July 2020 Raw Data Release & Recommendations: Connected Cameras
Product designer and researcher, formerly at Consumer Reports.
Consumer Reports just released our latest Connected Camera ratings, which include the Digital Standard subscores on data privacy + security. Today we are publishing raw data from our Connected Cameras Digital Standard testing and share some of the findings from our recent webinar:
The methods for this round of testing focus include:
Inspection of product and settings including setup process, account registration, settings menus and mobile apps
Technical testing on the mobile app, network traffic, research on known vulnerabilities, kernel versions, etc. and pentests.
Document review: privacy policies, terms of service and other readily accessible public information.
Raw data release
We are publishing 3 raw documents that our testing team uses to establish privacy and security related scores for connected cameras. We have modified the documents slightly to remove sensitive data.
Workbook — This is the working document our testing team uses to analyze and score each connected camera. We provide a pivot table to show how we map these test questions back to criteria and indicators from the Digital Standard.
> Download the workbook here (Excel Document)
Test Protocol — CR’s External Audience Protocol (EAP) summarizes for manufacturers the Digital Standard indicators we include in our connected cameras data privacy and security evaluation.
> Download the test protocol here (PDF)
Connected Cameras Digital Standard Test Summary — This document is what our testing team uses in order to keep the record of our testing process and findings. Usually, it includes methodology, finding highlights, and overall suggestions, which make up a high-level summary of the findings.
> Download the test summary here (PDF)
In January, Consumer Reports wrote a letter to 25 companies highlighting 10 practices and features that all connected cameras should have to improve the security of these products:
Automatic firmware and software updates enabled by default
Protections against credential stuffing and reuse
Require multi-factor authentication and captchas in the authentication system
Email notifications when a login occurs from a new device or a new IP address
Require users to sign back in after changing a password
Confirm with the user when credentials have been changed
Password creation rules that require more security passwords
Compatibility with password managers
Increase protection against brute-force dictionary attacks by rate-limiting login attempts
Visible indication (e.g. a prominent LED light) when cameras or microphones are active
Despite all the news of security cameras easily getting hacked, many manufacturers have yet to implement two-factor authentication. Cameras from Blue by ADT, Canary, D-Link, Eufy, Honeywell Home, Logitech, Toucan, TP-Link, and Zmodo all lack this feature.
Consumer Reports has reached out to these brands asking if and when they plan to implement two-factor authentication, and received responses from six:
Blue by ADT will add multi-factor authentication before the end of the year.
Canary will be adding it soon.
Eufy is starting to deploy two-factor authentication in the US now.
Honeywell Home is looking into ways to add it.
Logitech says the feature is being “actively developed.”
TP-Link is “targeting” a release for the feature in Q4.
We also rate how well companies’ privacy policies protect consumers. Google Nest stood out for providing the most information of all the companies in our tests, but its policies were less impressive. It does a good job disclosing what user data it shares and with whom, but it doesn’t offer good tools for obtaining and deleting your data, nor does it try to minimize data collection. It earns a Good rating in our data privacy tests.
Seven other brands also earn a Good rating: Amazon, Blink, Blue by ADT, Canary, D-Link, Logitech, and Ring (you may be surprised to see Ring earn a Good rating considering the recent controversy over the company granting local police the ability to request footage from users, but it does offer customers the ability to opt-out of such requests, and claims to neither sell nor give away your data).
We welcome feedback on how to strengthen our testing frameworks, ideas for follow on research, or ways to expand the Digital Standard. Please reach out if you have any questions or feedback: firstname.lastname@example.org.