This looks like a major Arlo problem

by Volker Weber

Status: unconfirmed. Read to the end!

A few months back I purchased a Netgear Arlo home security camera set. I set up an online account, connected the cameras, tried them out for a few days and ultimately changed my mind. They were returned to the store and I never gave it another thought...until today. I got a random email alerting me that the camera had detected motion...but I don't have any cameras. So I logged into my online account and I can see the new owner, their house, and everything they're doing. Netgear obviously doesn't have a system in place to prevent cameras on multiple accounts.

You connect Arlo cameras to your network. That part is protected. You set up an account and your cameras show up on the service. Apparently they are not removed from an account they were connected to. Three implications, if this works as described:

  1. If somebody steals your camera, you get a free video feed from any new place your camera shows up.
  2. If you buy a unit that is not really brand new, somebody might already have registered it.
  3. If somebody were able to register your brand new camera, he gets a free video feed from you.

If it really works this way, Netgear needs to fix this ASAP. And it actually looks like an easy fix. When a camera gets registered, remove it from an account it was previously registered to. I would have expected this to be the standard behavior.
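To make the proposed fix concrete, here is an added example (not Netgear or Arlo code; serials, account names and the "naive" variant are constructed for illustration). It models a cloud device registry two ways: the multi-account binding the reader's report implies, where every account that ever registered a serial keeps the feed and the alerts, and a single-owner registry where registering a camera revokes the previous account's binding. It then replays the returned-camera scenario and the two-step neighbour check from the update against both models.

```python
"""Single-owner binding for cloud-managed cameras.

Added example, not Arlo/Netgear code. Models the fix proposed in the post
(registering a camera revokes any earlier account binding) and the two-step
check described in the update. All serials and account names are constructed.
"""
from collections import defaultdict


class NaiveRegistry:
    """Behaviour the reader's report implies: one serial may sit in several
    accounts at once, and every account holding it gets the feed and alerts."""

    def __init__(self):
        self.devices_of = defaultdict(set)   # account -> {serial}

    def register(self, account, serial):
        self.devices_of[account].add(serial)

    def remove(self, account, serial):
        self.devices_of[account].discard(serial)

    def can_view(self, account, serial):
        return serial in self.devices_of[account]

    def alert_recipients(self, serial):
        # Motion alerts fan out to every account that still lists the serial.
        return sorted(a for a, s in self.devices_of.items() if serial in s)


class SingleOwnerRegistry(NaiveRegistry):
    """Proposed fix: a serial has exactly one owning account. Registering it
    elsewhere revokes the previous owner's binding; a stale entry may remain
    in the old owner's overview but is offline and carries no access."""

    def __init__(self):
        super().__init__()
        self.owner_of = {}                   # serial -> current owning account
        self.audit = []                      # ownership-change log for review

    def register(self, account, serial):
        previous = self.owner_of.get(serial)
        if previous is not None and previous != account:
            self.audit.append(f"{serial}: owner {previous} -> {account}")
        self.owner_of[serial] = account      # this alone revokes the old owner
        self.devices_of[account].add(serial)

    def remove(self, account, serial):
        super().remove(account, serial)
        if self.owner_of.get(serial) == account:
            del self.owner_of[serial]

    def can_view(self, account, serial):
        # Access follows the current owner, never a stale overview entry.
        return self.owner_of.get(serial) == account

    def alert_recipients(self, serial):
        owner = self.owner_of.get(serial)
        return [owner] if owner else []

    def overview(self, account):
        # What the account sees: its own cameras, stale ones shown offline.
        return {s: ("online" if self.owner_of.get(s) == account else "offline")
                for s in sorted(self.devices_of[account])}


def returned_camera_scenario(registry):
    """The reader's report: buyer A registers, returns the kit without removing
    it, buyer B registers the same camera. Returns (alert recipients, can A view)."""
    serial = "CAM-EXAMPLE-0001"            # constructed serial
    registry.register("buyer_a", serial)
    registry.register("buyer_b", serial)   # store resold the kit
    return registry.alert_recipients(serial), registry.can_view("buyer_a", serial)


def two_step_check(registry):
    """The update's test. Step 1: neighbour removes, author adds.
    Step 2: author keeps it, neighbour adds it back."""
    serial = "CAM-EXAMPLE-0002"            # constructed serial
    registry.register("neighbor", serial)
    registry.remove("neighbor", serial)
    registry.register("author", serial)
    step1 = (registry.can_view("author", serial), registry.can_view("neighbor", serial))
    registry.register("neighbor", serial)
    step2 = (registry.can_view("neighbor", serial), registry.can_view("author", serial),
             registry.overview("author")[serial])
    return step1, step2


if __name__ == "__main__":
    print("naive :", returned_camera_scenario(NaiveRegistry()))
    print("fixed :", returned_camera_scenario(SingleOwnerRegistry()))
    print("update:", two_step_check(SingleOwnerRegistry()))
```

In the naive model both buyers receive the new owner's motion alerts, which is exactly the leak the reader describes; in the single-owner model only the current owner does, and the audit log gives the service a record of every ownership change to review. The two-step check reproduces the update's observation: after the neighbour re-registers, the camera is still listed in the author's overview but offline and without access.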


[Update: 20-Jun-2016 11:35] Testing ...

ZZ3F5107D6

Step 1: A neighbor removed his camera from his setup. I added it to mine.

Result: I have a new camera, he no longer sees it.

Step 2: I did not remove my new camera. He added it back to his account.

Result: He has his camera back in his setup. I still have the camera in my overview, but it appears as offline. I cannot turn it on. I do not receive alerts. I have no access to his videos.

For now, this looks like a false alarm. I believe somebody returned his fully operational kit with hub and camera. The store resold it and the new customer plugged it in.

[Thanks, Marcus]

Comments

Not quite as jarring as this but a few years ago I sold my Nexus 7 to someone and despite the fact that I'd removed it from my account and done a factory reset, it showed up again as a connected device in the Google Play store. I could see what the new user had installed on it. Took a while to get it removed.

Bob Congdon, 2016-06-20 05:21

From this one can also infer that Netgear does not encrypt the video data. Not even a little. Apart from the fact that what you found on the net there is an outrageous mess, one probably has to expect this kind of thing when people voluntarily hang a product in their house that cheerfully transmits video data to a service provider.

Privacy is so 80s. Be more 2016. ;)

Johannes Matzke, 2016-06-20 06:34

I hope this is not only the tip of an iceberg... not too good.

Ingo Seifert, 2016-06-20 09:22

Maybe number 4:

If somebody gets hold of a serial number of your camera he can spy on you.

(Or do you need physical access to the camera to register one? Is it enough to be logged in to the same network? If so, be careful about giving access...)

Matthias Welling, 2016-06-20 10:10

I still need to verify that this is indeed a problem as described. Testing today. Serial numbers are longer than ten alphanumeric chars. The cameras are on their own protected network behind the Arlo Hub.

I don't know how to register a camera without physical access, but that does not mean it is not possible.

Volker Weber, 2016-06-20 10:20

This reminds me of Security Now podcast episodes 562+563. So many security holes in IoT devices. 9 baby monitors were investigated; need I say more?

Hans Bornich, 2016-06-20 11:31

If only I had this problem. My cameras are too far away or my house is too densely built (reinforced concrete), so I cannot connect them to the router all at once. Might have to buy more routers then. Any sellers here?

chris frei, 2016-06-20 13:36
