AP's recent news story highlighting a potential security concern with the Nikon D750’s Wi-Fi has whipped up a storm of debate on the internet, with some commentators claiming that we’ve invented a sensationalist non-story, or simply been unable to read the manual. AP sets the record straight...



NOTE: this article was edited on 29th September 2014 to correct an error regarding the use of WPS with Android devices.

To put the record straight, here’s a clarification of our position:

1) By default, Nikon sets up an unsecured wireless network when the D750 is connected to a smart device. No other camera manufacturer does this. Most use a secured, password-protected network with a pre-set key, set up either by manually typing into your phone a password that’s displayed on the camera’s screen, or by shortcuts such as NFC, QR codes, or Bluetooth. An alternative method is to require that any smart device trying to connect be validated by pressing a button on the camera.

2) In Nikon’s default, unsecured state, another smartphone user with the Nikon Wireless Mobile Utility (WMU) app can connect to the camera without requiring the owner’s approval, and download images without their knowledge. Only one device can connect at any time, though, so if your own phone is connected, your images are safe. But if your camera has Wi-Fi turned on and your phone isn’t connected, they’re not. No other camera Wi-Fi system will let this happen.

3) Neither the camera nor the Wireless Mobile Utility app ever prompts the user to set up a password to secure the camera. We believe that the onus should not be on the user to establish the security of their setup; instead it should be secure by default. This is how all other cameras work, not to mention Wi-Fi SD cards, Wi-Fi card readers and the like.

4) The D750 camera manual has a small section on security on page xxvi, that warns of possible risks to your data if security is not enabled. The Wi-Fi section of the manual talks about using WPS security, which is an option on some Android devices, and which we’d strongly recommend using if possible. However the manual doesn’t mention how to set up a secure connection to a smartphone when connecting directly to the camera’s SSID, which all iOS users will have to do.

5) To establish a secure connection with a mobile device, you have to enable this from the WMU app when the camera is connected. This is done from the Settings menu: enter the WMA settings section, enable WPA2-PSK-AES authentication, and enter a password when prompted. But Nikon doesn’t explicitly tell the user that they should do this when they’re using the app – it’s simply a setting they have to find for themselves.

6) The Wireless Mobile Utility app has a downloadable PDF manual, which is linked from the iOS version of the app (but not, apparently, from the Android version at present). If you search it for ‘Security’, ‘setup’ or ‘WPA’, you’ll get no matches. On page 20 it describes all of the menu options for setting up a password, but it never explicitly advises the user that this should be set.

7) In playback mode, you can mark up images for transfer to a smart device. These will automatically be pushed to the first device that connects with the WMU app. Because unauthorised devices can connect without the owner’s knowledge, they could conceivably receive these images simply by connecting to your camera.

So in summary, by default the D750 sets up an unsecured connection on an Android or iOS smart device, which other manufacturers’ Wi-Fi systems simply don’t allow. Unless the user takes the trouble firstly to work out that they need to set up WPA2 security, and secondly how to do this, then their camera’s Wi-Fi will remain unsecured. If they have Wi-Fi turned on in a public space without their own device connected to the camera, other people can connect and browse their SD card using no special equipment – just a mobile device with the WMU app installed.

It’s important to make clear that we’re not saying the D750 is inherently insecure, once it’s been set up correctly by the user. Turn on WPA2 encryption and your images are safe. The problem is that it’s insecure in the way that it’s set up out-of-the-box, or indeed if its network settings are returned to their defaults, and we don’t think Nikon adequately explains to the user how to fix this. There’s no prompt either by the camera or the app, or instructions in their respective manuals, specifically telling users to set up a password.
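Because a reset to defaults silently reopens the network, it is worth checking what the camera actually advertises after you change the setting. The script below is an added example, not from the original article or from Nikon: it classifies your own camera’s SSID as open, weak or protected from a Wi-Fi scan. It assumes a Linux laptop with NetworkManager’s `nmcli`; the SSIDs and the sample scan are constructed placeholders.

```python
import subprocess
import sys

# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# The SSIDs are placeholders, not real camera identifiers.
SAMPLE_SCAN = "\n".join([
    "CAMERA-EXAMPLE-01:",           # empty SECURITY field: open network
    "CAMERA-EXAMPLE-02:WPA2",
    r"Cafe\: Guest:WPA1 WPA2",      # nmcli escapes ':' inside an SSID
    "OldRouter:WEP",
    "HomeNet:WPA2 WPA3",
])

RANK = ["open", "weak", "protected"]  # worst first


def split_terse(line):
    """Split one nmcli terse-mode line on ':' honouring backslash escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character is literal
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def classify(security):
    """Map a SECURITY field to open / weak / protected.

    The field names the key-management family only; it does not show
    whether the cipher is AES, so this confirms 'not open', not 'AES'.
    """
    tokens = set(security.upper().split())
    tokens.discard("--")  # tabular mode prints '--' for open networks
    if not tokens:
        return "open"
    if tokens & {"WPA2", "WPA3"}:
        return "protected"
    return "weak"  # WEP or WPA1 only


def audit(scan_text, watch_ssids):
    """Return {ssid: state} for each watched SSID present in the scan."""
    results = {}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        ssid = fields[0]
        security = fields[1] if len(fields) > 1 else ""
        if ssid in watch_ssids:
            state = classify(security)
            # An SSID can appear more than once; keep the worst state seen.
            results[ssid] = min(results.get(ssid, state), state, key=RANK.index)
    return results


def live_scan():
    """Run a real scan; requires nmcli on the machine doing the check."""
    return subprocess.run(
        ["nmcli", "-t", "-f", "SSID,SECURITY", "device", "wifi", "list"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # With arguments: scan live for the SSIDs you name (your own camera).
    # Without: run against the constructed sample above.
    ssids = set(sys.argv[1:]) or {"CAMERA-EXAMPLE-01", "CAMERA-EXAMPLE-02"}
    scan = live_scan() if sys.argv[1:] else SAMPLE_SCAN
    for ssid, state in sorted(audit(scan, ssids).items()):
        print(f"{ssid}: {state}")
```

Run it with your camera’s SSID as the argument while the camera’s Wi-Fi is on and your phone is disconnected, which is the state the article describes as exposed.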

In the past, other companies have received plenty of criticism for not securing their customers’ data by default, and we don’t think Nikon should be any different. We think that the onus shouldn’t be on the owner to change some settings to secure their images, it should be on the equipment provider to set this up in the first place. Sadly Nikon hasn’t succeeded at this. We’d like to see an update to the WMU app, requiring a password to be entered on first use, which would resolve the issue immediately.

  • Sam Chapman

    Since Nikon has, in the past, dealt with this issue differently on their other cameras, this seems to me a case of not bothering/forgetting to implement what they have on their other products. As for this being a ‘Scaremongering’ type article, I totally disagree with that assessment. Whilst there are probably a large number of users who are aware of, and are capable of sorting this out, there are equally, amongst these, a fair number who just presume things will by default be ok, or just can’t be bothered to do what they need to, to make things secure.

    As for the ‘reporting the issue’ side of things, it should be pointed out that up until not too many years ago, car manufacturers much preferred ‘Issues’ they had with their vehicles, not made public, with some pretty undesirable consequences. Obviously this issue isn’t in the same league, but surely, being up-front about an ‘Issue’, is going to mean that their products are going to be MORE highly-regarded and trusted, than would be the case if they ‘shut-up’ about it.

    Most people register their cameras with the importer/distributor concerned, in which case, at that point, they can automatically inform those who do, of ‘issues’ as and when they arise, via the e-mail address the buyer usually supplies. How many actually use such a strategy, I don’t know, and maybe AP could ask some of the importers/distributors if indeed they would do something like this, if an issue arose and publish their findings on this?

  • Mark

    Ah! Feel the love in the comments section!
    I, for one, found the article to be quite informative and although I’m not an amateur photographer, I headed over here from another site and found the Nikon D750 wi-fi matter worth pointing out. It seems that it’s fixable once you figure out the menus, settings, buttons and dials on the camera but I have to say that I’m not sure what Nikon was thinking on this. Regardless, I doubt that Nikon will be setting up a default unsecured wi-fi connection on the D751 which, based on this matter, will probably be out rather soon.

  • Amateur Photographer

    Thanks for pointing this out. We’ve now got WPS to work with an Android device, so have amended the article to recommend its use.

  • EnglishPaul

    Reposted from a comment on Petapixel from the D750 manual. Seems Nikon were pretty clear to me. Maybe Nikon should send a guy to take the photos for you as well AP?

    Although one of the benefits of this product is that it allows others to freely connect for the wireless exchange of data anywhere within its range, the following may occur if security is not enabled:
    Data theft: Malicious third-parties may intercept wireless transmissions to steal user IDs, passwords, and other personal information.
    Unauthorized access: Unauthorized users may gain access to the network and alter data or perform other malicious actions. Note that due to the design of wireless networks, specialized attacks may allow unauthorized access even when security is enabled.

    • Authentication: Open system, WPA2-PSK
    • Encryption: AES

  • dgr

    “We think that the onus shouldn’t be on the owner to change some settings to secure their images, it should be on the equipment provider to set this up in the first place.”

    Why is this Nikon’s responsibility? I’d rather have control and set it up any way I want to. You’re still blaming Nikon for giving the end user a choice on how to set up their wireless connection.

  • Naveen

    I am sorry, but this is simply a misinterpretation. The manual on page 284 says, “Smart device: Select Wi-Fi settings > WPS button connection.” I took this to mean the WPS button that is clearly displayed on my WiFi Settings screen, and surely enough, using that after selecting “Push WPS” on the camera per the manual allowed me to establish a connection within seconds.

    Did you even try doing this with an Android device? It sounds like you are simply theorizing. I’d advise you to give it a shot. If you agree that it is in fact quite simple, I think that you should amend your article to reflect that fact. In its current state, it is very misleading for Android users like me. Your article made me needlessly worried that I wasn’t going to be able to use WPS, when in fact it was the simplest secure WiFi connection I’ve ever done.

  • Shaul Boilov

    Well it seems most think you’re trying to make something out of nothing, this is a non-issue. It certainly isn’t as dramatic as you’ve first published it.

  • Amateur Photographer

    A default password would be more secure than no password at all, especially if the app prompted the user to change it on first opening.

    Equally other camera manufacturers’ Wi-Fi systems show how trivial it is to establish randomised passwords per device, but still allow easy setup using (for example) NFC or QR codes, or simply displaying the password on the camera’s screen when it’s needed.

    Your D750 is secure if you have a device connected to it, but using the default settings, it’s not secure when you don’t. There are plenty of real-world scenarios where this might happen, for example you might turn off Wi-Fi on your phone to post your latest pictures to social media, but leave the camera’s Wi-Fi turned on so you can re-access it again shortly. During this time, though, other people would be able to access your camera without your permission.

    In reality, easy-to-use yet secured Wi-Fi for mobile devices is a solved problem, and has been for some time. Other camera and accessory manufacturers all use secured systems by default, and we think Nikon should too.

  • Amateur Photographer

    Many Android devices support using WPS to connect to an existing secured router. Select ‘WPS push button’ in the Wi-Fi menu, tap the button on the router, and you join the network. This allows the network owner to ensure only approved devices can connect, without having to remember and give out passwords.

    However, if you read the D750 manual carefully, you’ll see that it’s asking you to do something different. It wants you to press the WPS button on your Android device, as if it were the router. The problem here is that your device doesn’t obviously have one (although it’s possible that a phone set up as a personal hot spot might have a virtual WPS button).

    If you can’t find a WPS button on your phone, you’ll have to connect to the camera’s SSID, just like iOS users do. At this point, you need to secure the network yourself, by entering a password from the WMU app.

  • EnglishPaul

    Your original article sensationally claimed that the D750 used an unsecured network which allowed anybody with a smart phone to steal pictures. Now it seems your complaint is the wording of the manual does not make it clear how to set up a secure network. Why didn’t AP simply state this in the review and clarify the means to do this? That would’ve been far more useful to your readers, it wouldn’t have got as many clicks though.
    Do you honestly believe that someone setting up a WIFI connection would be unaware of the need to use a password etc to secure it? If they needed a secure network do you believe they wouldn’t check the connection. If you do then it is only AP’s technical department that seems to be struggling with this concept.
    AP set out to grab a headline, to sensationalise and exaggerate and in so doing may have caused Nikon financial harm. Fortunately NR which linked to AP’s story has since distanced itself from it stating that AP was misleading people. The saddest thing and a reflection of what AP has become is that you never even mentioned photography. What about the images this camera is capable of helping a photographer capture?

  • Shaul Boilov

    Oh for heaven’s sake, so if Nikon would have setup the camera to a default password like 12345, that would have been secure? Come on, if someone wants to access your camera with his phone wouldn’t he know the default password? And besides, the camera comes with the WiFi turned off, so if the user turns it on he would probably connect the smart device to the camera in which case, as you’ve stated above, only one device can connect, which again makes the whole thing secure, this is just sad to say the least, give it a rest.

  • entoman

    Fortunately I don’t think the alarmist click-bait article in AP will do any harm to Nikon sales. The D750 is by all accounts a fabulous camera for advanced amateurs and semi-pros, who will have more sense than to be put off by the very AMATEUR Photographer article.

    Sadly the only people who will suffer are AP, as they have severely discredited the magazine/website, and made matters even worse for themselves by their pointless attempt to “put the record straight”.

    Very poor journalism, very unprofessional.

  • Davidvictormeldrew Idontbeliev

    I’d like to see an Apple iPad steal 30mb+ per image of raw pictures taken by the D750 – one thing is the time to transfer these raw images and the other is amount or lack of storage space on the device themselves; they’re likely to give up – however as the device is open could someone plant a piece of software to do some malicious damage on your camera? Therefore agree that there should be extra info detailed in the manual or some default security set on in the first place. But don’t agree with the alarmist end-of-the world article in the first place and in the first place they should have put extra information as described above and steps on how to explain on how to secure the device rather than an OTT article which has done a lot of damage to AP and possibly to Nikon sales of this camera.

  • Davidvictormeldrew Idontbeliev

    Ok but you shouldn’t put out an OTT headline in the first place but explained like you did above on the first post of this article and put your guide on how to secure the connection on day one of this article – that’s my beef (kudos in doing this) but Nikon should also come out with a separate guide/manual or a fuller section in the manual on how to secure the connection fully. Also your suggestion of each camera being set to random default password and viewable on LCD is a good idea and Nikon should either enforce this along with the first time using the mobile/transfer software should enforce some level of base Wi-fi security.

  • Davidvictormeldrew Idontbeliev

    Agree some say very sloppy and damaging article which could harm sales and Nikon reputation; if they put the information above with a less OTT Title and explain how to set up the security to sufficient level then I and others would be fine with this.

  • whisky

    step one. read the manual. wisdom will follow. publish accordingly.
    AP gets credit for its pseudo-retraction, but still gets hit a notch in the credibility belt.

  • Naveen

    You write, “To the best of our knowledge, [WPS is] not supported by either iOS or Android smart devices.” I have a Google Nexus 5, and it supports WPS. A quick internet search reveals that the Samsung Galaxy line and the HTC One, two of the most popular Android phones, also appear to support WPS. iOS doesn’t appear to support WPS, but in the D750 manual WPS is not an option for iOS anyway. Am I missing something here?

    I am not writing just to point out an error; I actually ordered a D750, and it’s arriving later today. Having read the manual already, I was planning to use WPS to connect my phone/tablet to the camera, but your article makes it sound like this is not in fact possible. If you could please explain I’d really appreciate it. Thank you.

  • Amateur Photographer

    The D750’s manual doesn’t explain how to set up a password to secure your connection to a mobile device using WPA. The WMU app’s manual doesn’t warn you that you should set a password either, it simply lists the menu option where one can be set without explaining its importance. The WMU manual isn’t even linked from the Android app, either.

  • entoman

    Click bait – yes that sums it up very well.

  • Amateur Photographer

    Sorry but your opening claim is simply incorrect; the fact is that pretty much every Wi-Fi device designed for mobile use is secured by default. This includes every other brand’s in-camera Wi-Fi systems, Wi-Fi SD cards from Eye-Fi and Transcend, Wi-Fi card readers, and My-Fi devices. Nikon’s setup is the only one we’re aware of that can allow another user to download images from a camera without the owner’s knowledge or consent. Nikon doesn’t explain in the camera manual how to secure the connection to a mobile device, either. (It might appear to, but the only protocol it describes isn’t applicable to Apple devices, or the vast majority of Android devices.) This is why we’ve published our own step-by-step guide.

    Obviously certain conditions have to be met for this risk to be exploitable. But it’s a vulnerability nonetheless, and one that other brands’ Wi-Fi enabled cameras simply don’t share.

  • Almost every device sold (including most routers) are set to no authentication by default.

    You almost always have to set up authentication. And if the user isn’t bright enough to figure out the simple settings in the camera, then they probably shouldn’t be doing anything too complicated, like walking or breathing, because setting this up for secure is dead simple.

    In either case, the article was written in an alarmist fashion – for someone to actively steal your photos, they have to:

    1) guess that you have a camera that has WiFi

    2) guess that you have an unsecured network

    3) be near you when you actually have WiFi on

    4) be very close to your camera (30 ft. or so)

    5) have the Nikon app installed on their device

    6) attempt to steal your images while you are not shooting, or are not connected to your own device (because it only connects to one device at a time, it’s a peer to peer connection, not a bridge).

    7) actually want to steal your photos.

    If you are a shooter of any caliber, you learn/know your equipment, and this is all a moot point anyways.

    Otherwise, the risk is the equivalent of me worried about someone randomly breaking into my apartment, which is on the 23rd floor of a 60 story building then finding the snapshots that I keep in my sock drawer.

    Can it be done? sure.

    How likely is the scenario? Very unlikely.

    And the reality is there is almost no incentive for someone to do this.

  • EnglishPaul

    Nikon chose to have users set up security as desired and to have everything work out of the box. Whole operating systems are configured this way and it’s an equally valid decision. WIFI is not enabled by default and nobody is going to have it permanently enabled. Your original article, picked up by NR and Petapixel amongst others, deliberately takes a sensationalist, alarmist tone and is misleading in the extreme. Readers of the headline are left with the impression that the D750 uses an open network. Your “clarification” of “by default” is typically tabloid tiny. The facts are that setting up a secure network on the D750 is not a problem – some posters saying it took them 30 seconds! – if the user takes the time to read the manual or is anyway familiar with WIFI networks. No photographer is going to buy a camera at this price point and not set it up. AP have acted irresponsibly with this report as the last thing Nikon needs is people gleefully reporting “another Nikon blunder” when in fact there is none. Do the right thing and retract this now as AP’s reputation and competency is being questioned by many.

  • Read the FAQ

    Click bait. I’m going to assume that’s what AP was doing here. It’s become an internet phenomenon and it’s getting more and more irresponsible. Yes, it’s also something journalism has suffered historically (‘yellow journalism’) but in the electronic age it’s become more insidious because of its immediacy.

    Don’t try to get your education from the internet or at the very least, keep an open mind and use your intellect to comb through the debris. And don’t take everything at face value. These are techniques we’ve always employed in the past but need to be even more vigilant in the electronic age where misleading ‘sensationalism’ gets instantly disseminated and spreads like out of control fires (and unfortunately is not reversible; i.e., rumor mongering.) The damage has already been done by AP, including their own loss of credibility.

  • NFan

    Now “Amateur Photographer” is hell bent to dig a deeper grave for itself. Instead of this “To put the record straight” article, you should apologize for not reading the manual and move on. By trying to justify your incorrect and probably paid attack on Nikon, you are just making yourself look retarded.

  • Amateur Photographer

    The problem with your argument is that other camera brands have solved the problems you described easily enough. Usually each camera comes with its own password, which is displayed on the LCD screen when the owner wants to make a new connection. This means those connections are always secured, with no need for the owner to write anything down.

  • Amateur Photographer

    WPS is fine for connecting the camera to an existing secure network. But the D750 is designed to be used with a smartphone, at which point the method of connection changes completely. The camera establishes the network, and the phone connects to it. This is described on page 282 of the D750 manual, which instructs you simply to connect your device to the camera’s SSID for mobile devices that don’t have a WPS button (which includes all iOS, and practically all Android devices).

    The problem is that by default this network isn’t secure (unlike any other brand), and Nikon offers no instructions on how to set up a password and make the connection secure. The password isn’t set up on the camera itself, either, but has to be entered from the WMU app, as described in our accompanying article.

  • entoman

    I think you’ve overplayed the story in a sensationalist manner, which discredits AP.

    For 99% of amateur users, the risk of having their images accessed by someone deliberately following them around and hacking into their camera is pretty damned unlikely!

    Pros are far more likely to buy a D810 or a D4 than a D750, which is basically a revved up D610 with a tilting screen. Any pro who buys the D750 (as a backup?) will in any case be quite capable of sorting out a secure wi-fi connection.

  • When you enter the WiFi menu on the D750, you first enable the WiFi capability, then directly below this you choose the type of connection you want, either Push-Button WPS, or PIN-entry WPS. This is common for many WiFi enabled devices – every WiFi router I’ve ever owned started with authentication disabled – you had to enable it, just like you do with the Nikon interface. Many WiFi enabled devices work this way, or come with a default password, which many users never change.

    You state in this article “…we’re not saying that the D750 is inherently insecure”, but yet the headline of your article is “Nikon D750 Wi-Fi app: Security risk surfaces”. Which is pretty much the same thing.

    This isn’t a security risk, it’s merely a common step to enable authentication on a WiFi device.

    Additionally – you can only have one connection between your camera and a single device at a time – are you leaving WiFi on at all times? If so, goodbye battery life…

  • EnglishPaul

    The fact is that any user of wifi knows how to set up a secure connection and we’re not seeing any D750 owners complaining of the insecurity of their devices. The devices would be no more secure if they came with a default password, quite the opposite as everyone would know it. If they came with randomly generated passwords there would be a lot of people finding themselves locked out months later when the paperwork has gone missing and they hadn’t written it down. Nikon took a decision to make the cameras easy to connect to and then secure. AP took the decision to invent a fault with the D750 to drive traffic to this website. Most commentators have seen through this fortunately and you only make yourselves seem even more amateurish for continuing to defend this “journalism”.

  • Phil Harris

    Actually by default the D750 doesn’t set up anything, the user has to activate wi-fi first.
    You are being disingenuous once again, a D750 owner suffers no security risk ‘by default’. Surely one of you can work this out and maybe explain it slowly and carefully to the others?
    Your original article was a dreadful piece of tabloid scaremongering, certainly not worthy of the AP I remember and confirmation if it were required, that my decision to stop reading it some years ago was justified.