In the process of researching vulnerabilities in these devices, the researcher also found a NAS (network-attached storage) device from D-Link that he believes is also vulnerable. "All vulnerabilities that apply to the network video recorders also apply to this NAS device," Jogi said.
"Security is of the utmost importance to D-Link across all product lines, including storage, surveillance, networking and entertainment solutions," D-Link said Wednesday in an emailed statement. "After being alerted to the vulnerabilities in the DNR-322L and DNR-326, D-Link worked quickly and diligently to create a patched firmware update for the affected devices."
"At this stage, D-Link has not been contacted or received any information regarding the potential existence of this issue in D-Link NAS devices and there is no indication that any other storage devices are impacted," the company said. "D-Link's engineers are thoroughly checking to verify that this is indeed the case."
Using the SHODAN search engine, the Qualys researcher was able to find over 16,000 D-Link NAS and NVR devices connected to the Internet. He used the vulnerabilities to access one of them and it proved to be an NVR from a casino in Ukraine.
NVR devices are used by organizations including libraries, hospitals and other businesses to monitor their premises for security purposes, Jogi said. However, what many people don't realize is that such devices can have vulnerabilities that expose them to remote spying.
The risk is not limited to D-Link devices. Other researchers have previously found vulnerabilities in NVR devices from different vendors, Jogi said.
Sign up for Computerworld eNewsletters.