ESET disclosure of DCS-2132L vulnerabilities

24 June, 2019

Overview:

On May 2, 2019, cybersecurity company ESET disclosed some vulnerabilities in D-Link’s DCS-2132L that could allow a malicious user to access the camera. D-Link is aware of the reported security issues and has been working diligently to investigate and resolve them. Some of the vulnerabilities have already been addressed in the currently available firmware version (available through the mydlink app and here).

D-Link has been working diligently to investigate and resolve the issues disclosed by security company ESET regarding vulnerabilities in our DCS-2132L camera. We are working on a firmware and app update to resolve the following: insufficient cloud message authentication, unencrypted LAN communication, and an old wpa_supplicant version. Please check regularly to make sure you have the latest firmware and app versions.

As for the issue of unencrypted cloud communication, D-Link has determined that the risk is low unless the user’s network, mobile device, or ISP has already been compromised. To mitigate the risks, we strongly encourage our users to do the following:

  1. Use strong wireless encryption and passwords on all your devices
  2. Never connect to untrusted wireless networks
  3. Use good judgement when installing mobile applications; do not install those with unknown or untrusted certificates

Reference:

https://www.welivesecurity.com/2019/05/02/d-link-camera-vulnerability-video-stream/

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates.