This wireless security camera has a serious hijacking flaw

Web-connected cameras can be great security and monitoring tools that can keep your home safe. With a smartphone or a computer, these cameras allow you to view their live feeds over the internet, essential for home security, surveillance or for keeping an eye on children or pets.

But as we approach the age of Internet of Things hacks, what if these webcams, which are supposed to make you feel safe and secure, have security holes themselves? What if someone can turn these cameras against you and, in turn, invade your privacy?

That's precisely what a new report has revealed. One of these flawed cameras may even be in your home right now!

This wireless camera lacks proper security

Consumer Reports just published its findings about the state of security and privacy of six wireless home security cameras from Amazon, Arlo, Canary, D-Link and Nest (two models). Among all the security cameras it reviewed, one particular model stood out, mainly because of a big glaring security flaw.

Based on CR's evaluation, the D-Link DCS-2630L camera can transmit unencrypted video feeds over the web. This means it can potentially grant unauthorized parties access to its footage.

How so? Unlike the other cameras, which store their footage on their respective manufacturers' secure and encrypted cloud servers, the D-Link DCS-2630L stores its footage locally on its own built-in web server.

See, there are two ways to access the D-Link DCS-2630L's footage. First, users can access the video securely via D-Link's official app called "mydlink Lite." With this method, the video is actually encrypted while it's being sent to D-Link's cloud servers then back to the smartphone app for viewing.

However, the second method bypasses the app completely, as it allows you to access the camera's footage directly through a web browser interface. The problem is that the camera's local web server doesn't encrypt the data, nor does it require a unique password for access.

This means that if you enabled this camera's remote access feature, anyone who can track and search for its public IP address can access its feed if you haven't bothered to change its default password.

Thankfully, CR said that there is no evidence of security breaches on account of this particular D-Link camera weakness.
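
The two weaknesses of the direct browser path described above, no encryption and weak access control, show up in how a camera's local web interface answers a request that carries no credentials. The following Python is an added example, not code from Consumer Reports, D-Link or the original article; the sample responses, the 192.0.2.x addresses and the finding names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample responses to a GET sent WITHOUT credentials (not captured
# from a real camera). 192.0.2.0/24 is a documentation-only address range.
SAMPLE_HTTP_BASIC = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="camera"\r\n\r\n'
SAMPLE_HTTP_OPEN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>live view</html>"
SAMPLE_HTTPS_DIGEST = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="camera"\r\n\r\n'
SAMPLE_HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://192.0.2.13/\r\n\r\n"


def parse_response(raw):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_camera_interface(url, raw_response):
    """List the exposure findings for one camera web-interface endpoint."""
    scheme = urlsplit(url).scheme.lower()
    status, headers = parse_response(raw_response)
    location = headers.get("location", "").lower()
    if status in (301, 302, 307, 308) and location.startswith("https://"):
        return []  # plain HTTP only forwards the browser to the encrypted interface
    findings = []
    if scheme != "https":
        findings.append("cleartext-transport")  # video and login cross the network unencrypted
    if status == 200:
        # Assumption: a 200 to a credential-less request means content is served
        # without a login (a form-based login page would also return 200).
        findings.append("no-authentication")
    elif status == 401:
        auth_scheme = headers.get("www-authenticate", "").split(" ", 1)[0].lower()
        if auth_scheme == "basic" and scheme != "https":
            # HTTP Basic only base64-encodes the password; without TLS it is readable in transit.
            findings.append("password-sent-in-cleartext")
    return findings


if __name__ == "__main__":
    print(audit_camera_interface("http://192.0.2.10/", SAMPLE_HTTP_BASIC))
    print(audit_camera_interface("http://192.0.2.11/", SAMPLE_HTTP_OPEN))
    print(audit_camera_interface("https://192.0.2.12/", SAMPLE_HTTPS_DIGEST))
    print(audit_camera_interface("http://192.0.2.13/", SAMPLE_HTTP_REDIRECT))
```

A response like this cannot show whether the default password is still in place; that has to be checked and changed in the camera's own settings.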

Got a security camera? Change the default password!

This issue is actually a common problem with security cameras. Many people don't realize that they also typically have web interfaces for remote access. The problem is that these usually ship with default credentials that are the same across all units.

Despite numerous warnings, most consumers and businesses still never bother changing their smart appliance or Internet-of-Things gadget's default credentials after purchase.

If you have a connected camera (or any smart appliance, for that matter), it is important that you change the default administrator username and password.

Do this by accessing the appliance's hub (usually through a webpage or a smartphone app). If your smart appliance connects via the manufacturer's website, make sure your password for their site is complex and unique.

Check for firmware updates regularly

In response, D-Link has informed CR that the D-Link DCS-2630L camera will receive updates this fall to tighten up its security.

Since the risk only exists in cameras where the user enables remote access via a web browser, maybe D-Link will disable this remote viewing feature permanently and route all traffic through its secure servers moving forward.

In fact, the company has already announced that it has released a web portal update to mitigate the issue.

D-Link is also planning on releasing the following firmware versions to resolve the remaining issues:

  • Firmware version 1.05 - (mid-November) for Denial of Service, CSRF Protection, and Profiling
  • Firmware version 1.06 - (late December) to strengthen Authentication and Password

How to update the DCS-2630L camera's firmware

If you own this camera, keep your eye out for these firmware versions. It's good practice to check for firmware updates regularly, anyway. Here's how to update the DCS-2630L camera's firmware:

  1. Go to D-Link's official support page.
  2. Download and save the latest firmware version on your computer's hard drive.
  3. Access the camera's web interface via a web browser, then navigate to the "Maintenance" tab >> "Firmware Upgrade".
  4. Click the "Browse" button to locate the file.
  5. Click "Upload" to start the firmware upgrade process.

As these repeated camera flaws and vulnerabilities show, in this increasingly connected world, the "smarter" our homes become, the smarter we have to be about our homes.
