Incident Response, TDR, Vulnerability Management

D-Link flaw affects 400,000 devices

A web camera's code vulnerability discovered by researchers last month was reused across the manufacturer's product lines, affecting more than 120 products and 400,000 individual devices.

The pre-authentication flaw, discovered by Senrio security researchers, was initially found in the D-Link DCS-930L, a wireless IP surveillance camera that is controlled remotely. The stack overflow vulnerability allows for remote code execution of the device.

The researchers discovered that the software component appeared across the company's product lines, although it initially appeared that some of the products did not utilize the software component in the default settings. However, this estimation unfortunately proved to be overoptimistic.

D-Link conducted its own analysis of the company's network routers, IoT devices, and home security devices and informed Senrio that more than 120 devices are affected. “It constitutes a fairly sizable portion of their product line,” said Stephen A. Ridley, CTO and founder at Senrio.

The Taiwan-based manufacturer has not yet released a patch for the flaw.

In January, Vectra Networks hacked D-Link's consumer-grade WiFi webcam and used the web camera to create a persistent access point into corporate networks.

“While the thought of strangers watching your sleeping baby is disturbing, the implications for enterprise and infrastructure environments are downright scary,” the Senrio blog post noted in June.

Manufacturers often opt to reuse firmware code across products to create cost savings and cut development time. However, code reuse can make it easier for attackers to exploit a small firmware component to launch attacks against multiple products.

The problem is especially dangerous in medical device and industrial control components, according to Ridley. “Code reuse is vulnerability reuse,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.