Core Security researchers recently uncovered five different vulnerabilities in D-Link IP cameras (h/t Sophos).

The vulnerabilities and their potential impact are as follows:

  • CVE-2013-1599 could allow an attacker to execute arbitrary commands from the administration Web interface
  • CVE-2013-1600 could allow an attacker to access the video stream via HTTP
  • CVE-2013-1601 could allow an attacker to access the ASCII video stream via image luminance
  • CVE-2013-1602 could allow an attacker to access the video stream via RTSP
  • CVE-2013-1603 could allow an attacker to bypass RTSP authentication using hard-coded credentials

Sophos' Paul Ducklin notes that the last vulnerability is a dangerously simple hardwired backdoor password. "Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable," he writes.

The researchers say they notified D-Link of the vulnerabilities on March 19, 2013, and that D-Link has prepared patches for all of the flaws, which "are scheduled for posting on [the] D-Link Web site over the next few days."