
Password Disclosure in D-Link Surveillance Cameras (CVE-2012-4046)

December 12, 2012

Many people are using the popular D-Link network cameras available at Best Buy, Office Depot, Staples and amazon.com, expecting a private video feed to their home or office. However, this may not be the reality. In recent research, I exposed a critical security flaw in the way D-Link’s DCS-9xx Series IP cameras perform authentication, which puts users at risk from eavesdroppers wanting to peer into their private lives or gather intelligence about a target organization.

The flaw was identified during the operation of the camera’s setup wizard. In general, setup wizards are meant to provide users a quick and easy way to configure new devices, such as routers, printers, and several others, including this particular series of network cameras manufactured by D-Link. These wizards will commonly ask for a username and password before allowing the user to proceed in configuring the device. To accomplish this, the D-Link Setup Wizard first sends an anonymous request to the camera to retrieve its current password, and then validates the user-supplied password against it. However, the camera does not authenticate the requestor during the password request, so anyone (authorized or unauthorized) can mimic the wizard and send the same request, tricking the camera into giving up its password – that’s a problem. Maintaining a live video feed to a target organization or residence can obviously be very useful to an attacker. Common use cases for these cameras range from home and business surveillance to baby monitors. I reported the vulnerability to D-Link on June 14, 2012, and while they do claim to have a fix, new firmware has not yet been published at the time of this writing.

Exploitation

The D-Link Setup Wizard first performs an initial discovery of relevant IP cameras on the local LAN or subnet. The user is then presented with a list of configurable devices discovered on the network, and any device may be selected for an easy step-by-step configuration (example below).

[Image: D-Link 1, the setup wizard’s list of discovered devices]

In the case of the aforementioned series of D-Link cameras, the discovery mechanism is accomplished by sending out a UDP-based broadcast packet from the user’s computer. Broadcast packets, by definition, will be received by all systems on the same subnet. Any DCS-9xx series cameras that “hear” this initial discovery broadcast will respond with their camera attributes (e.g., hostname, device ID, etc.) via their own UDP-based broadcast. Again, the camera’s broadcast response will be received by all systems on the same subnet, [potentially] including the attacker who cracked your wireless password sitting in the parking lot, the visitors in your conference room, the social engineer who found an empty cubicle and set up shop, or the hacker who’s also logged into your system from the comfort of his own home.

Granted, the initial discovery only reveals the camera’s hostname, device ID and other mostly harmless attributes, but the D-Link wizard also uses the same mechanism to request the camera’s password in a separate broadcast request. This is the default behavior and design of the affected D-Link cameras. Now all your subnet guests, both authorized and unauthorized, can partake in the event. However, there’s no need to wait for a legitimate user to run the setup wizard; an attacker can request the password at any time while the camera is operating, via the D-Link Setup Wizard or via the “autopwn” script someone is bound to write after this disclosure. The password is admittedly encrypted “on the wire”, but the ActiveX control within the web-based setup wizard kindly decrypts it for you and leaves it in a JavaScript variable as a base64-encoded string, which is as good as plain text. You can retrieve the password with one line of JavaScript code. A proof of concept is illustrated below.

[Image: D-Link 2, proof of concept showing the decoded password]

Testing was conducted against the D-Link DCS-932L using the latest firmware (v1.02). No firmware updates are currently available to fix this vulnerability. 
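The root cause described above is a design choice: the wizard pulls the secret out of the device and compares it on the client, so anyone who can send the same request gets the secret, and the base64 encoding adds nothing. The following added example (not D-Link’s code and not the real wizard protocol; a constructed in-memory model of the message exchange) puts that flawed design next to a challenge-response design in which the device verifies an HMAC proof bound to a one-time nonce and the password never leaves it, so an observer on the broadcast domain learns nothing and cannot replay a captured proof. Class and message names are assumptions for the model.

```python
import base64
import hashlib
import hmac
import secrets

class FlawedCamera:
    # Constructed model of the design the post describes: the password goes to any requester.
    def __init__(self, password: str):
        self._password = password

    def handle(self, request: dict) -> dict:
        if request.get("op") == "get_password":
            # Nothing identifies or authenticates the requester here.
            return {"password": base64.b64encode(self._password.encode()).decode()}
        return {"error": "unknown op"}

def flawed_wizard_login(camera: FlawedCamera, supplied: str) -> bool:
    # The secret crosses the network; base64 is encoding, not protection.
    leaked = base64.b64decode(camera.handle({"op": "get_password"})["password"])
    return leaked.decode() == supplied

class HardenedCamera:
    # Challenge-response: the device checks a proof bound to a one-time nonce; the password never leaves it.
    def __init__(self, password: str):
        self._key = password.encode()
        self._pending = set()

    def handle(self, request: dict) -> dict:
        op = request.get("op")
        if op == "challenge":
            nonce = secrets.token_hex(16)
            self._pending.add(nonce)
            return {"nonce": nonce}
        if op == "auth":
            nonce = request.get("nonce", "")
            if nonce not in self._pending:
                return {"ok": False}  # unknown or already-used nonce: a replayed proof fails
            self._pending.discard(nonce)
            expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
            return {"ok": hmac.compare_digest(expected, request.get("proof", ""))}
        return {"error": "unknown op"}

def prove(password: str, nonce: str) -> str:
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()

def hardened_login(camera: HardenedCamera, supplied: str) -> bool:
    nonce = camera.handle({"op": "challenge"})["nonce"]
    return camera.handle({"op": "auth", "nonce": nonce, "proof": prove(supplied, nonce)})["ok"]
```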
