August 24

0 comments

I’m going to retire my Dlink Cameras due to a security risk

By Christopher G Mendla

August 24, 2019


Last Updated on September 28, 2023 by Christopher G Mendla

Unfortunately I will have to retire my Dlink cameras due to a security risk. In order to access my dLink cameras, I need to significantly lower the security settings on my Chrome browser

UPDATE – Aug 2020 – A friend asked about my preferences as far as security cameras I haven’t checked back on dLink since I disconnected them due to them wanting me to lower my security settings for my browsers. I’ve had good results with Arlo and WYZE so I’m staying with those for now.

Security issues

I have a dLink DCS-933L and DCS-936L camera installed in my home. The interface was slow compared to my Arlo and Wyze cameras so I wasn’t using them. 

I installed a Wyze in the room where I had my DSC-933L.  I was going to install the dLink in my garage. When I went to login to my dlink dashboard, it hung on loading. 

Mydlink services plugin (Security issues)
Mydlink services plugin (Security issues)

I tried to install the plugin for the dashboard on Firefox but that failed to install three times.  However, I did see a notice while using Firefox to access dlink that there was an issue with the Chrome Plugin 

Google Chrome v76 loading issue

2019/08/15 21:30

If you are using Chrome v76 or above, please follow the extra steps below after installing the plugin: 1. Launch Google Chrome. Type chrome://flags in the address bar. 2. Type “native client” in the search bar and selecte “Enabled”. 3. Relaunch Chrome.

A risky ‘fix’

Changing settings in your browser can be risky. I did some quick checking and found a discussion on Stack Overflow explaining the risks of enabling the Native Client

Even though an attacker cannot be able to tamper with other tabs, they can probably tamper with websites in the current tab, including possibly simulating events to load other domains into the owned tab. As long as a renderer can cause page transitions, owning any renderer allows you to craft credential (cookie) carrying requests to any domain. This opens all the same holes as XSRF, but possibly with the ability to keylog if the user interacts with the resulting page.

And this from the same thread

 But… beware that if the attacker can take over the renderer process, they can tamper with all web sites (breaching the same-origin policy), since Chrome’s privilege separation does not isolate one web site from another. Therefore, a breach of the NaCl sandbox would be bad

If I don’t accept the insane risk and allow Chrome’s native client to be enabled, then I can’t access my cameras. That leaves me with two crappy paperweights.  I can replace the dlink’s with two $25 Wyze cameras.

Mothballing the dlinks rather than take a security risk

I’ll mothball them for the time being to see if dlink fixes their dashboard so that you can access it without modifying security settings. 

There are two major problems with their “fix”.  

  1. The average non technical user will probably have a hard time following their ‘instructions’.
  2. Following their instructions will arguably decrease the security of your system. 

I will NOT lower the security of my browser in order to use ONE piece of software. I keep Chrome up to date to MINIMIZE my security exposure.

UPDATE – This just gets better. I though I’d give dlink one last chance by trying the Edge browser. What I got was a notice that the Edge Browser was not supported.  You have to be kidding me.  

If they don’t come out with a fix soon, I’m going to re-purpose the cameras by placing them outside as fakes. I can just picture the following dialog between two burglars. 

Burglar #1 “Uh oh, they have cameras”
Burglar #2 “you moron, those are dlinks”

Mydlink camera interface does not support the Edge browser. WTF?  This situation will cause me to retire my Dlink Cameras because of a security Risk.
Mydlink camera interface does not support the Edge browser. WTF?

Summary – The decision to retire my Dlink Cameras due to a security risk.

The two Dlink cameras that I was using were pretty much meeting my needs. However, I just couldn’t accept the risk of lowering the security on my browser. I purchased a Wyze camera and so far that seems to be doing exactly what I need. 

I have my old Dlink Cameras relocated to act as dummy cameras rather than put them in storage or recycle them. In other words, even though they are not powered or connected I mount them around the house in places such as above my shed doors. Even though they aren’t functional, they might provide a bit of a deterrent to someone with bad intent.

Christopher G Mendla

About the author

A web developer living in Southampton, PA

Self motivated critical thinker and problem solver providing technology consulting services.

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}