I’m going to retire my Dlink Cameras due to a security risk
In order to access my dLink cameras, I need to significantly lower the security settings on my Chrome browser
I have a dLink DCS-933L and DCS-936L camera installed in my home. The interface was slow compared to my Arlo and Wyze cameras so I wasn’t using them.
I installed a Wyze in the room where I had my DSC-933L. I was going to install the dLink in my garage. When I went to login to my dlink dashboard, it hung on loading.
I tried to install the plugin for the dashboard on Firefox but that failed to install three times. However, I did see a notice while using Firefox to access dlink that there was an issue with the Chrome Plugin
Google Chrome v76 loading issue
If you are using Chrome v76 or above, please follow the extra steps below after installing the plugin: 1. Launch Google Chrome. Type chrome://flags in the address bar. 2. Type “native client” in the search bar and selecte “Enabled”. 3. Relaunch Chrome.
Changing settings in your browser can be risky. I did some quick checking and found a discussion on Stack Overflow explaining the risks of enabling the Native Client.
Even though an attacker cannot be able to tamper with other tabs, they can probably tamper with websites in the current tab, including possibly simulating events to load other domains into the owned tab. As long as a renderer can cause page transitions, owning any renderer allows you to craft credential (cookie) carrying requests to any domain. This opens all the same holes as XSRF, but possibly with the ability to keylog if the user interacts with the resulting page.
And this from the same thread
But… beware that if the attacker can take over the renderer process, they can tamper with all web sites (breaching the same-origin policy), since Chrome’s privilege separation does not isolate one web site from another. Therefore, a breach of the NaCl sandbox would be bad
If I don’t accept the insane risk and allow Chrome’s native client to be enabled, then I can’t access my cameras. That leaves me with two crappy paperweights. I can replace the dlink’s with two $25 Wyze cameras.
I’ll mothball them for the time being to see if dlink fixes their dashboard so that you can access it without modifying security settings.
There are two major problems with their “fix”.
- The average non technical user will probably have a hard time following their ‘instructions’.
- Following their instructions will arguably decrease the security of your system.
SUMMARY : I will NOT lower the security of my browser in order to use ONE piece of software. I keep Chrome up to date to MINIMIZE my security exposure.
UPDATE – This just gets better. I though I’d give dlink one last chance by trying the Edge browser. What I got was a notice that the Edge Browser was not supported. You have to be kidding me.
If they don’t come out with a fix soon, I’m going to re-purpose the cameras by placing them outside as fakes. I can just picture the following dialog between two burglars.
Burglar #1 “Uh oh, they have cameras”
Burglar #2 “you moron, those are dlinks”
- k9 email client for the droid
- D-Link DCH S160 Wifi Water sensor – SETUP HELL!!
- Have Google do a quick security check on your Google account with the Google Security Check
- A neat tool to check the browser/environment.
- “Access is denied” trying to re install an HP1102w on Windows 7 – SOLVED
- Guardzilla won’t work with my Moto XT
- Check your Ninja Forms forms for browser autocomplete functionality
- Chrome ending support for Java, Silverlight and Flash???