This looks like a major Arlo problem

by Volker Weber

Status: unconfirmed. Read to the end!

A few months back I purchased a Netgear Arlo home security camera set. I set up an online account, connected the cameras, tried them out for a few days and ultimately changed my mind. They were returned to the store and I never gave it another thought...until today. I got a random email alerting me that the camera had detected motion...but I don't have any cameras. So I logged into my online account and I can see the new owner, their house, and everything they're doing. Netgear obviously doesn't have a system in place to prevent cameras on multiple accounts.

You connect Arlo cameras to your network. That part is protected. You set up an account and your cameras show up on the service. Apparently they are not removed from an account they were connected to. Three implications, if this works as described:

  1. If somebody steals your camera, you get a free video feed from any new place your camera shows up.
  2. If you buy a unit that is not really brand new, somebody might already have registered it.
  3. If somebody were able to register your brand new camera, he gets a free video feed from you.

If it really works this way, Netgear needs to fix this ASAP. And it actually looks like an easy fix. When a camera gets registered, remove it from an account it was previously registered to. I would have expected this to be the standard behavior.

More >

[Update: 20-Jun-2016 11:35] Testing ...

ZZ3F5107D6

Step 1: A neighbor removed his camera from his setup. I added it to mine.

Result: I have a new camera, he no longer sees it.

Step 2: I did not remove my new camera. He added it back to his account.

Result: He has his camera back in his setup. I still have the camera in my overview, but it appears as offline. I cannot turn it on. I do not receive alerts. I have no access to his videos.

For now, this looks like a false alarm. I believe somebody returned his fully operational kit with hub and camera. The store resold it and the new customer plugged it in.

[Thanks, Marcus]

Comments

Not quite as jarring as this but a few years ago I sold my Nexus 7 to someone and despite the fact that I'd removed it from my account and done a factory reset, it showed up again as a connected device in the Google Play store. I could see what the new user had installed on it. Took a while to get it removed.

Bob Congdon, 2016-06-20 05:21

Daraus kann man auch ableiten, dass Netgear die Vodeodaten nicht verschlüsselt. Nicht mal ein bisschen. Abgesehen davon, dass das, was Sie da im Netz gefunden haben die Obersauerei ist, muss man wohl mit sowas rechnen, wenn Leute sich freiwillig ein Produkt ins Haus hängen, das munter Videodaten an einen Dienstleister überträgt.

Privacy is so 80s. Be more 2016. ;)

Johannes Matzke , 2016-06-20 06:34

I hope this is not only the tip of an iceberg... not too good.

Ingo Seifert, 2016-06-20 09:22

maybe number 4:

If somebody gets hold of a serial number of your camera he can spy on you.

(Or do you need physical access to the camera to register one? Is it enough to be log in in to the same network? If so, be careful to give access...)

Matthias Welling, 2016-06-20 10:10

I still need to verify that this is indeed a problem as described. Testing today. Serial numbers are longer than ten alphanumeric chars. The cameras are on their own protected network behind the Arlo Hub.

I don't know how to register a camera without physical access, but that does not mean it is not possible,

Volker Weber, 2016-06-20 10:20

This reminds me of Security Now podcast episodes 562+563. So many security holes in IOT devices. 9 baby monitors were investigated, need I say more.

Hans Bornich, 2016-06-20 11:31

If only I had this problem. My cameras are to far away or my house is too densely built (reinforeced concrete) that I cannot connect them to the router all at once. Might have to buy more routers then. any sellers here?

chris frei, 2016-06-20 13:36

Recent comments

Heiko Wolf on Alexa, do. Not. Panic. at 23:16
Armin Grewe on Alexa, do. Not. Panic. at 22:10
Volker Weber on Echo Show :: First Impressions at 20:06
Peter Meuser on Echo Show :: First Impressions at 19:18
Stephan Bohr on Fünf Bücher, die Bill Gates liest at 18:24
Volker Weber on Wyze Cam v2 at 17:55
Samuel Orsenne on Wyze Cam v2 at 17:33
Maikel Maes on Marshall updates the Major at 14:01
Mark Haust on Oberfläche at 10:07
Sami Bahri on Alexa, do. Not. Panic. at 09:39
Volker Weber on Plantronics 6200 UC :: Erste Eindrücke at 05:56
Stephan H. Wissel on Plantronics 6200 UC :: Erste Eindrücke at 23:00
Bill Mayer on Alexa, do. Not. Panic. at 20:16
Bill Mayer on Echo Show :: First Impressions at 19:52
Stefan Dorscht on Plantronics 6200 UC :: Erste Eindrücke at 17:10
Volker Weber on Plantronics 6200 UC :: Erste Eindrücke at 15:10
Enrico Lippmann on Alexa, do. Not. Panic. at 14:42
Bastian Neumann on Plantronics 6200 UC :: Erste Eindrücke at 14:13
Jörg Hermann on Oberfläche at 22:54
Christian Tillmanns on Oberfläche at 21:22
Ragnar Schierholz on Oberfläche at 20:10
Kai Schmalenbach on Oberfläche at 19:01
Markus Dierker on Echo Show :: First Impressions at 18:59
Philipp Ringler on Oberfläche at 17:31
Volker Weber on Echo Show :: First Impressions at 16:52

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter amazon

Local time is 05:23

visitors.gif

buy me coffee