A series of vulnerabilities in the D-Link DCS-2132L cloud camera allow attackers to remotely tap into the video streams of the devices and also manipulate the device’s firmware.

The vulnerabilities included unencrypted cloud communication, insufficient cloud message authentication and unencrypted LAN communication, according to a May 2, 2019 ESET blog post.

A threat actor can intercept video and audio feeds in a man-in-the-middle (MitM) attack, either between the viewer app and the cloud or between the cloud and the camera, because the streams are transmitted unencrypted on both legs: from the camera to the cloud, and from the cloud to the client-side viewer app.

The flaw can be traced back to a condition in the request.c file, part of D-Link's customized version of the open source boa web server, which handles HTTP requests to the camera. All HTTP requests originating from 127.0.0.1 are elevated to the admin level, granting a potential attacker full access to the device, researchers found.

Researchers also spotted issues in the device's "mydlink services" web browser plug-in, which allows any application or user on the client's computer to access the camera's web interface with a plain request, without any authorization.
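As an added illustration of the loopback-trust pattern described in the two paragraphs above (this is example code written here, not D-Link's or boa's request.c, whose actual code the post does not reproduce), the flawed authorization logic is shown beside a hardened form in which the peer address is never treated as a credential. The `struct request` fields and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Privilege level assigned to an incoming HTTP request. */
typedef enum { PRIV_NONE = 0, PRIV_USER = 1, PRIV_ADMIN = 2 } priv_t;

/* Minimal stand-in for a request as the web server sees it.
 * Constructed for this example; not the real request.c structure. */
struct request {
    const char *peer_addr;   /* source address of the TCP connection */
    bool creds_valid;        /* supplied credentials matched the user db */
    priv_t creds_priv;       /* privilege those credentials carry */
};

/* Flawed pattern: any connection arriving from loopback is treated as
 * admin, so credentials are never checked for such requests. Any path
 * that lets a request reach the server via 127.0.0.1 (for example an
 * unauthenticated local proxy or plug-in) inherits full privilege. */
priv_t authorize_vulnerable(const struct request *r)
{
    if (strcmp(r->peer_addr, "127.0.0.1") == 0)
        return PRIV_ADMIN;
    return r->creds_valid ? r->creds_priv : PRIV_NONE;
}

/* Hardened pattern: privilege derives only from validated credentials.
 * The peer address is not an authentication factor, so a loopback
 * request without valid credentials gets nothing. */
priv_t authorize_hardened(const struct request *r)
{
    (void)r->peer_addr;  /* deliberately ignored for authorization */
    return r->creds_valid ? r->creds_priv : PRIV_NONE;
}

int main(void)
{
    struct request local_no_creds = { "127.0.0.1", false, PRIV_NONE };
    printf("loopback, no credentials: vulnerable=%d hardened=%d\n",
           authorize_vulnerable(&local_no_creds),
           authorize_hardened(&local_no_creds));   /* prints 2 and 0 */
    return 0;
}
```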

The vulnerability also allows an attacker to replace the legitimate firmware with their own rigged backdoor version.

Researchers also spotted other issues described as "minor, yet still concerning," including the camera's HTTP interface on port 80 being exposed to the internet, which can happen without the user's consent. It was unclear why the devices used such a hazardous setting, researchers said.

The issues were promptly reported and, as of May 2, 2019, some of the vulnerabilities have been mitigated while others remain, according to the post.

Researchers found the "mydlink services" plug-in is now properly secured, although other issues persist: the most recent version of the firmware available for download did not address the remaining vulnerabilities, still allowing malicious replacement of the camera's firmware as well as interception of audio and video streams.

Current users of the device are advised to check that port 80 isn’t exposed to the public internet and reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company, the post said.