AP's recent news story highlighting a potential security concern with the Nikon D750’s Wi-Fi has whipped up a storm of debate on the internet, with some commentators claiming that we’ve invented a sensationalist non-story, or simply been unable to read the manual. AP sets the record straight...
NOTE: this article was edited on 29th September 2014 to correct an error regarding the use of WPS with Android devices.
To put the record straight, here’s a clarification of our position:
1) By default, Nikon sets up an unsecured wireless network when the D750 is connected to a smart device. No other camera manufacturer does this. Most use a secured, password-protected network with a pre-set key, which is set up either by manually entering into your phone a password that’s displayed on the camera’s screen, or by shortcuts such as NFC, QR codes, or Bluetooth. An alternative method is to require that any smart device trying to connect be validated by pressing a button on the camera.
2) In Nikon’s default, unsecured state, another smartphone user with the Nikon Wireless Mobile Utility (WMU) app can connect to the camera without requiring the owner’s approval, and download images without their knowledge. Only one device can connect at any time, though, so if your own phone is connected, your images are safe. But if your camera has Wi-Fi turned on and your phone isn’t connected, they’re not. No other camera Wi-Fi system will let this happen.
3) Neither the camera nor the Wireless Mobile Utility app ever prompts the user to set up a password to secure the camera. We believe that the onus should not be on the user to establish the security of their setup; instead it should be secure by default. This is how all other cameras work, not to mention Wi-Fi SD cards, Wi-Fi card readers and the like.
4) The D750 camera manual has a small section on security on page xxvi, which warns of possible risks to your data if security is not enabled. The Wi-Fi section of the manual talks about using WPS security, which is an option on some Android devices, and which we’d strongly recommend using if possible. However, the manual doesn’t mention how to set up a secure connection to a smartphone when connecting directly to the camera’s SSID, which all iOS users will have to do.
5) To establish a secure connection with a mobile device, you have to enable this from the WMU app when the camera is connected. This is done from the Settings menu: enter the WMA settings section, enable WPA2-PSK-AES authentication, and enter a password when prompted. But Nikon doesn’t explicitly tell the user that they should do this when they’re using the app – it’s simply a setting they have to find for themselves.
6) The Wireless Mobile Utility app has a downloadable PDF manual, which is linked from the iOS version of the app (but not, apparently, from the Android version at present). If you search it for ‘Security’, ‘setup’ or ‘WPA’, you’ll get no matches. On page 20 it describes all of the menu options for setting up a password, but it never explicitly advises the user that this should be set.
7) In playback mode, you can mark up images for transfer to a smart device. These will automatically be pushed to the first device that connects with the WMU app. Because unauthorised devices can connect without the owner’s knowledge, they could conceivably receive these images simply by connecting to your camera.
So in summary, by default the D750 sets up an unsecured connection with an Android or iOS smart device, which other manufacturers’ Wi-Fi systems simply don’t allow. Unless the user takes the trouble firstly to work out that they need to set up WPA2 security, and secondly how to do this, then their camera’s Wi-Fi will remain unsecured. If they have Wi-Fi turned on in a public space without their own device connected to the camera, other people can connect and browse their SD card using no special equipment – just a mobile device with the WMU app installed.
It’s important to make clear that we’re not saying the D750 is inherently insecure, once it’s been set up correctly by the user. Turn on WPA2 encryption and your images are safe. The problem is that it’s insecure in the way that it’s set up out-of-the-box, or indeed if its network settings are returned to their defaults, and we don’t think Nikon adequately explains to the user how to fix this. There’s no prompt either by the camera or the app, or instructions in their respective manuals, specifically telling users to set up a password.
In the past, other companies have received plenty of criticism for not securing their customers’ data by default, and we don’t think Nikon should be any different. We think that the onus shouldn’t be on the owner to change some settings to secure their images; it should be on the equipment provider to set this up in the first place. Sadly, Nikon hasn’t succeeded at this. We’d like to see an update to the WMU app, requiring a password to be entered on first use, which would resolve the issue immediately.