Under some circumstances, a wireless home security camera made by D-Link can transmit unencrypted video across the web, a Consumer Reports investigation has found. That could allow the video to be accessed by strangers.
The D-Link DCS-2630L was one of six wireless home security cameras recently evaluated for data security and privacy by Consumer Reports. We also tested the cameras for ease-of-use, video quality, and other factors important for making a buying decision.
Testers at CR haven’t learned of any security breaches as a result of the D-Link problem. But most consumers may never realize they’re vulnerable, says Robert Richter, who leads security and privacy testing in CR’s labs. “It’s like a half-open door to hackers that should be closed,” he says.
In response to a Consumer Reports query, D-Link said that security would be tightened through updates this fall. Consumer Reports will evaluate those updates once they are available. The main security risk is triggered only if the owner decides to view the video through a web browser—you can use the camera more securely by sticking to D-Link's mobile app.
Why We Test Home Security Cameras
“People like smart devices, and some of their favorites are home-security cameras,” Maria Rerecich, who leads CR’s electronics testing, says. According to a recent nationally representative survey of 1,067 American adults conducted by Consumer Reports, two-thirds of Americans believe internet-connected security gadgets would be worthwhile in their home—but many people have worries, too.
Eighty-seven percent of Americans are at least somewhat concerned about potential security issues with internet-connected smart devices—like hackers accessing a WiFi camera.
Additionally, 83 percent are at least somewhat worried about privacy—even if hackers aren’t watching, could the camera company be viewing the videos?
“Consumers need better information to make their buying decisions,” Rerecich says. “These devices can collect a lot of data—more than smart speakers or most other connected products. But it's difficult for consumers to judge them on security and privacy.”
When Mark Zavislak was shopping for a wireless security camera for his home a few years ago, he found few reviews, and no way to know how well the products handled security and privacy.
The couple ended up buying a Nest camera, and they've been happy with the purchase. It's easy to use, and it lets the couple keep an eye on their dog—yep, still asleep on the couch—and any potential intruders.
However, Zavislak says, “Privacy does cross my mind. We take it really seriously that there’s a video camera in our home.”
For important discussions about money or family matters, Zavislak and his wife unplug the camera or go into another room. “I’m very aware that the video is being uploaded to a server somewhere,” Zavislak, who is a software engineer in Southern California, says. “If it can be coded, it can be hacked.”
The Digital Standard
Consumer Reports based the new test protocols on the Digital Standard, an open-source set of criteria for evaluating digital products and services. The Digital Standard covers several aspects of data privacy, such as how much information companies collect about their users, who they share it with, and how much control they give consumers. It also addresses security against hackers and malware, and other consumer concerns with connected devices and online services.
Testers spent weeks using the new protocols to evaluate wireless home security cameras from Amazon, Arlo, Canary, D-Link, and Nest (two models).
Our team read hundreds of pages of privacy policies. We used network analysis and vulnerability analysis tools to see if video feeds were protected by encryption and equipped to resist attacks. We checked whether previously identified vulnerabilities had been fixed. We noted which cameras require users to choose strong passwords. In all, we looked at more than 50 different indicators to come up with our privacy and security scores.
Then, we combined those findings with ratings of convenience features, ease of set-up, and other factors to arrive at the overall scores published in our ratings chart.
We’ve previously tapped into the Digital Standard to evaluate smart TVs and peer-to-peer payment apps, but wireless home security cameras are the first products where privacy and security are being integrated into routine, ongoing testing. (More categories will be coming soon.)
Detailed Security Findings
All the wireless home security cameras we tested had mixed results for both security and privacy.
All of the cameras, other than D-Link, store video footage on their manufacturers’ corporate servers. The video is sent through secure, encrypted connections—from the camera to the cloud, and from there to the user’s smartphone app.
In contrast, D-Link doesn't store video from these security cams in the cloud. Instead, the camera has its own, onboard web server, which can deliver video to the user in two different ways.
Most users will probably view the video using an app, mydlink Lite. The video is encrypted, and it travels from the camera through D-Link’s corporate servers, and ultimately to the user’s phone.
But the D-Link DCS-2630L also lets you bypass the app and access the video directly through a web browser on a laptop or other device, whether you’re at home, at work, or on vacation. The web server doesn’t encrypt the data going to your laptop, and it doesn’t require a unique password to operate.
If you set up remote web access, the camera could be discovered by anyone who finds or guesses the camera’s IP address—and if you haven't changed the default password, a hacker might find it easy to gain access.
A very sophisticated user could secure the video feed by setting up an encrypted channel (HTTPS) from the camera, Richter says. But it’s not just a matter of flipping some switches. “If you really know what you’re doing you can make this camera keep your data secure,” he says. “But the default set-up doesn’t do that.”
Even if you stick to the D-Link app—never setting up a remote web connection—testers say the camera might be relatively insecure against malware or hackers if they gained access to your WiFi network.
And that contributes to a potential security problem that faces everyone as more devices connect to the internet.
In 2016, a massive attack temporarily crippled parts of the internet after malware called Mirai quietly infiltrated internet-of-things (IoT) devices such as security cameras. The malware combined the devices into a botnet, which was directed to attack websites and internet infrastructure. Botnets can be used for other criminal activity, too.
How this kind of malware spreads is an area of active research among security experts, Richter says, but default passwords and poor design in how IoT devices connect to the web are part of the problem.
“Every insecure device gives an attacker more surface area to potentially exploit,” he says. “Properly protected devices in individuals’ homes can make everyone less susceptible to malicious hacking.”
Detailed Privacy Findings
Consumer Reports found less dramatic differences among the cameras when we looked at privacy. This part of the evaluation was conducted by analyzing privacy policies, terms of service, and other publicly available documents setting out how each company handles consumer data.
“Video inside the home is very sensitive stuff, and the companies involved seem to have more incentive to be careful, compared to some other digital products,” says Justin Brookman, the director of privacy and security policy for Consumers Union, the advocacy division of Consumer Reports.
For instance, all of the camera makers state that they don’t share video feeds with business partners or other outside companies.
However, the companies weren’t equally transparent about whether they use the data for other purposes, anything from perfecting facial recognition software today, to nudging you to replace stained carpeting sometime in the future.
“I’d like to see companies be more clear that they’re not using your video feeds for potentially unwanted secondary purposes,” Brookman says. “They should be doing cloud storage and not much else.”