D-Link has issued a security warning regarding a severe vulnerability in its DCS-8300LHv2 WiFi camera, which exposes sensitive credentials, including WiFi passwords and administrative access details.
The flaw, originally discovered by cybersecurity researcher Alexis Lingad, affects all hardware revisions of the camera and remains unpatched due to the device reaching End-of-Life (EOL) and End-of-Service (EOS) as of February 1, 2024.
Lingad, an independent security researcher, uncovered the flaw through hardware-based reverse engineering. By physically opening the camera and accessing its UART debugging interface, he extracted boot logs that contained critical information in plaintext or easily decodable formats.
Alexis Lingad
Specifically, the vulnerability allowed an attacker to retrieve:
- WiFi SSID and password (encoded in Base64, easily decoded)
- Developer account username and password
- Unique PIN code for remote device control via the mobile app
The flaw was first identified in firmware version 1.02.03 (released January 30, 2021) and was reported to D-Link before the device reached EOL. D-Link addressed the issue in firmware versions 1.07 and 1.08, which prevent the sensitive data from being displayed in boot logs. However, since the product is now discontinued, no further updates or security patches will be issued.
Impact and risks
The DCS-8300LHv2 WiFi camera was marketed as a Full HD smart surveillance device with features such as night vision, motion detection, two-way audio, and cloud/SD recording. While D-Link has stopped supporting it, many units remain in use, posing a significant security risk to individuals and businesses. Additionally, CyberInsider has found that the product is still available for purchase in various online shops.
Lingad demonstrated a real-world attack scenario where an adversary could:
- Physically access the camera (e.g., in a store, office, or home) and extract credentials.
- Reconnect the device without leaving visible traces after retrieving WiFi access credentials.
- Use the stolen credentials to infiltrate the victim's local network, compromising other connected devices such as computers, point-of-sale systems, or even critical infrastructure.
D-Link has officially classified this vulnerability as resolved prior to EOL but strongly advises users to retire the device immediately. The company urges customers to replace the camera with a supported model that continues to receive firmware updates.
For those insisting on using the device, it is recommended to upgrade to the latest available firmware (1.07 or 1.08). General advice also includes regularly changing device passwords, ensuring that WiFi encryption is enabled, and disconnecting the camera from the network when it is not used.
Apple’s Find My Exploited in nRootTag Attacks for User Tracking
Leave a Reply