Consumer Reports Reviews Wireless Home-Security Cameras

Consumer Reports is starting to evaluate the security of IoT devices. As part of that, it's reviewing wireless home-security cameras.

It found significant security vulnerabilities in D-Link cameras:

In contrast, D-Link doesn't store video from the DCS-2630L in the cloud. Instead, the camera has its own, onboard web server, which can deliver video to the user in different ways.

Users can view the video using an app, mydlink Lite. The video is encrypted, and it travels from the camera through D-Link's corporate servers, and ultimately to the user's phone. Users can also access the same encrypted video feed through a company web page, mydlink.com. Those are both secure methods of accessing the video.

But the D-Link camera also lets you bypass the D-Link corporate servers and access the video directly through a web browser on a laptop or other device. If you do this, the web server on the camera doesn't encrypt the video.

If you set up this kind of remote access, the camera and unencrypted video are open to the web. They could be discovered by anyone who finds or guesses the camera's IP address -- and if you haven't set a strong password, a hacker might find it easy to gain access.

The real news is that Consumer Reports is able to put pressure on device manufacturers:

In response to a Consumer Reports query, D-Link said that security would be tightened through updates this fall. Consumer Reports will evaluate those updates once they are available.

This is the sort of sustained pressure we need on IoT device manufacturers.

Boing Boing link.

EDITED TO ADD (11/13): In related news, the US Federal Trade Commission is suing D-Link because their routers are so insecure. The lawsuit was filed in January 2017.

Posted on November 7, 2018 at 6:39 AM • 20 Comments

Comments

K.S. • November 7, 2018 7:56 AM

"sustained pressure"

While CR's work is helpful, I don't see this as anywhere near adequate pressure. IoT is wide open, and both big vendors like D-Link and no-name operations from China equally don't care about security. To make things worse, consumers have no way to differentiate between good (if they exist) and bad actors in this space.

Looking at my laptop power supply, I see no less than 10 various international certifications. I am not an electrical engineer, but I can look at these and reasonably conclude it is not likely to suddenly catch fire and burn my home down. No such thing exists for IoT security.

Steve • November 7, 2018 8:13 AM

CR has more pressure to bring to manufacturers than people understand.

Heck, anyone who can get Microsoft to do **anything** is almost a GOD in my book. Worked at a Fortune 10 company and we couldn't get MSFT to do anything. For example, we needed better than +/- 5min time accuracy. Never happened.

Phaete • November 7, 2018 9:12 AM

"They could be discovered by anyone who finds or guesses the camera's IP address"

Only for the inexperienced; others use Shodan or one of the 15-year-old Google hacks to find open webcams.

The fact that this is a problem since the earliest networked webcams shows how important the industry thinks this issue is.

DM • November 7, 2018 9:48 AM

The US FTC is suing D-Link:

> The US Federal Trade Commission (FTC) brought its lawsuit against
> Taiwanese D-Link early last year in California, and in doing so griped
> about a host of alleged bad practices, including hard-coded passwords,
> command-injection vulnerabilities, misplaced security keys, and plaintext
> password storage in D-Link's gear. These, the watchdog claimed, amounted
> to misrepresentation by a company that touted the advanced security of its
> products, and thus put buyers at risk.

https://www.theregister.co.uk/2018/11/06/dlink_ftc_denied/

The lawsuit was filed in January 2017:

https://www.theverge.com/2017/1/7/14199232/ftc-sued-d-link-unsecure-routers-webcams-cybersecurity
https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate

TexasDex • November 7, 2018 9:56 AM

I haven't gotten the impression that CR has a crack pentest team, so the fact that they were able to find vulnerabilities makes me think D-Link's security is pretty bad. Or maybe CR has gotten better?

MikeA • November 7, 2018 10:40 AM

@K.S. The presence of apparent "International Certification" logos means nothing more than that the manufacturer was able to find an injection molding company willing to mold those into the case. Not to mention that a fair number of certification standards are like the old wired-phone one, where the phone had to operate to certain specs, and to withstand a surge of a certain magnitude without bursting into flame, but was not required to be more than a melted (albeit not charred) lump after the second test (and of course it was the second test). Or the RF emissions tests for computers (even after they got the FCC to back _way_ down on the requirements). Easy-peasy: run the tests with "Spread Spectrum Clocks" on, then turn them off because reliability with them on was crap. Fortunately(?), they were controlled by a simple BIOS option, and defaulted off. VW has nothing on computer manufacturers.

Reliability and security will remain crap until independent testing orgs are widely read, and the market responds. Regulation without enforcement is just wanking, and I fully expect the I.T. equivalent of "food libel" laws to crack down on honest reporting in 3.2.1...

Impossibly Stupid • November 7, 2018 10:43 AM

I'm not sure I can trust CR's technical competence when they say things like:

doesn't store video ... in the cloud

and then immediately say:

travels ... through D-Link's corporate servers

They may offer other ways to get the video, but that doesn't mean they don't want to gobble it up like every other company eager to sell out their users (i.e., it isn't clear what the default setting is).

It also isn't clear if the videos they think are secured are because HTTPS is visibly used when accessing it online. It may very well be that, like the D-Link, the videos aren't using encryption when copying from the camera. It's also not very reassuring when the focus seems to be mainly transport level security. If the videos themselves are not encrypted end-to-end, you're just one big hack away (or one untrustworthy employee) from having them all exposed online.

Maybe their full report covers all that in detail, but their publicity article is dumbed down to the point where it undermines their credibility.

Zed • November 7, 2018 10:46 AM

Although I tend not to put a lot of reliance on CR reviewing of technical stuff (especially security), because of the consumer focus, the fact that they've been able to get movement out of a vendor is impressive.

Although the effect may be uneven (as noted by the comment by the person who indicates that a Fortune 10 company can't get a response out of Microsoft), this one is indicative that there is at least some leverage in the name-and-shame game that Bruce mentioned a few weeks ago: https://www.schneier.com/blog/archives/2018/09/public_shaming_.html

Clive Robinson • November 7, 2018 12:25 PM

A fundamental assumption of economics is that markets are open, thus all can see the market clearly.

As we know from practical experience, markets are anything but open. Information that a customer needs to make an informed choice is quite deliberately, and with the help of lobbied-for legislation, withheld from the consumer. Even when information is in theory available, it's hidden away behind complex, virtually un-navigable language, menus, and other "designed to mislead" systems, not least the old TOCs and EULAs inside the package that you cannot read until you have purchased the product, which you then cannot return because you don't like the legalese.

Thus reports from consumer organisations help a small way to redress this balance.

Whilst that is good, it might be better and faster if the law were changed so that software and the hardware it runs on are actually "real purchases", not "faux leases", with the likes of "Right to repair/modify", etc. properly codified in law. Heck, even ensuring "The First Sale Doctrine" (17 U.S.C. § 109) worked for non-physical purchases would be a start.

But what I would most like to see is all forms of lobbying with transfer of goods, services or tokens of exchange, including future employment etc., be treated in the same way as the US regards similar "inducements" by companies to make sales. That way there might be a slightly improved chance of getting legislation that favoured the citizen over the corporate. Which then might actually allow for "Open Market Knowledge"...

Timothy • November 7, 2018 1:08 PM

DM wrote above:

The US FTC is suing D-Link

Per an article DM posted, the FTC's case will go to trial starting January 14, 2019.

During the October 2018 Senate hearing "Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act" several witnesses urged Congress to consider giving greater authorities to the FTC and state attorneys general to enforce current and/or new privacy and security laws.

I'm grateful that Consumer Reports is working to educate and protect consumers under the current limited regulatory regime.

Faustus • November 7, 2018 1:19 PM

There is no good way to create a private certificate for a local web server off an IoT device. Even if you could create one and install it there will be all sorts of browser warnings.

This leads IoT manufacturers to use unencrypted connections when the client doesn't access the data through them (in which case they can use their official certs).

We really need a protocol that allows customers to initiate encrypted connections based on (dare I say the blasphemy?) shared passwords. Enter a password in the server and use it or something derived from it as the password in the browser. Simple.

As it is our password prudery is just leading to unencrypted sessions. A password protected encrypted session is better than no encryption at all. A lot better.

TLS-SRP when • November 7, 2018 1:33 PM

I don't see how the problem is with D-Link here. You cannot use HTTPS on a LAN without having technical experience on how to assign a domain name to your camera and either obtaining a certificate from a trusted CA or creating your own and configuring your device to trust it.

If the camera uses a self-signed certificate, then browsers will scare away any user attempting to access it, even if it is more secure than HTTP.

And the manufacturer should definitely not give out certificates to any camera requesting it, because I could just buy a camera from the same brand and arrange to extract the private key and essentially compromise the CA.

This sucks. PAKE could be used to secure that, but no browsers want to implement it.
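Faustus's comment and the one above both describe the same mechanism: a password-authenticated key exchange (PAKE), where the browser and the camera derive a shared session key from a password that is never sent over the wire and never stored on the device in recoverable form. The following Python is an added example, not code from either commenter, from D-Link, or from any browser; it sketches an SRP-6a style exchange. The group parameters `N` and `g` are toy values chosen so the code stays readable (an assumption for this example; a real deployment would use a vetted group such as those in RFC 5054), and all function names are this example's own.

```python
"""Password-authenticated key exchange (SRP-6a style) between a browser and a camera."""
import hashlib
import secrets

# Toy group parameters, constructed for this example only. They are NOT a vetted
# SRP group; real deployments use the RFC 5054 groups.
N = 2**255 - 19   # prime modulus (assumption: illustrative, not an SRP group)
g = 2             # generator


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def H(*parts: bytes) -> int:
    """Hash length-prefixed byte strings into an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


k = H(int_to_bytes(N), int_to_bytes(g))  # SRP multiplier parameter


def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str, salt=None):
    """Run once on the camera at setup: keep (salt, verifier), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    v = pow(g, private_x(username, password, salt), N)
    return salt, v


def client_start(a=None):
    """Browser picks an ephemeral secret a and sends A = g^a."""
    a = a if a is not None else secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_respond(v: int, b=None):
    """Camera picks ephemeral b and sends B = k*v + g^b (v never leaves the device)."""
    b = b if b is not None else secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = H(int_to_bytes(A), int_to_bytes(B))
    x = private_x(username, password, salt)
    base = (B - k * pow(g, x, N)) % N          # equals g^b only if the passwords agree
    S = pow(base, a + u * x, N)
    return hashlib.sha256(int_to_bytes(S)).digest()


def server_session_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("invalid client public value")
    u = H(int_to_bytes(A), int_to_bytes(B))
    S = pow((A * pow(v, u, N)) % N, b, N)       # (g^a * g^(ux))^b = g^(b(a+ux))
    return hashlib.sha256(int_to_bytes(S)).digest()


def run_exchange(username, password_on_device, password_typed, a=None, b=None) -> bool:
    """Full exchange; True only when the typed password matches the stored verifier."""
    salt, v = enroll(username, password_on_device)
    a, A = client_start(a)
    b, B = server_respond(v, b)
    K_client = client_session_key(username, password_typed, salt, a, A, B)
    K_server = server_session_key(v, b, A, B)
    # Key confirmation: the browser proves it derived K; the camera checks the proof
    # in constant time. A wrong password yields a different K and fails here.
    proof = hashlib.sha256(int_to_bytes(A) + int_to_bytes(B) + K_client).digest()
    expected = hashlib.sha256(int_to_bytes(A) + int_to_bytes(B) + K_server).digest()
    return secrets.compare_digest(proof, expected)


if __name__ == "__main__":
    print("same password:", run_exchange("admin", "correct horse", "correct horse"))
    print("wrong password:", run_exchange("admin", "correct horse", "wrong"))
```

The point of the design is in `enroll` and `server_respond`: the camera holds only a salt and `v = g^x`, so a dump of its flash does not reveal the password, and the values exchanged (`A`, `B`) do not let an eavesdropper on the unencrypted LAN mount an offline guess without also solving a discrete logarithm. The session key that both sides end up with can then protect the video stream without any certificate at all.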

Snarki, child of Loki • November 7, 2018 7:46 PM

Every D-Link product I've dealt with (cameras, network cards, etc.) has been utterly unreliable CRAP.

So their security problems don't affect me, because I'll NEVER use their stuff again.

65535 • November 7, 2018 10:49 PM

@ Nombre No Importante

“Has Mudge's CyberUL started putting out reports yet?”

The cyberUL looked like a good thing.

I thought Mudge had switched jobs to google.

“In 2013 Mudge went to work for Google in their Advanced Technology & Projects division…”- Wikipedia

I doubt Mudge will do anything positive while working for the biggest data mining company in the USA. But who knows, maybe it will happen.

K.S. • November 8, 2018 8:43 AM

@Faustus
"There is no good way to create a private certificate for a local web server off an IoT device."

Correction - there is no good way to do it cheaply. However, I agree, browsers should be more lenient in cases of self-signed certificates and should be able to pin them by default.

Default behavior/warning along the following lines:

"You are accessing a web site that doesn't offer independent confirmation of its identity. If this is a public website, we recommend you do not accept the certificate, as it is unsafe to do so. If you are accessing a device that you control, please verify the signature prior to accepting the certificate.

MD5 hash"
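The comment above proposes that a browser pin a self-signed device certificate once the user has checked its fingerprint against one printed on the device, which is the trust-on-first-use model that SSH clients already use. The Python below is an added example, not code from the commenter or from any browser or vendor, showing the pin store and the check a client would run before sending credentials to a camera on the LAN. It uses SHA-256 rather than MD5 for the fingerprint; the `PinStore` class, the `camera.local` host name and the `CAMERA_CERT_*` byte strings are constructed for this example and stand in for real certificate DER bytes.

```python
"""Trust-on-first-use pinning of a device's self-signed certificate."""
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """Stable identity for a certificate: SHA-256 over its DER encoding."""
    return "SHA256:" + hashlib.sha256(cert_der).hexdigest()


def fetch_device_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the DER certificate a device presents.

    CA verification is switched off deliberately: the pin, not a CA, is what
    authenticates the device, so the returned bytes must pass PinStore.check
    before the client sends a single byte of application data.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Maps device host -> pinned fingerprint, optionally persisted as JSON."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes, user_confirms) -> str:
        """Return 'pinned' (first use, user accepted), 'rejected' (first use,
        user declined), 'ok' (matches the pin) or 'mismatch' (different
        certificate than last time: block the connection and alert)."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First use: user_confirms shows fp so it can be compared with the
            # fingerprint printed on the device or its setup page.
            if not user_confirms(host, fp):
                return "rejected"
            self.pins[host] = fp
            self._save()
            return "pinned"
        if hmac.compare_digest(pinned, fp):
            return "ok"
        return "mismatch"


# Constructed stand-ins for certificate DER bytes (not real certificates).
CAMERA_CERT_V1 = b"constructed-der:camera.local:key-1"
CAMERA_CERT_V2 = b"constructed-der:camera.local:key-2"


def demo():
    """First visit pins, a repeat visit passes, a swapped certificate is flagged."""
    store = PinStore()                      # in-memory only for the demo
    accept = lambda host, fp: True          # stands in for the user's confirmation
    first = store.check("camera.local", CAMERA_CERT_V1, accept)
    again = store.check("camera.local", CAMERA_CERT_V1, accept)
    swapped = store.check("camera.local", CAMERA_CERT_V2, accept)
    return first, again, swapped


if __name__ == "__main__":
    print(demo())   # expected: ('pinned', 'ok', 'mismatch')
```

The "mismatch" branch is the one that matters for security: after the first visit, a different certificate on the same host name means either a legitimate reset of the camera or an interposed device, and the client cannot tell which, so it must refuse and make the user re-verify rather than silently re-pin.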

Clive Robinson • November 8, 2018 7:29 PM

@ K.s., Faustus,

However, I agree, browsers should be more lenient in cases of self-signed certificates and should be able to pin them by default.

Remember "technology is agnostic to use" and that "It's the directing mind that decides good or bad use".

I can see the rudiments of how you might go about abusing such a process both technically and by social engineering.

Or to put it another way, nearly all cheap high-bandwidth IoT devices come with what in earlier times would have been considered malware. It would be nice if we could say they were all "no-name Chinese manufactured" but we cannot, because some more reputable names have also jumped into what is effectively the "collect it all game".

The question is "why?" and the answer turns out to be runaway marketing "featurism". One manufacturer offers a very insecure but "neat" feature, and the next copies it and around it goes; at each turn the feature gets less securely implemented to "get it out the door".

It's long been known that consumers tend to "buy into specmanship", that is, the more "green ticks" and fewer "red ticks" in those "feature comparison charts" you get with "product round-up reviews", the more product will get sold. Thus marketing departments actually invent new "features" just to get a green tick that the other products will have red crosses for...

Whilst most people will say "that's a stupid way" to make a purchasing decision, most of us fall for it one way or another.

Now, not wishing to be nasty, but when it comes to security "Stupid is as Stupid does". It does not take a mastermind to work out that there are two effects of featurism on a product:

1, Much increased complexity (code, standards, protocols, interactions).
2, Much reduced testing per feature.

Thus the likelihood that product security will be "adversely affected" by each additional feature is quite high.

Those of us old enough to have been in more experienced positions back in the 1980s and 1990s can remember all of these problems with the likes of Microsoft and other major vendors. It was a "train wreck" market racing to the bottom. It got so bad that even Bill Gates acknowledged that it was bad and started making changes to Microsoft's production methods.

Whilst we are seeing the same "featurism" in IoT, Smart Devices, etc., what we don't have is a dominant player who can force a change in the market. As others have noted on this blog, "security does not sell" for various reasons, with "featurism" or "specmanship" being quite high on the list.

If we make "being insecure" easier in web browsers to cater for "insecure devices", then it's guaranteed that we will see a decrease in security not just for those doing the "Stupid is as Stupid does" but for everyone else as well. That is, whilst a rising tide lifts all boats, the reverse is even more true: "A falling tide sinks all ships", in a Titanic way.
