Arlo|Smart Home Security|Wireless HD Security Cameras

vanzano (Guide)

Hello guys, I'll try to make this as simple as possible so everyone can understand why this should be a concern for those who care about security.

The problem: Anyone can access your camera snapshots if they have the URL, which means unauthenticated access to your data!

Scenario: You are browsing your Arlo cameras on a shopping/company/free/friends/whatever Wi-Fi network. Let's suppose the network admin/owner has SSL strip or any form of proxy/MITM device between you and the internet.

This case is very common in corporate networks where your device trusts an intermediate certificate authority. That is done to allow firewalls/AV software to open your SSL tunnel and analyse your traffic.

So the exact moment you open your Arlo mobile app, it makes some calls:

  1. First it calls the authentication API - https://arlo.netgear.com/hmsweb/login/v2
  2. Second it calls the device list API - https://arlo.netgear.com/hmsweb/users/devices

and after that it populates the thumbnails of your cameras with the last snapshot they took.

Once the app calls the device list API, it returns the URLs required to retrieve camera snapshots, but the problem is that anyone who possesses the URL can access it from anywhere without being authenticated.

You can easily replicate this experiment by doing the steps below:

Required tools:

  1. Postman
  2. Basic knowledge of APIs/calls

The first step is authorizing yourself, like the mobile app does. To do so, create a POST call in Postman as demonstrated below:

URL: https://arlo.netgear.com/hmsweb/login/v2

Call type: POST

Headers: Content-Type:application/x-www-form-urlencoded

Body: {
    "email": "YOUR_ARLO_USERNAME@YOUR_EMAIL.COM",
    "password": "YOUR_ARLO_ACCOUNT_PASSWORD"
}
You'll get the response below:

[image: arlo_auth_reply.png]

Now do a GET call to the device list URL using the token value that you got after authenticating in the last step:

URL: https://arlo.netgear.com/hmsweb/users/devices

Type: GET

Headers: Authorization:INSERT_THE_VALUE_OF_TOKEN_FIELD_HERE

You'll get a JSON response; look for the entries where deviceType is camera. These devices are your cameras, and you'll probably recognize them by the names you gave them. At this point, just copy the content of the field presignedFullFrameSnapshotUrl and navigate to it in any browser, and you'll get your camera snapshot. If you send it to a friend or anyone else, it will also work.

[image: Screen Shot 2019-03-19 at 12.31.48 PM.png]

So, all that being said, I would like to hear from Netgear/Arlo on this topic. To me it feels very unsafe to leave access to these URLs without authentication. What was the thought process behind it?
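
As an added example (not the poster's code and not anything from Arlo), the Python below takes a device-list response of the shape described in this post and reports, per camera, how long a captured presignedFullFrameSnapshotUrl would stay usable by someone who holds it without the session token. The sample JSON, the hostnames and the Expires query parameter are constructed assumptions, not values captured from the real API.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample of a device-list response; the shape (a "data" array whose
# camera entries carry "presignedFullFrameSnapshotUrl") follows the post above,
# the hostnames and query parameters are invented for the example.
SAMPLE_DEVICE_LIST = json.dumps({
    "data": [
        {"deviceType": "basestation", "deviceName": "Home Base"},
        {"deviceType": "camera", "deviceName": "Front Door",
         "presignedFullFrameSnapshotUrl":
             "https://snapshots.example.invalid/front.jpg?Expires=1900000000&Signature=abc"},
        {"deviceType": "camera", "deviceName": "Garage",
         "presignedFullFrameSnapshotUrl":
             "https://snapshots.example.invalid/garage.jpg?Signature=def"},
    ],
})

EXPIRY_PARAM = "Expires"  # assumed: URL expiry as epoch seconds in the query string


def snapshot_exposure(device_list_json, now):
    """Report, per camera, how long a leaked snapshot URL stays usable.

    The URL is a bearer capability: whoever captures it (a TLS-inspecting proxy,
    a shared link) fetches the image without the session token, so its expiry is
    the only bound on the exposure window. `now` is epoch seconds.
    """
    findings = []
    for dev in json.loads(device_list_json).get("data", []):
        if dev.get("deviceType") != "camera":
            continue
        url = dev.get("presignedFullFrameSnapshotUrl")
        if not url:
            findings.append({"camera": dev.get("deviceName"), "status": "no snapshot URL"})
            continue
        expires = parse_qs(urlparse(url).query).get(EXPIRY_PARAM)
        if not expires:
            remaining, status = None, "no expiry: usable indefinitely once captured"
        else:
            remaining = int(expires[0]) - now
            status = "expired" if remaining <= 0 else f"usable for {remaining}s after capture"
        findings.append({"camera": dev.get("deviceName"),
                         "host": urlparse(url).hostname,
                         "remaining_seconds": remaining,
                         "status": status})
    return findings
```

Run it against a saved copy of your own device-list response to see which cameras hand out long-lived or never-expiring links; a short expiry does not fix the missing authentication, it only shrinks the window.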

3 Replies

AncientGeek (Hero)

You should submit this on BugCrowd.

vanzano (Guide)
It’s not a bug. It was designed like that. It is working as intended.

The problem is that it’s unsafe.
AncientGeek (Hero)

@vanzano wrote:
It’s not a bug. It was designed like that. It is working as intended.

The problem is that it’s unsafe.

Many security problems were "designed that way". This is a security problem. I'd report it and see if Arlo agrees with you that it is a problem and if so, you might get a small check for your troubles.