Nikon D750 Wi-Fi app: Security risk surfaces (Updated 29 September)
September 25, 2014
Nikon’s Wireless Mobile Utility app, for Android and Apple iOS operating systems, allows photographers to wirelessly connect their mobile device to a Nikon camera.
However, Amateur Photographer (AP)’s technical team has discovered a potential security flaw during their review of a full-production sample of the D750, which went on sale in the UK two days ago.
If users connect directly to the camera’s broadcast SSID, but do not manually activate the Wi-Fi security settings via the app on the mobile device, then they could expose the D750’s images to unauthorised access.
The Wireless Mobile Utility app is designed for use with Nikon’s Coolpix compacts, as well as its DSLRs.
AP technical editor Andy Westlake (pictured above), who got his hands on the D750 last night, said: ‘I couldn’t believe it. The Nikon D750 uses an unsecured Wi-Fi network by default when connecting directly to its SSID, and doesn’t at any point require the camera owner to validate the identity of a smart device that’s trying to connect to it.
‘If you have D750’s Wi-Fi turned on, but your own phone isn’t connected to it, then anyone with a smart device and the Nikon Wireless Mobile Utility can connect to the camera and download images from the memory card without the owner’s permission.
‘We tested and confirmed this in the AP office; another smartphone user simply has to connect to the camera’s Wi-Fi network and start up the Nikon app to be able to browse and download images. The camera gives no clear indication that anything might be amiss.
‘What’s worse is that it’s possible for the owner to mark images for transfer to a smart device on the camera in playback mode.
‘These images are pushed automatically to the first device that connects to the camera afterwards, regardless of who owns it. So another user can potentially intercept your favourite or most valuable images.’
In response, the company says it is looking into the Nikon D750 Wi-Fi security issue.
A Nikon UK spokesperson told AP: ‘We appreciate the feedback. As a business, we take security seriously.
‘Our advice would always be that people should activate the security settings available to them.’
Whether the app should activate the security setting, by default, appears to be a subject of debate within Nikon.
Nikon claims that security advice is contained in the instruction manuals of both the app and the camera. Users of certain Android devices can directly set up a secured connection using the Wi-Fi Protected Access (WPS) protocol, but this isn’t currently supported by Apple’s iOS devices.
However, photographers who don’t read these manuals could be at risk.
The discovery comes amid worldwide security concerns following the unauthorised publication of people’s private images on the internet.
Andy added: ‘The saving grace for Nikon is that only one device can communicate with the camera at any given time, so if your own phone is connected your images are probably safe.’
The D750 is a 24.3-million-pixel, full-frame, enthusiast-level DSLR.
The camera is also compatible with Nikon’s WR-R10 Wireless Transceiver and WR-T10 Wireless Transmitter, as well as Eye-Fi cards.
Nikon says the Wi-Fi app is updated each time a new camera is released.
The D750 went on sale in the UK on 23 September.
[Photo credit: C Cheesman]
This article was updated on 29 September by AP technical editor Andy Westlake, to make clear that users of Android devices which support Wi-Fi Protected Setup (WPS) can directly establish a secure connection to the D750 using this method. However this option isn’t available to iOS users.