D-Link DCS-2360L camera unencrypted video

This D-Link Camera Has a Huge Security Flaw, According to Consumer Reports

Internet-enabled and IoT devices have made it possible to deploy a custom home security system. One can purchase many wireless security cameras, sensors and motion detectors and install them around their home or property.

The beauty of a DIY system is that you do not need to purchase or set aside funds for a monthly subscription — at least not if you don’t want to. Many smart home cameras offer some form of cloud monitoring and additional support, but it’s not a requirement for using the devices. You could just as easily store the video content locally and browse it on your own time. The data streams can also be monitored remotely via a mobile device, web connection or similar setup.

Of course, having a device or platform connected to the open internet does pose several risks and vulnerabilities. An internet-connected baby monitor, for instance, could have its wireless signal hijacked. Suddenly, that live video stream of your child’s nursery goes from being something useful and safe to something dangerous.

It happens more often than you might realize. According to Consumer Reports, that’s exactly the case with a wireless home security camera manufactured and sold by D-Link.

During their investigation, the CR team tested a total of six different wireless home security cameras to see just how secure they are. It turns out, the D-Link DCS-263L transmits unencrypted video across the web. If someone gains access to the stream, they can see everything the camera does.

Other brands involved include Amazon, Arlo, Canary and a couple of Nest models. While the other cameras did have mixed results in regards to security and privacy, the D-Link camera was the only one transmitting unencrypted video.

How Is the D-Link DCS-263L Camera Vulnerable?

Just stating that the D-Link DCS-263L camera is vulnerable is not a good explanation of what’s going on. You see, like the other brands, D-Link’s camera does take advantage of a cloud service, where the video is transmitted to corporate servers. The data being shared is protected by a secure encryption and much less vulnerable.

A unique feature of the DCS-263L model is the culprit. With D-Link’s camera, you can enable remote viewing access for web browsers. Activating this essentially bypasses the corporate servers, establishing a local web server on the camera itself. In turn, the video content being transmitted and stored is not encrypted.

So, if a hacker or stranger is able to discern the IP address of the camera, they could easily connect and view the live feed. You do have to set a password to enable remote access, which offers some degree of protection. However, if you were to use anything other than a strong password, your system remains vulnerable.

And while there have been no public reports about a D-Link camera being attacked, that doesn’t mean it won’t and will not happen eventually.

The Mirai botnet that infested the interwebs back in 2016 was able to infiltrate a number of IoT devices, including security cameras. It was a particularly heinous form of malware that turned any infected machines into a node as part of a botnet. Collectively, that network of unsecured devices was used to attack alternate websites and a variety of infrastructures including corporate networks. Distributed Denial of Service (DDOS) attacks were often leveraged using the Mirai botnet.

This shows that even if a security camera or content feed is not scooped up and used to spy on individuals, the device itself can be leveraged for nefarious deeds — just like those infected by Mirai. It also serves as proof that this has happened before and most likely will happen again.

So, why would anyone want home security devices then, especially security cameras?

A security system — cameras and all — is an excellent deterrent for preventing burglaries and robberies. Around 83 percent of burglars say they will case a home to see if an alarm is present before attempting a theft. Only 13 percent revealed they would go forward with their plans if a security system was discovered. It makes sense then why anyone would be keen on installing their own security solutions, many of which tend to offer convenient remote access and controls.

That said, there must be a way to protect these systems from outside influence and attacks.

What’s the Solution?

Obviously, the answer is not to swear off these technologies and devices completely. They do have their uses, and there are many benefits to installing home security equipment, even the IoT and internet-enabled kind.

The best solution is, of course, to follow safe and appropriate security protocols. Don’t use stock passwords and usernames for the devices and systems. Always change to custom login details, and use strong passwords that incorporate a mix of numbers, upper and lowercase letters and symbols.

Furthermore, avoid sharing access to your devices and network with people you do not trust. When you do provide access, do not allow anyone direct control. There are usually administrative tools to ensure those connected to your network cannot make configuration changes or access secure hardware such as your router.

Regularly check with your devices and systems to see who is accessing them, and how they are being used. Many IoT systems include a performance or status log that reveals connection and usage details.

You may also use Shodan, “the world’s most dangerous search engine” to find internet-connected devices that are easily accessed by outsiders. It allows you to see just how vulnerable your smart home and IoT devices actually are.

By applying these measures, you can ensure that your network, devices, and family are as safe as possible. There are no guarantees a cyber-attack will never happen, but following these tips can decrease the likelihood.

Scroll to Top