Cloud-connected D-Link webcams intended to provide security and surveillance for consumers may themselves be vulnerable to hackers, security researchers said this week.
Senrio, a private security firm, announced that it had discovered a remote code execution vulnerability in D-Link's latest firmware version that could affect five cameras in the D-Link product line, including the DCS-930L Network Cloud Camera.
"The vulnerability allows code injection which lets the attacker set a custom password, granting remote access to the camera feed," according to a Senrio blog post. "Thus, even if users create a strong password, this type of exploit can override it. Instead of setting a new password as the exploit, an attacker could just as easily add a new user with administrator access, download firmware or otherwise re-configure this device."
D-Link said in a statement that its engineers have been "working intensively" to address the vulnerability, and it plans to have a patch available by July 15.
Recommended by Our Editors
The flaw affects a legacy protocol that allows its webcams to access the mydlink cloud service, the company said. It has not yet confirmed which webcam models are vulnerable, though it said routers, access points, and modems do not use the protocol and thus are not affected.
It has long been established that consumer webcams are vulnerable to hacking. Live footage from more than 5,000 unsecured webcams showed up on a Russian website in 2014, a year after researchers uncovered a loophole in Apple's iSight system that allowed them to hack into some versions of MacBook laptops and iMac desktops and disable the webcam indicator LED.
The potential for webcams to be hacked even has Facebook CEO Mark Zuckerberg worried—he was recently caught covering his Mac's camera with a piece of tape.