You can download the latest firmware versions from Softpedia

Feb 27, 2014 11:43 GMT

D-Link has released firmware updates for several surveillance camera models from the DCS series to address a persistent SSL certificate vulnerability.

The impacted devices are DCS-820L, DCS-930L, DCS-931L, DCS-932L, DCS-933L, DCS-2330L, DCS-2332L, DCS-2136L, DCS-5010L, DCS-and DCS-5020L. According to D-Link, these models have been found to store three SSL certificates used to communicate with the mydlink service and the mobile application.

D-Link says this is an inappropriate implementation, so the company has decided to roll out firmware updates to address the flaw.

The security bug was reported to D-Link in January by Christopher Schmitt, an information security engineer at Mandiant.

The advisory published earlier this week reveals that the certificates in question are designed to protect communications between the application and the camera. They perform this task as intended. However, the fact that they’re persistent makes the devices vulnerable.

“If a malicious user had managed to get privileged network access, they could potentially obtain the cert., intercept, and decrypt the camera control information. After understanding how the camera control functions, further research may result in access to the media-stream functions,” reads the advisory.

D-Link notes that it’s not aware of any attack exploiting this issue. However, the company encourages users to update their device’s firmware since “all features and services could be affected beyond just mydlink-cloud features.”

You can download the latest firmware for D-Link cameras from Softpedia. Note that the updates have not been released for all the impacted models. The other updates will become available later this month or in March.