Tuesday, 30 October 2018

Consumer Reports finds that D-Link's home camera sends unencrypted video without unique passwords

As part of its ongoing commitment to evaluate information security and privacy when reviewing IoT devices (previously), Consumer Reports has published a scathing review of D-Link's home security camera.

D-Link's DCS-2630L was one of half a dozen cameras evaluated in a process that included consideration of privacy policies, network monitoring, vulnerability analysis -- 50 indicators in total.

Five of the cameras used encrypted transport to send their video to cloud servers; the D-Link stored the video locally and allowed you to stream it, but did not always encrypt these streams, and allowed access to the streams without a unique password.

None of the cameras tested had decent privacy policies that spelled out all the ways your footage would be used; this is particularly disturbing, given that they are meant to run in your home.

Testers at CR haven’t learned of any security breaches as a result of the D-Link problem. But most consumers may never realize they’re vulnerable, says Robert Richter, who leads security and privacy testing in CR’s labs. “It’s like a half-open door to hackers that should be closed,” he says.

In response to a Consumer Reports query, D-Link said that security would be tightened through updates this fall. Consumer Reports will evaluate those updates once they are available. The main security risk is triggered only if the owner decides to view the video through a web browser—you can use the camera more securely by sticking to D-Link's mobile app.

D-Link Camera Poses Data Security Risk, Consumer Reports Finds [Jerry Beilinson/Consumer Reports]

(Thanks, Geoff!)

(Image: Cryteria, CC-BY)