Researchers have discovered a critical vulnerability in a D-Link cloud camera that lets attackers hijack and intercept the camera to gain access to its live video stream and recorded videos, because the channel between the camera and the cloud, and between the cloud and the client-side viewer app, is not encrypted.
Communication between the viewer app and the camera is established through a proxy server using a TCP tunnel, and only part of the traffic passing through that tunnel is encrypted. This flaw allows an attacker in a man-in-the-middle position to intercept the connection and spy on the victim's video stream.
The rest of the sensitive content, including the camera's IP and MAC addresses, version information, the video and audio streams, and extensive camera information, passes through the tunnel unencrypted.
The vulnerability lies in D-Link's customized version of the open-source boa web server, in the source file request.c, which handles HTTP requests to the camera. All incoming HTTP requests handled by this file are elevated to admin level, giving an attacker complete access to the device.
According to ESET Research, “No authorization is
needed since the HTTP requests to the camera’s web server are automatically
elevated to admin level when accessing it from a localhost IP (viewer app’s
localhost is tunneled to camera localhost).”
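To make the localhost-elevation problem concrete, the following is an added example, not D-Link's or boa's code and not a reproduction of request.c. It models a request handler that grants admin to any request arriving from 127.0.0.1, beside a hardened handler that ignores the peer address and relies on presented credentials only. The credential string, the external address 203.0.113.7, and the via_tunnel helper are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Privilege levels the hypothetical request handler can assign. */
enum priv { PRIV_NONE = 0, PRIV_ADMIN = 2 };

/* Minimal model of an incoming HTTP request as the camera's web server
 * sees it.  Constructed for illustration; this is not boa's request.c. */
struct request {
    const char *peer_ip;        /* source address of the TCP connection */
    const char *authorization;  /* Authorization header value, or NULL */
};

/* Hypothetical credential check.  The expected value is a constructed
 * placeholder (base64 of "admin:secret"); a real product would verify a
 * salted password hash or a session token instead. */
static int credentials_valid(const char *auth)
{
    return auth != NULL && strcmp(auth, "Basic YWRtaW46c2VjcmV0") == 0;
}

/* Vulnerable pattern: the handler treats the peer address as proof of
 * identity.  Any connection that appears to come from loopback is
 * promoted to admin without presenting credentials. */
int vulnerable_privilege(const struct request *r)
{
    if (strcmp(r->peer_ip, "127.0.0.1") == 0)
        return PRIV_ADMIN;                 /* "it's local, so it must be us" */
    return credentials_valid(r->authorization) ? PRIV_ADMIN : PRIV_NONE;
}

/* Hardened pattern: the peer address grants nothing.  Privilege comes
 * only from credentials the requester actually presents, so it no longer
 * matters which interface the request arrived on. */
int hardened_privilege(const struct request *r)
{
    (void)r->peer_ip;                      /* deliberately ignored */
    return credentials_valid(r->authorization) ? PRIV_ADMIN : PRIV_NONE;
}

/* Models the tunnel endpoint on the camera: whatever the viewer app (or
 * an attacker in the path) sends is delivered to the web server from
 * 127.0.0.1, so the original source address is lost. */
static struct request via_tunnel(const struct request *remote)
{
    struct request local = *remote;
    local.peer_ip = "127.0.0.1";
    return local;
}

typedef int (*handler_fn)(const struct request *);

/* Evaluate a request from an external address that reaches the camera
 * through the tunnel.  'auth' may be NULL for an unauthenticated request. */
int privilege_through_tunnel(handler_fn handler, const char *auth)
{
    struct request remote = { "203.0.113.7", auth };   /* constructed external peer */
    struct request local = via_tunnel(&remote);
    return handler(&local);
}

/* Same request delivered directly, without the tunnel, for comparison. */
int privilege_direct(handler_fn handler, const char *auth)
{
    struct request remote = { "203.0.113.7", auth };
    return handler(&remote);
}

int main(void)
{
    printf("unauthenticated, via tunnel, vulnerable handler: %d\n",
           privilege_through_tunnel(vulnerable_privilege, NULL));   /* 2: admin */
    printf("unauthenticated, via tunnel, hardened handler:   %d\n",
           privilege_through_tunnel(hardened_privilege, NULL));     /* 0: none */
    printf("unauthenticated, direct,     vulnerable handler: %d\n",
           privilege_direct(vulnerable_privilege, NULL));           /* 0: none */
    printf("valid credentials, via tunnel, hardened handler: %d\n",
           privilege_through_tunnel(hardened_privilege, "Basic YWRtaW46c2VjcmV0")); /* 2 */
    return 0;
}
```

Compile with `cc -o demo demo.c` and run it. The vulnerable handler reports admin for an unauthenticated request as soon as it has passed through the tunnel, because the server can no longer distinguish a remote viewer, or an attacker sitting in the path, from a local process; the hardened handler gives the same answer regardless of the peer address, which is the property the camera's check lacks.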
What's more, this weakness lets attackers replace the genuine firmware with their own modified or backdoored version.
An attacker positioned in the network traffic between the viewer app and the cloud, or between the cloud and the camera, can see the HTTP requests for the video and audio packets in the data stream of the TCP connection on the server side, and can therefore replay and reconstruct these captured packets at any time and from anywhere.