This looks like a major Arlo problem

by Volker Weber

Status: unconfirmed. Read to the end!

A few months back I purchased a Netgear Arlo home security camera set. I set up an online account, connected the cameras, tried them out for a few days and ultimately changed my mind. They were returned to the store and I never gave it another thought...until today. I got a random email alerting me that the camera had detected motion...but I don't have any cameras. So I logged into my online account and I can see the new owner, their house, and everything they're doing. Netgear obviously doesn't have a system in place to prevent cameras on multiple accounts.

You connect Arlo cameras to your network. That part is protected. You set up an account and your cameras show up on the service. Apparently they are not removed from an account they were connected to. Three implications, if this works as described:

  1. If somebody steals your camera, you get a free video feed from any new place your camera shows up.
  2. If you buy a unit that is not really brand new, somebody might already have registered it.
  3. If somebody were able to register your brand new camera, he gets a free video feed from you.

If it really works this way, Netgear needs to fix this ASAP. And it actually looks like an easy fix. When a camera gets registered, remove it from an account it was previously registered to. I would have expected this to be the standard behavior.
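To make the proposed fix concrete, here is a small added model of a device-registration service (example code written for this page, not Netgear's or Arlo's implementation). `MultiBindingRegistry` reproduces the behaviour the report describes, where a serial stays bound to every account that ever registered it, so a previous owner keeps the feed and the alerts. `SingleOwnerRegistry` enforces the one-owner rule from the paragraph above: registering a serial revokes every earlier binding. The account names and the serial are constructed placeholders, and `resale_scenario` replays the return-and-resale sequence from the report against either model.

```python
"""Toy registration service: a weak multi-binding model beside the single-owner fix.

Constructed example; the registry classes, account names and serial are
hypothetical and do not reflect any vendor's real implementation.
"""


class MultiBindingRegistry:
    """Weak model: a serial may be bound to any number of accounts at once.

    Registering never removes earlier bindings, so an account that returned
    or sold the camera still sees it and still receives motion alerts.
    """

    def __init__(self):
        self.devices_of = {}   # account -> set of serials in that account's overview
        self.audit = []        # (event, account, serial) tuples for later review

    def register(self, account, serial):
        self.devices_of.setdefault(account, set()).add(serial)
        self.audit.append(("registered", account, serial))

    def unregister(self, account, serial):
        # Explicit removal by the user, as in the update where a neighbour
        # took his camera out of his own setup before handing it over.
        self.devices_of.get(account, set()).discard(serial)
        self.audit.append(("unregistered", account, serial))

    def can_view(self, account, serial):
        """Feed access is granted to any account whose overview lists the serial."""
        return serial in self.devices_of.get(account, set())

    def alert_recipients(self, serial):
        """Every account that lists the serial receives motion alerts."""
        return sorted(acct for acct, serials in self.devices_of.items() if serial in serials)


class SingleOwnerRegistry(MultiBindingRegistry):
    """Fixed model: a serial has at most one owning account.

    A new registration transfers ownership and revokes the previous account's
    binding, so access and alerts follow the current owner only.
    """

    def __init__(self):
        super().__init__()
        self.owner_of = {}     # serial -> the single account that owns it

    def register(self, account, serial):
        previous = self.owner_of.get(serial)
        if previous is not None and previous != account:
            # Single-owner invariant: the earlier binding is revoked, not kept.
            self.devices_of[previous].discard(serial)
            self.audit.append(("revoked", previous, serial))
        self.owner_of[serial] = account
        super().register(account, serial)

    def unregister(self, account, serial):
        if self.owner_of.get(serial) == account:
            del self.owner_of[serial]
        super().unregister(account, serial)


def resale_scenario(registry):
    """Replay the report: buyer one registers, returns the kit without
    unregistering, the store resells it and buyer two registers the same serial.
    Returns what each buyer can see afterwards and who gets alerts."""
    serial = "SN-EXAMPLE-0001"                 # constructed placeholder, not a real serial
    registry.register("first-buyer", serial)   # tries the kit, then returns it as-is
    registry.register("second-buyer", serial)  # resold unit registered by its new owner
    return {
        "first_buyer_can_view": registry.can_view("first-buyer", serial),
        "second_buyer_can_view": registry.can_view("second-buyer", serial),
        "alert_recipients": registry.alert_recipients(serial),
    }


if __name__ == "__main__":
    for cls in (MultiBindingRegistry, SingleOwnerRegistry):
        print(cls.__name__, resale_scenario(cls()))
```

Run against `MultiBindingRegistry`, the first buyer still has the feed and still gets the alert that prompted the report; against `SingleOwnerRegistry`, only the second buyer does, and the audit trail records the revocation so support staff can see when and why an earlier account lost access.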


[Update: 20-Jun-2016 11:35] Testing ...

ZZ3F5107D6

Step 1: A neighbor removed his camera from his setup. I added it to mine.

Result: I have a new camera, he no longer sees it.

Step 2: I did not remove my new camera. He added it back to his account.

Result: He has his camera back in his setup. I still have the camera in my overview, but it appears as offline. I cannot turn it on. I do not receive alerts. I have no access to his videos.

For now, this looks like a false alarm. I believe somebody returned his fully operational kit with hub and camera. The store resold it and the new customer plugged it in.

[Thanks, Marcus]

Comments

Not quite as jarring as this but a few years ago I sold my Nexus 7 to someone and despite the fact that I'd removed it from my account and done a factory reset, it showed up again as a connected device in the Google Play store. I could see what the new user had installed on it. Took a while to get it removed.

Bob Congdon, 2016-06-20

One can also conclude from this that Netgear does not encrypt the video data. Not even a little bit. Apart from the fact that what you found on the net is an outrageous mess, one probably has to expect something like this when people voluntarily hang a product in their house that merrily transmits video data to a service provider.

Privacy is so 80s. Be more 2016. ;)

Johannes Matzke, 2016-06-20

I hope this is not only the tip of an iceberg... not too good.

Ingo Seifert, 2016-06-20

maybe number 4:

If somebody gets hold of a serial number of your camera he can spy on you.

(Or do you need physical access to the camera to register one? Is it enough to be logged in to the same network? If so, be careful about giving access...)

Matthias Welling, 2016-06-20

I still need to verify that this is indeed a problem as described. Testing today. Serial numbers are longer than ten alphanumeric chars. The cameras are on their own protected network behind the Arlo Hub.

I don't know how to register a camera without physical access, but that does not mean it is not possible.

Volker Weber, 2016-06-20

This reminds me of Security Now podcast episodes 562+563. So many security holes in IOT devices. 9 baby monitors were investigated, need I say more.

Hans Bornich, 2016-06-20

If only I had this problem. My cameras are too far away or my house is too densely built (reinforced concrete) that I cannot connect them to the router all at once. Might have to buy more routers then. Any sellers here?

chris frei, 2016-06-20
