• September 23, 2019, 05:59:27 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Fix for the camera password exploit?  (Read 4071 times)

Dopey

  • Level 1 Member
  • *
  • Posts: 1
Fix for the camera password exploit?
« on: January 25, 2013, 08:06:19 AM »

Author Jason Doyle reported to D-Link an exploit that allows a hacker to easily obtain the administrator password a DCS camera.  I won't post any links here for obvious reasons. 

The existence of this exploit is extremely troubling.  However, the fact that D-Link have known about it, at least since it was reported on June 14, 2012, and done nothing to address it is unconscionable. 

When will D-Link issue an update to correct the severe flaw in their products?

Logged

belvedere

  • Guest
Re: Fix for the camera password exploit?
« Reply #1 on: March 27, 2013, 04:36:03 PM »

I'm interested in this too.  I have two other beefs:

1. No SSL support ANYWHERE, so your admin password is always ready to be sniffed.
2. By default, the video streams don't have any password, so you can just point a video player at the camera using rtsp://camera.ip/play{1,2,3,4}sdp and watch the stream with no password.
Logged

RYAT3

  • Level 10 Member
  • *****
  • Posts: 2110
Re: Fix for the camera password exploit?
« Reply #2 on: March 27, 2013, 06:30:47 PM »

I'm interested in this too.  I have two other beefs:

1. No SSL support ANYWHERE, so your admin password is always ready to be sniffed.
2. By default, the video streams don't have any password, so you can just point a video player at the camera using rtsp://camera.ip/play{1,2,3,4}sdp and watch the stream with no password.

No need to try to sniff anything.  Try guest/guest password.


Logged

skeletor

  • Level 1 Member
  • *
  • Posts: 20
Re: Fix for the camera password exploit?
« Reply #3 on: April 09, 2013, 09:29:19 PM »

No need to try to sniff anything.  Try guest/guest password.




I think that's for a particular model isn't it?  I heard one one them creates a default guest account that many people don't notice.(I thought it could be deleted though from my understanding)
They are talking about this CVE-2012-4046 I think here.  Which, is an issue with the whole setup process and combined with poor network security enables someone to connect to the camera.
Logged