D3D Security IP Cameras Risk Data Breach, Live Feed Access, No Patch Available
The Indian Computer Emergency Response Team (CERT-In) has issued an urgent advisory concerning two critical vulnerabilities discovered in the D3D Security IP Camera D8801, which could potentially allow remote attackers to gain unauthorized access to sensitive information and live video feeds of affected devices. With a CVSS score of 8.7, these vulnerabilities pose a serious risk to users of this discontinued product.
Two significant vulnerabilities have been identified:
- CVE-2024-47789: This vulnerability stems from the use of a weak authentication scheme in the HTTP header protocol of D3D Security IP Cameras. According to CERT-In, the authorization tag used for device access contains a Base-64 encoded username and password, which can be easily intercepted and decoded by an attacker. A remote attacker could craft a malicious HTTP packet to exploit this weakness, exposing sensitive user credentials. This could ultimately lead to unauthorized access to the targeted IP camera.
- CVE-2024-47790: The second vulnerability lies within the insecure Real-Time Streaming Protocol (RTSP) used for live video streaming. Attackers can craft a malicious RTSP packet to gain unauthorized access to the live feed of the compromised camera. This is a particularly concerning issue for users relying on these cameras for security purposes, as attackers could potentially monitor and view sensitive locations without the user’s knowledge.
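A defender-side check for the first weakness, added here as an example (not code from CERT-In, the researcher or the vendor): it parses a constructed HTTP request of the kind described above, flags credentials carried in a `Basic` Authorization header over a cleartext channel, and reports only the username with the password redacted so the finding can be logged safely. The request text, host, path and credentials are made up for the example.

```python
import base64
import binascii

# Constructed sample request (hypothetical host, path and credentials),
# illustrating an HTTP Basic credential sent over plain HTTP.
SAMPLE_REQUEST = (
    "GET /cgi-bin/snapshot.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "User-Agent: viewer\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return a dict of lowercased header names to values from a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def basic_auth_finding(raw, tls=False):
    """Flag HTTP Basic credentials observed on a cleartext channel.

    Returns None when nothing is exposed; otherwise a dict describing the
    finding with the password replaced by asterisks.
    """
    if tls:
        return None  # inside TLS the header is not readable by a sniffer
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"username": None, "note": "Basic token is not valid base64/UTF-8"}
    user, sep, password = decoded.partition(":")
    if not sep:
        return {"username": None, "note": "Basic token lacks the user:password separator"}
    return {"username": user,
            "password_redacted": "*" * len(password),
            "note": "cleartext HTTP Basic credentials observed"}
```

Run over captured request headers from the camera's network segment, a non-None result on a plain-HTTP flow is the condition the advisory warns about.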
The vulnerabilities affect all versions of the D3D Security IP Camera D8801, a widely used IP camera for surveillance purposes. The product, however, has reached its End of Life (EOL) as of January 2024, and is no longer supported by the vendor, leaving users with limited options for addressing these critical security issues.
These vulnerabilities, discovered by Priyanka R. Chaudhary of BITS Pilani, Hyderabad, pose a significant threat to users of this camera model.
If exploited, these vulnerabilities could have severe consequences. The exposure of credentials via CVE-2024-47789 could enable attackers to take full control of the targeted device, potentially changing settings, disabling the camera, or accessing stored footage. Meanwhile, CVE-2024-47790 would allow attackers to access the camera’s live feed, undermining the device’s purpose as a security tool.
This level of vulnerability in a widely deployed product, combined with the lack of vendor support, amplifies the risk. Users are highly exposed to privacy breaches, surveillance disruptions, and potentially broader attacks if these cameras are part of a larger security infrastructure.
Unfortunately, as D3D Security IP Camera D8801 has reached its End of Life, the vendor will not be releasing any patches or security updates to address these vulnerabilities. CERT-In’s advisory emphasizes that users should discontinue the use of this product or replace it with a supported security camera to mitigate the risk of unauthorized access.
In their advisory, CERT-In notes: “As per the information provided by the vendor, the product has reached its End of Life (EOL) in January 2024 and is no longer supported by them. It is recommended to discontinue use of the product or replace it with a supported product appropriately.”