According to ESET IoT research, there are multiple vulnerabilities in the D-Link DCS-2132L cloud camera that can open the door to unauthorized access. The camera's most serious problem is that it transmits the video stream without encryption.
ESET researcher Milan Fránik, from ESET’s Research Lab in Bratislava, Slovakia, said: “Because neither the connection between the camera and the cloud, nor the connection between the cloud and the imaging application is encrypted, the system is susceptible to ‘Man in the Middle’ attacks and it is open for video broadcasts to be watched by intruders.”
The plugin is also problematic.
According to the findings, another serious problem with the camera is hidden in the ‘mydlink services (my D-Link services)’ web browser plugin. The plugin manages TCP tunneling and live video playback in the client’s browser, but it is also responsible for forwarding requests for video and audio data streams through a tunnel that listens on a dynamically created port on localhost.
“The plugin vulnerability could have had dire consequences for the security of the camera, as it could enable attackers to replace the original firmware with their own rogue version,” says Milan Fránik.
Reported to the manufacturer
ESET has reported all detected vulnerabilities to the manufacturer. Some of the vulnerabilities, primarily in the mydlink plugin, have been mitigated and patched with an update, but problems with unencrypted transmission remain.