D-Link Camera Poses Data Security Risk, Consumer Reports Finds
Test of wireless home security cameras also includes Amazon, Arlo, Canary, and Nest models
Under some circumstances, a wireless home security camera made by D-Link can transmit unencrypted video across the web, a Consumer Reports investigation has found. That could allow the video to be accessed by strangers.
The D-Link DCS-2630L was one of six wireless home security cameras recently evaluated for data security and privacy by Consumer Reports. We also tested the cameras for ease-of-use, video quality, and other factors important for making a buying decision.
Testers at CR haven’t learned of any security breaches as a result of the D-Link problem. But most consumers may never realize they’re vulnerable, says Robert Richter, who leads security and privacy testing in CR’s labs. “It’s like a half-open door to hackers that should be closed,” he says.
In response to a Consumer Reports query, D-Link said that security would be tightened through updates this fall. Consumer Reports will evaluate those updates once they are available. The main security risk is triggered only if the owner decides to view the video through a web browser—you can use the camera more securely by sticking to D-Link's mobile app.
Why We Test Home Security Cameras
“People like smart devices, and some of their favorites are home-security cameras,” Maria Rerecich, who leads CR’s electronics testing, says. According to a recent nationally representative survey of 1,067 American adults conducted by Consumer Reports, two-thirds of Americans believe internet-connected security gadgets would be worthwhile in their home—but many people have worries, too.
The Digital Standard
Consumer Reports based the new test protocols on the Digital Standard, an open-source set of criteria for evaluating digital products and services. The Digital Standard covers several aspects of data privacy, such as how much information companies collect about their users, who they share it with, and how much control they give consumers. It also addresses security against hackers and malware, and other consumer concerns with connected devices and online services.
Testers spent weeks using the new protocols to evaluate wireless home security cameras from Amazon, Arlo, Canary, D-Link, and Nest (two models).
Our team read hundreds of pages of privacy policies. We used network analysis and vulnerability analysis tools to see if video feeds were protected by encryption and equipped to resist attacks. We checked whether previously identified vulnerabilities had been fixed. We noted which cameras require users to choose strong passwords. In all, we looked at more than 50 different indicators to come up with our privacy and security scores.
Then, we combined those findings with ratings of convenience features, ease of set-up, and other factors to arrive at the overall scores published in our ratings chart.
We’ve previously tapped into the Digital Standard to evaluate smart TVs and and peer-to-peer payment apps, but wireless home security cameras are the first products where privacy and security are being integrated into routine, ongoing testing. (More categories will be coming soon.)
Detailed Security Findings
The wireless home security cameras we tested had mixed results for both security and privacy.
All of the cameras, other than D-Link, store video footage on their manufacturers’ corporate servers. The video is sent through secure, encrypted connections from the camera to the cloud, and then on to the user. You can watch the video on a smartphone app or a password-protected web page, which are both maintained by the manufacturer.
We gave cameras good marks on security for that method of handling user video.
In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has its own, onboard web server, which can deliver video to the user in different ways.
Users can view the video using an app, mydlink Lite. The video is encrypted, and it travels from the camera through D-Link’s corporate servers, and ultimately to the user’s phone. Users can also access the same encrypted video feed through a company web page, mydlink.com. Those are both secure methods of accessing the video.
But the D-Link camera also lets you bypass the D-Link corporate servers and access the video directly through a web browser on a laptop or other device. If you do this, the web server on the camera doesn’t encrypt the video.
If you set up this kind of remote access, the camera and unencrypted video is open to the web. They could be discovered by anyone who finds or guesses the camera’s IP address—and if you haven't set a strong password, a hacker might find it easy to gain access.
A very sophisticated user could secure the video feed by setting up an encrypted channel (HTTPS) from the camera, Richter says. But it’s not just a matter of flipping some switches. “If you really know what you’re doing you can make this camera keep your data secure,” he says. “But the default set-up doesn’t do that.”
Even if you stick to the D-Link app and official web page—never setting up your own remote web connection—testers say the camera might be relatively insecure against malware or hackers if they gained access to your WiFi network.
And that contributes to a potential security problem that faces everyone as more devices connect to the internet.
In 2016, a massive attack temporarily crippled parts of the internet after malware called Mirai quietly infiltrated internet-of-things (IoT) devices such as security cameras. The malware combined the devices into a botnet, which was directed to attack websites and internet infrastructure. Botnets can be used for other criminal activity, too.
How this kind of malware spreads is an area of active research among security experts, Richter says, but default passwords and poor design in how IoT devices connect to the web are part of the problem.
“Every insecure device gives an attacker more surface area to potentially exploit,” he says. “Properly protected devices in individuals’ homes can make everyone less susceptible to malicious hacking.”
Detailed Privacy Findings
Consumer Reports found less dramatic differences among the cameras when we looked at privacy. This part of the evaluation was conducted by analyzing privacy policies, terms of service, and other publicly available documents setting out how each company handles consumer data.
“Video inside the home is very sensitive stuff, and the companies involved seem to have more incentive to be careful, compared to some other digital products,” says Justin Brookman, the director of privacy and security policy for Consumers Union, the advocacy division of Consumer Reports.
For instance, all of the camera makers state that they don’t share video feeds with business partners or other outside companies.
However, the companies weren’t equally transparent about whether they use the data for other purposes, anything from perfecting facial recognition software today, to nudging you to replace stained carpeting sometime in the future.
“I’d like to see companies be more clear that they’re not using your video feeds for potentially unwanted secondary purposes," Brookman says. "They should be doing cloud storage and not much else.”
Editor's Note: This article has been updated with additional details on how owners of the home security cameras CR tested can safely view their video feeds. Mobile apps and web pages maintained directly by manufacturers, including D-Link, use secure, encrypted connections.
Passwords & Firmware 101
Online privacy and security are huge issues facing a lot of people today. On the "Consumer 101" TV show, Consumer Reports expert Maria Rerecich explains why it's not just phones and computers that people should be concerned about.