the view of the report."