D-Link Camera Vulnerability let Hackers Hijack the Camera and Tap the Video Streaming

Critical vulnerability in D-Link cloud camera allows attackers to hijack and intercept the camera to see the live video streaming and recorded videos.

Researchers discovered that the D-Link camera communicate over unencrypted channel between the camera and the cloud and between the cloud and the client-side viewer app.

This flaw could allows an attacker to perform a Man-in-the-Middle attack and intercept the connection to spy on victims’ video streams.

The communication request between app and the camera establish over proxy server using a TCP tunnel where the only place the traffic is encrypted.

But some of the other sensitive content such as camera IP and MAC addresses, version information, video and audio streams, and extensive camera info are passing through the unencrypted tunnel.

The vulnerability resides in D-Link customized open source boa web server source code file called request.c is handling the HTTP request to the camera.

In this case, all the incoming HTTP request that handle by this file elevated to admin allow attacker to gain complete device access.

Another vulnerability discovered in the web browser plug-in called “mydlink services” that helps users to play the live playback via client web browser and it also manages the creation of the TCP tunnel where the plug-in forwarding requests for the video and audio data streams. refer the video demonstration blow,

According to ESET research, The tunnel is made available for the whole operating system, so any application or user on the client’s computer can simply access the camera’s web interface by a simple request (only during the live video streaming) to hxxp://127.0.0.1:RANDOM_PORT/.

“No authorization is needed since the HTTP requests to the camera’s web server are automatically elevated to admin level when accessing it from a localhost IP (viewer app’s localhost is tunneled to camera localhost).”

This vulnerability let hackers to replace the legitimate firmware with their own rigged or backdoored version.

An attacker who is sitting in the middle of the network traffic between the viewer app and the cloud or between the cloud and the camera, can see the HTTP requests for the video and audio packets using the data stream of the TCP connection on the server.

Later attackers can reply and reconstruct this captured packets at any time and the same way attacker obtain the current audio or video stream from that camera using following steps,

  1. Identify the traffic that represents video streams. This traffic consists of multiple blocks of data, each block having a specific header and defined length.
  2. Separate the data parts from the headers.
  3. Finally, the parts of the video are merged into one file.

Playing the video files obtained this way can be a little tricky as they are in a raw streaming format instead of a container file format. However, some media players can handle these raw formats if run with the appropriate command line switches ESET said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

ATM Skimming Attack – Scammers Hijack ATM’s built-in Security Camera to Steal User’s PIN

4 Million Android Users Infected by Malicious Beauty Camera App From Google Play that Steals Personal Pictures

28-year-old Romanian Woman Pleads Guilty for Hacking 126 Computers Associated With Surveillance Cameras

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

11 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

14 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

19 hours ago