Home Security Cameras From Top Brands Lack Basic Digital Security Measures
Many models don’t offer two-factor authentication or robust privacy policies, Consumer Reports finds
You buy a security camera to keep your home safe, but is your camera keeping your privacy and data safe? CR’s Digital Lab evaluates digital products and services for how well they protect consumers’ privacy and security.
After six weeks of testing that included evaluating more than 70 privacy and security criteria on 26 cameras, our experts found that nine security-camera brands—Blue by ADT, Canary, D-Link, Eufy, Honeywell Home, Logitech, Toucan, TP-Link, and Zmodo—still lack two-factor authentication, a more stringent security measure than using just a single password to log in.
There’s no good excuse for not offering it. “Two-factor authentication is an easy-to-implement second layer of authentication that, when enabled, can stop some hackers’ attacks immediately, protecting users' accounts,” says Cody Feng, CR's test engineer for privacy and security. Many manufacturers’ privacy policies also do a poor job of detailing exactly how they use the data from their customers’ cameras.
Two-factor authentication helps prevent cameras from being hacked by sending users a temporary, one-time passcode via text message, email, or phone to use in addition to their password for logging into their accounts. It’s a safeguard against credential stuffing, a tactic where hackers use usernames and passwords from data breaches to log into accounts.
Tougher Privacy and Security Tests
This year, CR weighed 10 key criteria more heavily than in the past. “We believe these are essential for consumer protection,” says Maria Rerecich, the senior director of product testing at CR.
These security measures include two-factor authentication, automatic software updates, a visual indicator light that lets you know the camera is active, and email notifications for when a user logs in from a new device or IP address.
Many brands do a good job of adopting these security measures, and most earn a Very Good rating for data security in our tests. But there is definitely room for improvement.
For data privacy, we examine privacy policies and other documentation to see whether manufacturers disclose how they collect your data, who they share your data with, whether they attempt to minimize data collection, and whether consumers have a way to request copies of their data or ask for it to be deleted.
“Our evaluation for data privacy leans heavily on companies explicitly stating how they are using, storing, and sharing consumers' data,” says Rerecich. “Since wireless security cameras capture and transmit sensitive data from inside a consumer's home, we have adjusted our scoring methodology to more accurately reflect the shortcomings of these privacy policies.”
As a result of our scoring change, no camera model now receives a data privacy rating higher than Good, which is the middle of our ratings scale.
The Gaps in Two-Factor Authentication
Consumer Reports reached out to the nine brands that don’t offer two-factor authentication and asked if and when they plan to implement it. We received responses from these seven companies:
• Blue by ADT will add multifactor authentication before the end of the year.
• Canary will add it soon.
• D-Link is planning to add the feature to its mobile app before Christmas 2020.
• Eufy is starting to deploy two-factor authentication in the U.S. now.
• Honeywell Home is looking into ways to add it.
• Logitech says the feature is being “actively developed.”
• TP-Link is “targeting” a release for the feature in Q4.
The cameras in our ratings that currently offer two-factor authentication are made by Amazon, Arlo, Blink, Google Nest, Ring, Samsung SmartThings, and Wyze. At the time of our tests, none of the cameras—except Samsung SmartThings—prompted you to enable the security feature. Rather, the feature was buried in the camera app’s settings.
But both Blink and Ring have since made changes to the feature so that now, both, along with Samsung, have two-factor authentication via email by default, which CR would like to see all brands do. Additionally, Samsung is the only company that prompts users to enable two-factor authentication via text message (which we consider better for the user) when they set up a camera.
“We’re glad to see these companies provide an extra layer of protection, and we hope more companies follow their lead,” says Feng.
Though many of the cameras lacked two-factor authentication, most offered a number of the other nine security features we looked for in our tests. As a result, most of the 26 models we evaluated receive a Very Good rating for data security.
There are two standouts: Arlo and, again, Samsung SmartThings. Models from both brands receive an Excellent rating for digital security. Google Nest cameras earn a Very Good rating, a drop from their Excellent rating last year, due to CR’s tougher data security scoring.
Poor Privacy Policies
We also rate how well companies’ stated privacy policies protect consumers.
Eight companies earned a Good rating, the highest score any company received. Of those, Google Nest stood out for doing the best job disclosing what user data it shares and with whom, though it doesn’t offer good tools for obtaining and deleting your data, nor does it try to minimize data collection.
Top Cameras From CR’s Tests
These are the top six wireless security cameras from our ratings. All offer strong data security and good data privacy, as well as impeccable video quality.
For more ratings and reviews of more models, check our wireless security camera ratings and buying guide.
Clarification: This article has been updated with information about D-Link's plans to implement two-factor authentication and information on brands that have started offering two-factor authentication by default since we conducted our tests.