Researchers at Core Security reported multiple vulnerabilities in D-Link IP cameras that allow an attacker to capture video streams. The experts found five vulnerabilities in at least 14 of the company’s products.
IP cameras can record images and video, and they are managed through online control panels. The DCS-5605/DCS-5635 camera, which is vulnerable, is equipped with a motion detection feature widely used in financial and medical institutions, as well as in various offices.
Experts at Core Security state that the vulnerabilities allow an attacker to access the video stream via RTSP, or to capture the ASCII video stream via image luminance. The vulnerabilities in the online control panel allow command injection.
Core Security notified D-Link of the detected vulnerabilities on March 29. The telecommunications equipment manufacturer promised to release an update and publish recommendations for camera use on the company’s support forum, and to make an official statement on the vulnerabilities only in a month's time.
Core Security was not satisfied with this decision. The experts accused D-Link of concealing the problem, since only a limited number of forum visitors were warned about the vulnerabilities.