D-Link camera can be hijacked to become a spy-cam

The company is working on a patch

D-Link is working to fix a weakness that allows attackers to take over remote control of one of its cameras so they can eavesdrop, and the company is checking whether others of its products have similar vulnerabilities.

The vulnerability allows for the injection of malicious code and forces a password reset, which means attackers can gain remote access to the camera’s feed, thereby enabling eavesdropping, according to Senrio, a startup that monitors devices, scores how vulnerable they are and alerts when it detects suspicious behavior.

It also means that regardless of how strong a password users set up, it can be overridden.

The camera – D-Link DCS-930L Network Cloud Camera – might not be the only device affected by the vulnerability, a spokesperson for Senrio says. “Senrio has also agreed to evaluate a number of additional D-link products to assess if the vulnerability can be found in the firmware in those items,” the spokesperson said in an email.

In response to questions about whether it knows about the problem and what customers should do D-Link issued this statement: “Security is the highest priority for D-Link and we are proactively working with the source of the report since receiving the inquiry to ensure that any vulnerabilities discovered are addressed.

“Once information and testing is completed, additional information will be made available to customers online at www.mydlink.com.”

Later the company sent an addendum: “We are continuing to monitor D-Link’s complete product portfolio to ensure that any vulnerabilities discovered are addressed.”

The weakness is in a service in the cameras firmware that processes remote commands, according to Senrio, and in working with D-Link has agreed not to detail the vulnerability nor to release the exploit code until after the camera maker issues a patch, the spokesperson said.

Here’s what Senrio did say about the problem:

“This vulnerability can be exploited with a single command which contains custom assembly code and a string crafted to exercise the overflow. The function first copies the assembly code to a hard-set executable address. Next, the command triggers the stack overflow and sets the value of the functions return address to the address of the attacker’s assembly code. The vulnerability allows code injection and causes a password reset.”

Senrio says it notified D-Link before making its discovery public, but won’t say when, nor will it detail what its interactions have been since. “Out of respect for D-link, we are following their wishes to not disclose the timeline,” Senrio’s spokesperson says.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags D-Link

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?