Password Disclosure in D-Link Surveillance Cameras (CVE-2012-4046)
December 12, 2012
Many people are using the popular D-Link network cameras available at Best Buy, Office Depot, Staples and amazon.com, expecting a private video feed to their home or office. However, this may not be the reality. In recent research, I exposed a critical security flaw in the way D-Link’s DCS-9xx Series IP cameras perform authentication which puts users at risk of eavesdroppers wanting to peer into their private lives or gather intelligence about a target organization. The flaw was identified during the operation of the camera’s setup wizard. In general, setup wizards are meant to provide users a quick and easy way to configure new devices, such as routers, printers, and several others, including this particular series of network cameras manufactured by D-Link. These wizards will commonly ask for a username and password before allowing the user to proceed in configuring the device. In order to accomplish this, the D-Link Setup Wizard will first send an anonymous request to the camera to retrieve its current password to then validate the user supplied password. However, the camera does not authenticate the requestor during the password request, so anyone (authorized or unauthorized) can mimic the wizard and send the same request, tricking the camera into giving up its password – that’s a problem. Maintaining a live video feed to a target organization or residence can obviously be very useful to an attacker. Common use cases for these cameras range from home and business surveillance to baby monitors. I reported the vulnerability to D-Link on June 14, 2012, and while they do claim to have a fix, new firmware has not yet been published at the time of this writing.
Using the D-Link Setup Wizard, the wizard will first perform an initial discovery of relevant IP cameras on the local LAN or subnet. Then, the user will be presented with a list of configurable devices discovered on the network. Any device may then be selected for an easy step-by-step configuration (example below).
In the case of the aforementioned series of D-Link cameras, the discovery mechanism is accomplished by sending out a UDP-based broadcast packet from the user’s computer. Broadcast packets, by definition, will be received by all systems on the same subnet. Any DCS-9xx series cameras that “hear” this initial discovery broadcast will respond with their camera attributes (e.g., hostname, device ID, etc.) via their own UDP-based broadcast. Again, the camera’s broadcast response will be received by all systems on the same subnet, [potentially] including the attacker who cracked your wireless password sitting in the parking lot, the visitors in your conference room, the social engineer who found an empty cubicle and set up shop, or the hacker who’s also logged into your system from the comfort of his own home.
Testing was conducted against the D-Link DCS-932L using the latest firmware (v1.02). No firmware updates are currently available to fix this vulnerability.