Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Dopey]

Author Jason Doyle reported to D-Link an exploit that allows a hacker to easily obtain the administrator password a DCS camera.  I won't post any links here for obvious reasons. 

The existence of this exploit is extremely troubling.  However, the fact that D-Link have known about it, at least since it was reported on June 14, 2012, and done nothing to address it is unconscionable. 

When will D-Link issue an update to correct the severe flaw in their products?

[belvedere]

I'm interested in this too.  I have two other beefs:

1. No SSL support ANYWHERE, so your admin password is always ready to be sniffed.
2. By default, the video streams don't have any password, so you can just point a video player at the camera using rtsp://camera.ip/play{1,2,3,4}sdp and watch the stream with no password.

[RYAT3]

I'm interested in this too.  I have two other beefs:

1. No SSL support ANYWHERE, so your admin password is always ready to be sniffed.
2. By default, the video streams don't have any password, so you can just point a video player at the camera using rtsp://camera.ip/play{1,2,3,4}sdp and watch the stream with no password.

No need to try to sniff anything.  Try guest/guest password.

[skeletor]

No need to try to sniff anything.  Try guest/guest password.

I think that's for a particular model isn't it?  I heard one one them creates a default guest account that many people don't notice.(I thought it could be deleted though from my understanding)
They are talking about this CVE-2012-4046 I think here.  Which, is an issue with the whole setup process and combined with poor network security enables someone to connect to the camera.