
Password Disclosure in D-Link Surveillance Cameras (CVE-2012-4046)

Many people are using the popular D-Link network cameras available at Best Buy, Office Depot, Staples and amazon.com, expecting a private video feed to their home or office. However, this may not be the reality. In recent research, I exposed a critical security flaw in the way D-Link’s DCS-9xx Series IP cameras perform authentication, which puts users at risk of eavesdroppers wanting to peer into their private lives or gather intelligence about a target organization. The flaw was identified during the operation of the camera’s setup wizard. In general, setup wizards are meant to provide users a quick and easy way to configure new devices, such as routers, printers, and several others, including this particular series of network cameras manufactured by D-Link. These wizards will commonly ask for a username and password before allowing the user to proceed in configuring the device. In order to accomplish this, the D-Link Setup Wizard first sends an anonymous request to the camera to retrieve its current password, and then validates the user-supplied password against it. However, the camera does not authenticate the requestor during the password request, so anyone (authorized or unauthorized) can mimic the wizard and send the same request, tricking the camera into giving up its password – that’s a problem. Maintaining a live video feed to a target organization or residence can obviously be very useful to an attacker. Common use cases for these cameras range from home and business surveillance to baby monitors. I reported the vulnerability to D-Link on June 14, 2012, and while they do claim to have a fix, new firmware has not yet been published at the time of this writing.

Exploitation

When the D-Link Setup Wizard is run, it first performs an initial discovery of relevant IP cameras on the local LAN or subnet. The user is then presented with a list of configurable devices discovered on the network, and any device may be selected for an easy step-by-step configuration (example below).

In the case of the aforementioned series of D-Link cameras, the discovery mechanism is accomplished by sending out a UDP-based broadcast packet from the user’s computer. Broadcast packets, by definition, will be received by all systems on the same subnet. Any DCS-9xx series cameras that “hear” this initial discovery broadcast will respond with their camera attributes (e.g., hostname, device ID, etc.) via their own UDP-based broadcast. Again, the camera’s broadcast response will be received by all systems on the same subnet, [potentially] including the attacker who cracked your wireless password sitting in the parking lot, the visitors in your conference room, the social engineer who found an empty cubicle and set up shop, or the hacker who’s also logged into your system from the comfort of his own home.

Granted, the initial discovery only reveals the camera’s hostname, device ID and other mostly harmless attributes, but the D-Link wizard also uses the same mechanism to request the camera’s password in a separate broadcast request. This is the default behavior and design of the affected D-Link cameras. Now all your subnet guests, both authorized and unauthorized, can partake in the event. However, there’s no need to wait for a legitimate user to run the setup wizard; an attacker can request the password at any time while the camera is operating, via the D-Link Setup Wizard or via the “autopwn” script someone is bound to write after this disclosure. Granted, the password is encrypted “on the wire”, but the ActiveX control within the web-based setup wizard kindly decrypts it for you and leaves it in a JavaScript variable as a base64-encoded string, which is as good as plain text. You can retrieve the password with one line of JavaScript code. A proof of concept is illustrated below.
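The root design error described above is that the device hands its secret to an unauthenticated requester so that the client can do the comparison. The simulation below is an added illustration written for this page, not D-Link's wizard or firmware code; the message types, field names and the challenge-response design are assumptions. It contrasts the page's flow (device discloses a base64-obfuscated password to anyone who asks) with a hardened flow in which the client proves knowledge of the password with an HMAC over a device-issued, single-use nonce, so an eavesdropper on the broadcast domain sees neither the password nor anything reversible into it.

```python
"""Simulated camera/setup-tool authentication flows (added example, not vendor code).

Constructed for this page: the 'vulnerable' camera answers a password request
from anyone and lets the client compare (the flaw described in the article);
the 'hardened' camera verifies an HMAC over a fresh nonce and never reveals
the password. Message formats and names are assumptions.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed sample secret; every message below is visible to the whole subnet.
CAMERA_PASSWORD = "s3cret-cam-pw"


class VulnerableCamera:
    """Discloses its stored password to any requester, as the page describes."""

    def __init__(self, password):
        self._password = password

    def handle(self, msg):
        if msg["type"] == "get_password":
            # base64 is encoding, not protection: anyone can reverse it.
            encoded = base64.b64encode(self._password.encode()).decode()
            return {"type": "password", "value": encoded}
        return {"type": "error"}


class HardenedCamera:
    """Never sends the password; checks an HMAC over a single-use nonce."""

    def __init__(self, password):
        self._password = password.encode()
        self._pending = set()  # nonces issued but not yet consumed

    def handle(self, msg):
        if msg["type"] == "challenge":
            nonce = secrets.token_hex(16)
            self._pending.add(nonce)
            return {"type": "nonce", "value": nonce}
        if msg["type"] == "auth":
            nonce = msg["nonce"]
            if nonce not in self._pending:      # unknown or replayed nonce
                return {"type": "auth_result", "ok": False}
            self._pending.discard(nonce)        # one proof per nonce
            expected = hmac.new(self._password, nonce.encode(), hashlib.sha256).hexdigest()
            ok = hmac.compare_digest(expected, msg["proof"])  # constant-time
            return {"type": "auth_result", "ok": ok}
        return {"type": "error"}


def run_vulnerable_flow(camera, typed_password):
    """Client fetches the stored password and compares it locally."""
    transcript = []
    req = {"type": "get_password"}
    resp = camera.handle(req)
    transcript += [req, resp]
    stored = base64.b64decode(resp["value"]).decode()
    return stored == typed_password, transcript


def run_hardened_flow(camera, typed_password):
    """Client proves knowledge of the password; the camera decides."""
    transcript = []
    req = {"type": "challenge"}
    resp = camera.handle(req)
    transcript += [req, resp]
    nonce = resp["value"]
    proof = hmac.new(typed_password.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    req2 = {"type": "auth", "nonce": nonce, "proof": proof}
    resp2 = camera.handle(req2)
    transcript += [req2, resp2]
    return resp2["ok"], transcript


def eavesdropper_learns_password(transcript, password):
    """True if a passive listener can read the password (raw or base64) from the exchange."""
    encoded = base64.b64encode(password.encode()).decode()
    blob = repr(transcript)
    return password in blob or encoded in blob


if __name__ == "__main__":
    ok, t = run_vulnerable_flow(VulnerableCamera(CAMERA_PASSWORD), CAMERA_PASSWORD)
    print("vulnerable: login ok =", ok, "| eavesdropper learns password =",
          eavesdropper_learns_password(t, CAMERA_PASSWORD))
    ok, t = run_hardened_flow(HardenedCamera(CAMERA_PASSWORD), CAMERA_PASSWORD)
    print("hardened:   login ok =", ok, "| eavesdropper learns password =",
          eavesdropper_learns_password(t, CAMERA_PASSWORD))
```

Both flows authenticate the legitimate user, but only the first one leaks the secret to everyone who can receive the broadcast. Moving the comparison onto the device (and binding it to a fresh nonce so a captured proof cannot be replayed) is the property a firmware fix needs to provide; encrypting the disclosed password, as the page notes, does nothing once the client decrypts it for anyone who asks.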

Testing was conducted against the D-Link DCS-932L using the latest firmware (v1.02). No firmware updates are currently available to fix this vulnerability. Any updates will likely be made available here, in the support section.

Author

Jason Doyle
Security Consultant

Over 6 years of information technology security. CISSP. GWAPT.

Comments

I have these cameras, and have been suffering connects from the outside to them for years. From FW 1.02 to 1.06 currently. I change ports and IP addresses (both the camera's and my own IP on the internet), and they still find me. The camera is broadcasting itself to the internet. I had a network sniffer running a while back, and if I remember right, it's a D-Link site. The camera is sending an HTTPS request about once every second or two, and I found that if I block that, the connections stop. I think. I have 4 cameras, but only one showed as getting connected to in my router logs. 2 did initially, and they were the two I had set up for myself to remotely view using D-Link's site. I scrapped that idea, and managed to solve it for a while, but then I noticed one camera still getting connects. I'm not convinced that the others were NOT being viewed remotely. Maybe they somehow hacked the cameras to not show it.

At any rate, I blocked most services (I want NTP to still work), and the only one I'm seeing is HTTPS, filling my log. Why is it doing this? And to the outside world?! I have the feeling it's by design and not a flaw, but is it a malicious feature from a D-Link programmer, or has somebody found a way to hack into the stream somehow? Stolen credentials from D-Link's site, maybe? The IP addresses I saw are from all over the globe, including China. I didn't see a lot of them. Maybe a dozen a day.

Mr Doyle
How do I retrieve the initial password for a brand new 9xxx camera??
I bought a second camera and it stalls at password set up.
