From Security Weekly Wiki

Tech Segment: Arlo Wireless Camera System Security

Arlo is a Netgear product line featuring wireless, battery-powered cameras. They update frequently and can be managed from a cloud-based web interface or a mobile app. The cameras are decent quality, though the motion settings are not reliable; overall it's a good system for the price. However, I do have some security concerns, along with some more information:

The Bad

  1. No two-factor authentication - Fingerprint on mobile as one factor, but no two-factor.
  2. Blackbox - Both the cameras and the controllers are 100% controlled from the cloud. Some models have an SD card, but no cloud means no management.
  3. No Security Settings - Encryption? No settings. Information about DoS protection? Very little. (Some information: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-does-NETGEAR-keep-my-Arlo-videos-private-and-secure-in-the/ta-p/3003)
  4. Steal My Camera - You can just grab it and use it on your own network. Tips on protecting your cameras: https://community.netgear.com/t5/Arlo-Idea-Exchange/Theft-Deterrent/idi-p/532

The Good?

  1. Firmware updates: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-do-I-update-my-Arlo-firmware-manually/ta-p/4736 - Firmware updates are released automatically to all connected Arlo devices. Automatic updates happen between 3:00 a.m. and 5:00 a.m. to minimize camera downtime.
  2. Vulnerability (fixed): https://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability?cid=wmt_netgear_organic - Arlo WiFi Default Password Security Vulnerability
  3. Another Vulnerability (fixed): http://blog.newskysecurity.com/2016/09/brute-force-vulnerability-netgear-arlo/ and this: http://blog.newskysecurity.com/2016/09/factory_reset_vuln_in_netgear_arlo/