Support Announcements
Response to Consumer Reports :: DCS-2630L IP Camera Security Report

On October 31, 2018 Consumer Reports released a report that accused the DCS-2630L of a number of security issues.

 

Link: https://www.consumerreports.org/privacy/d-link-camera-poses-data-security-risk--consumer-reports-finds/

 

Detail from Consumer Reports:

1. Denial of Service: An attacker may use a simple curl command to disable the camera and prevent users from accessing it.

2. Camera Profiling: The camera runs a web server named "dcs-lig-httpd" which is searchable on Shodan.io, and which reports its model in the basic authentication realm header of requests.

3. Weak Authentication: The camera uses HTTP basic auth, which is known to be insecure as it transmits passwords unencrypted on every request.

4. CSRF Vulnerability: If a user is signed into a camera’s web portal and an attacker knows the camera’s IP address, the attacker can execute CSRF attacks. (This vulnerability is documented as CVE-2017-7852. It is fixed on DCS-933L with firmware after 1.13.05, but no such firmware update is available for DCS-2630L.)

5. Easy to set up without a password: By default, the camera’s password is blank. With this, you can log in to its web portal using the default username “admin”. If a user stops following the D-Link app setup wizard after connecting the camera to the internet, the password will remain blank, and the user will not be prompted to create one.

6. Account Enumeration: It is possible to see if a specific person owns a D-Link camera or router by entering their email in the "forgot password" form on D-Link’s website.

 

Response

1. If a malicious user saturates the bandwidth the camera needs to perform its tasks, the camera will appear offline. Consumer IP cameras are endpoint devices that are recommended to be deployed behind a consumer router or gateway; this additional equipment is intended to be the first line of defense, filtering unwanted traffic into your home. The device does have local recording via a microSD card, which will continue to function during a DDoS attack. Although the camera cannot send video during the DDoS attack, when the attack is over the camera will return to normal after a certain time.

2. This vulnerability has been fixed in the officially released firmware v1.05. Please use the mydlink mobile application to upgrade.

3. This vulnerability has been fixed in the officially released firmware v1.05. Please use the mydlink mobile application to upgrade.

4. This vulnerability has been fixed in the officially released firmware v1.05. Please use the mydlink mobile application to upgrade.

5. This vulnerability has been fixed in the officially released firmware v1.05. Please use the mydlink mobile application to upgrade.

6. The mydlink portal account enumeration issue was corrected in an upgrade to the portal on October 16, 2019.

 

Affected Products and Fixes:

Model | Hardware Revision | Affected FW | Fixed FW | Last Updated
DCS-2630L | All Revisions | v.1.04 and older (lower) | v.1.05.02 (Please use the mydlink mobile application to upgrade) | 02/06/2020
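Added example, not D-Link's or Consumer Reports' code: a small self-audit for a camera you own, checking the firmware against the affected range in the table above and a captured 401 response for report items 2 and 3. The sample response, the finding names and the helper names are constructed for illustration; the exact realm string the camera sends is an assumption.

```python
import re

AFFECTED_UP_TO = (1, 4)  # "v.1.04 and older" from the table above


def parse_fw(text):
    """Turn 'v.1.04' or 'v.1.05.02' into a comparable tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def audit(raw_response, scheme, firmware, model="DCS-2630L"):
    """Return findings for one device's captured HTTP 401 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    if parse_fw(firmware)[:2] <= AFFECTED_UP_TO:
        findings.append("firmware-in-affected-range")
    # Item 2: the server name and the auth realm identify the product.
    if "dcs-lig-httpd" in headers.get("server", "").lower():
        findings.append("server-banner-identifies-product")
    challenge = headers.get("www-authenticate", "")
    auth_scheme, _, params = challenge.partition(" ")
    realm = re.search(r'realm="([^"]*)"', params, re.I)
    if realm and model.lower() in realm.group(1).lower():
        findings.append("realm-discloses-model")
    # Item 3: Basic credentials are only base64-encoded, so without TLS
    # the password crosses the network in recoverable form on every request.
    if auth_scheme.lower() == "basic" and scheme != "https":
        findings.append("basic-auth-over-cleartext")
    return findings


# Constructed sample, not a capture from a real device.
SAMPLE = ("HTTP/1.1 401 Unauthorized\r\n"
          "Server: dcs-lig-httpd\r\n"
          'WWW-Authenticate: Basic realm="DCS-2630L"\r\n'
          "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE, "http", "v.1.04"):
        print(finding)
```

An empty result means none of these three checks fired; it says nothing about items 1, 4, 5 or 6.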

 

 
Regarding Security Patches for Your D-Link Devices

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.

Because our products come in different hardware revisions, please check the revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration.