Overview
The DCS-820L, DCS-930L, DCS-931L, DCS-932L, DCS-933L, DCS-2330L, DCS-2332L, DCS-2136L, DCS-5010L, DCS-5020L and DCS-5222L have been found to keep a persistent SSL certificate, used to communicate with the mobile application and the mydlink cloud service. This was reported to D-Link, which confirmed that it is an inappropriate implementation for these devices and must be corrected.
D-Link Security Incident Response Policy
All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/
Our security response team can be contacted for incident information or to report incidents at security@dlink.com
For any non-critical security issue, help updating firmware, or configuration questions regarding this issue, please contact your D-Link customer care channel.
Reference
Christopher Schmitt <cschmitt@tankbusta.net> - CVE-2014-1616 filed with Mitre - Original Disclosure January 19, 2014
General Disclosure
Security and performance are of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the cautions below to avoid unwanted intrusion into your D-Link router.
Immediate Recommendations for all D-Link customers
- As of February 24, 2014, D-Link is not aware of any exploit or exploitation of this reported issue.
- We encourage users to upgrade their cameras to the software release in the table below immediately when the mobile application or mydlink portal notifies you of a new software release.
Details
The persistent certificate in the camera today is functioning as designed, protecting communication between the camera and the application. However, the fact that it is persistent creates a weakness a malicious user could attempt to exploit if they had access to the camera and knew that its certificate did not change. If a malicious user had managed to get privileged network access, they could potentially obtain the certificate, then intercept and decrypt the camera control information. After understanding how the camera control functions, further research may result in access to the media-stream functions. For reference, these devices are standard network IP cameras with rich feature sets beyond the mydlink cloud access and configuration features. All features and services could be affected, not just the mydlink cloud features, so we strongly encourage camera owners to upgrade to the firmware referenced below through the app or portal as soon as it is available.
The planned correction:
1. When a camera running firmware without this feature upgrades to firmware with the SSL certificate feature, it will automatically create a new self-signed certificate (regenerated).
2. When a camera already running firmware with the certificate feature (firmware whose SSL certificate is automatically self-signed) upgrades to newer firmware, it will again automatically create a new self-signed certificate (regenerated).
3. When the camera is factory reset, it will automatically create a new self-signed SSL certificate.
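An added inventory check an administrator could run against the cameras described above (example code, not D-Link's or mydlink's): it records the SHA-256 fingerprint of the certificate each camera presents, flags cameras that share one certificate, and flags cameras whose certificate did not change after a firmware upgrade or factory reset, which is what the planned correction should guarantee. The host names, the HTTPS port 443 and the sample certificate bytes are constructed assumptions.

```python
import hashlib
import socket
import ssl
from collections import defaultdict
from typing import Dict, List

def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a camera presents on its HTTPS port (port 443 is an
    assumption). Verification is disabled on purpose: the cameras use self-signed
    certificates and we only want to record which one each camera presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def inventory_fingerprints(ders: Dict[str, bytes]) -> Dict[str, str]:
    """Map each host to the fingerprint of the certificate it presented."""
    return {host: fingerprint_der(der) for host, der in ders.items()}

def find_shared_certificates(fps: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by fingerprint; a group of two or more means one certificate
    (and therefore one private key) is serving several cameras."""
    groups = defaultdict(list)
    for host, fp in sorted(fps.items()):
        groups[fp].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}

def unchanged_after_update(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Hosts whose certificate did not change across a firmware upgrade or factory
    reset, i.e. where the expected regeneration did not happen."""
    return sorted(host for host, fp in after.items() if before.get(host) == fp)

# Constructed sample inventory: placeholder bytes, not real DER certificates.
SHARED_FACTORY_DER = b"constructed-der: factory cert shared by cam-a and cam-b"
SAMPLE_BEFORE = {"cam-a": SHARED_FACTORY_DER, "cam-b": SHARED_FACTORY_DER,
                 "cam-c": b"constructed-der: unique cert on cam-c"}
SAMPLE_AFTER = {"cam-a": b"constructed-der: regenerated cert on cam-a",
                "cam-b": SHARED_FACTORY_DER,  # regeneration did not happen here
                "cam-c": b"constructed-der: unique cert on cam-c"}

if __name__ == "__main__":
    before, after = inventory_fingerprints(SAMPLE_BEFORE), inventory_fingerprints(SAMPLE_AFTER)
    print("shared before upgrade:", find_shared_certificates(before))
    print("unchanged after upgrade:", unchanged_after_update(before, after))
```

Against live cameras, replace the sample dictionaries with `{host: fetch_peer_cert_der(host) for host in hosts}` taken once before and once after the upgrade.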
Affected Products
Notice for mydlink Users
mydlink account users who install this security patch on their Cloud camera may be prompted through the mydlink.com website or the mydlink mobile app to upgrade their Cloud camera firmware. Please disregard this upgrade notice, as agreeing to the upgrade may re-install the last available pre-patch firmware version. Due to the urgency of addressing this security concern, this latest firmware was released to the general public prior to being certified within the mydlink service, which does not presently recognize the security patch as the most current official version. D-Link is actively working towards resolving this issue.
Currently, to solve this issue, mydlink has turned off the "auto FW upgrade", "FW upgrade reminder", and all notifications for this firmware until we release the next version of firmware. Users may not notice the new firmware unless they visit the mydlink portal or D-Link's forum to see the related news. After this beta update, users will be required to upgrade the firmware manually.
Users who are on the latest version of firmware and no longer receive push notifications from mydlink will need to wait around 2-3 weeks for the next firmware release, which will re-enable notifications properly.
We shall release news on the mydlink portal.
Note: this applies to North American versions only (mydlink devices are geo-locked to provide the best cloud service performance).
Model Name | HW Version | Vulnerable FW & Setup Wizard | Current Versions with fix
DCS-820L | Ax | V1.00 and lower | FW: Fixed Prior to Release of Product to Market
DCS-930L | Ax/Bx | v1.09 and lower | FW: 1.10
DCS-931L | Ax | v1.02 and lower | FW: 1.03
DCS-932L | Ax/Bx | v1.07 and lower | FW: 1.08
DCS-933L | Ax | v1.02 and lower | FW: 1.03
DCS-2136L | Ax | V1.00 and lower | FW: Pending (as of 03/17/14)
DCS-2330L | Ax | V1.00 and lower | FW: Pending (as of 03/17/14)
DCS-2332L | Ax | V1.02 and lower | FW: Pending (as of 03/17/14)
DCS-5010L | Ax | v1.02 and lower | FW: v.1.03
DCS-5020L | Ax | v1.02 and lower | FW: v.1.03
DCS-5222L | Bx | V1.00 and lower | FW: Pending (as of 03/17/14)
Security patch for your D-Link cameras
These firmware updates address the security vulnerabilities in the affected D-Link cameras. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update.