This looks like a major Arlo problem

by Volker Weber

Status: unconfirmed. Read to the end!

A few months back I purchased a Netgear Arlo home security camera set. I set up an online account, connected the cameras, tried them out for a few days and ultimately changed my mind. They were returned to the store and I never gave it another thought...until today. I got a random email alerting me that the camera had detected motion...but I don't have any cameras. So I logged into my online account and I can see the new owner, their house, and everything they're doing. Netgear obviously doesn't have a system in place to prevent cameras on multiple accounts.

You connect Arlo cameras to your network. That part is protected. You set up an account and your cameras show up on the service. Apparently they are not removed from an account they were connected to. Three implications, if this works as described:

  1. If somebody steals your camera, you get a free video feed from any new place your camera shows up.
  2. If you buy a unit that is not really brand new, somebody might already have registered it.
  3. If somebody were able to register your brand new camera, he gets a free video feed from you.

If it really works this way, Netgear needs to fix this ASAP. And it actually looks like an easy fix. When a camera gets registered, remove it from an account it was previously registered to. I would have expected this to be the standard behavior.

More >

[Update: 20-Jun-2016 11:35] Testing ...

ZZ3F5107D6

Step 1: A neighbor removed his camera from his setup. I added it to mine.

Result: I have a new camera, he no longer sees it.

Step 2: I did not remove my new camera. He added it back to his account.

Result: He has his camera back in his setup. I still have the camera in my overview, but it appears as offline. I cannot turn it on. I do not receive alerts. I have no access to his videos.

For now, this looks like a false alarm. I believe somebody returned his fully operational kit with hub and camera. The store resold it and the new customer plugged it in.

[Thanks, Marcus]

Comments

Not quite as jarring as this but a few years ago I sold my Nexus 7 to someone and despite the fact that I'd removed it from my account and done a factory reset, it showed up again as a connected device in the Google Play store. I could see what the new user had installed on it. Took a while to get it removed.

Bob Congdon, 2016-06-20

Daraus kann man auch ableiten, dass Netgear die Vodeodaten nicht verschlüsselt. Nicht mal ein bisschen. Abgesehen davon, dass das, was Sie da im Netz gefunden haben die Obersauerei ist, muss man wohl mit sowas rechnen, wenn Leute sich freiwillig ein Produkt ins Haus hängen, das munter Videodaten an einen Dienstleister überträgt.

Privacy is so 80s. Be more 2016. ;)

Johannes Matzke , 2016-06-20

I hope this is not only the tip of an iceberg... not too good.

Ingo Seifert, 2016-06-20

maybe number 4:

If somebody gets hold of a serial number of your camera he can spy on you.

(Or do you need physical access to the camera to register one? Is it enough to be log in in to the same network? If so, be careful to give access...)

Matthias Welling, 2016-06-20

I still need to verify that this is indeed a problem as described. Testing today. Serial numbers are longer than ten alphanumeric chars. The cameras are on their own protected network behind the Arlo Hub.

I don't know how to register a camera without physical access, but that does not mean it is not possible,

Volker Weber, 2016-06-20

This reminds me of Security Now podcast episodes 562+563. So many security holes in IOT devices. 9 baby monitors were investigated, need I say more.

Hans Bornich, 2016-06-20

If only I had this problem. My cameras are to far away or my house is too densely built (reinforeced concrete) that I cannot connect them to the router all at once. Might have to buy more routers then. any sellers here?

chris frei, 2016-06-20

Recent comments

Volker Weber on Airplay 2 im täglichen Einsatz at 00:02
Robert Dahlem on Connect your Android phone to Windows 10 at 23:32
Robert Kurt on Wenn Du nicht einschlafen kannst ... at 22:19
Kai Schmalenbach on Stuff that works :: Bite Away at 21:02
Ralph Inselsbacher on Airplay 2 im täglichen Einsatz at 20:37
Thomas Müller on Connect your Android phone to Windows 10 at 20:08
Daniel Pape on Connect your Android phone to Windows 10 at 20:02
Stephan Höhl on Airplay 2 im täglichen Einsatz at 19:56
Volker Weber on Airplay 2 im täglichen Einsatz at 19:52
Stephan Höhl on Airplay 2 im täglichen Einsatz at 19:48
Christian Henseler on Stuff that works :: Bite Away at 19:23
Andreas Krümmel on Stuff that works :: Bite Away at 18:40
Volker Weber on Tweets are ephemeral at 17:15
Mariano Kamp on Stuff that works :: Bite Away at 16:44
Pedro Meireles on Tweets are ephemeral at 14:51
Volker Weber on Airplay 2 im täglichen Einsatz at 14:02
Kristof Doffing on Stuff that works :: Bite Away at 14:01
Volker Weber on Kein Drama at 14:00
Volker Weber on Stuff that works :: Bite Away at 13:58
Martin Kautz on Kein Drama at 13:41
Patric Stiffel on Stuff that works :: Bite Away at 13:40
Martin Kautz on Airplay 2 im täglichen Einsatz at 13:37
Stefan Brandl on Wenn Du nicht einschlafen kannst ... at 13:36
Martin Kautz on Stuff that works :: Bite Away at 13:33
Jörg Michael on Stuff that works :: Bite Away at 13:25

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 09:10

visitors.gif

buy me coffee