Arlo|Smart Home Security|Wireless HD Security Cameras
Arlo Community

[Security concerns] Unauthenticated access to camera Snapshots

Reply
Discussion stats
  • 3 Replies
  • ‎2019-03-19 11:42 AM
  • 1999 Views
  • 0 Likes
  • 2 In Conversation
vanzano
Guide
Guide
‎2019-03-19 11:42 AM

Hello Guys, I'll try to make this as simple as possible so everyone can understand why this should be a concern for those who care about security.

 

The problem: Anyone can access your camera snapshots if they have the URL, that means unauthenticated access to your data!

 

Scenario: You are browsing your Arlo cameras on a shopping/company/free/friends/whatever WIFI network. Lets suppose the network Admin/owner has SSL strip or any form of proxy/MITM device between you and the internet.

 

This case is very common in Corporate networks where your device trust an Intermediate Certificate authority. That is done to allow Firewalls/AV software to open your SSL tunnel and analyse your traffic.

 

So the exact moment when you open your ARLO mobile app it makes some calls:

 

  1. First it calls the authentication API - https://arlo.netgear.com/hmsweb/login/v2
  2. Second it calls de Device list API - https://arlo.netgear.com/hmsweb/users/devices

and after that it populates the thumbnails of your cameras with the last snapshot they took.

 

Once the APP calls the Device list API, it returns the URLS required to retrieve camera snapshots, but the problem is that anyone that possess the URL can access it from anywhere without being authenticated.

 

You can easly replicate this experiment doing the steps below:

 

Required Tools:

 

  1. Postman
  2. Basic knowledge of API/Calls

 

First step is authorizing yourself, like the mobile app do. To do so create a post call in Postman as demonstrated below:

 

URL: https://arlo.netgear.com/hmsweb/login/v2

Call type: POST

Headers: Content-Type:application/x-www-form-urlencoded

Body: {

               "email":"YOUR_ARLO_USERNAME@YOUR_EMAIL.COM",
              "password":"YOUR_ARLO_ACCOUNT_PASSWORD
          }
You'll get the response below:
arlo_auth_reply.png

 

Now do a get call to the device list url using the TOKEN value that you got after authenticating in the last step:

 

URL: https://arlo.netgear.com/hmsweb/users/devices

Type: GET

Headers: Authorization:INSERT_THE_VALUE_OF_TOKEN_FIELD_HERE

 

and you'll get a JSON, look for the ones where it says in the deviceType: camera. These devices are your cameras, you'll probably recognize them by the name you gave. At this point just copy the content of field presignedFullFrameSnapshotUrl and navigate to it on any browser and you'll get your camera snapshot. If you send it to a friend or anyone it will also work.

 

Screen Shot 2019-03-19 at 12.31.48 PM.png

 

So that all being said I would like to hear from Netgear/Arlo on this topic. To me it feels very unsafe to leave access to these URLS without authentication. What was the thought process behind it ?

 

Labels:
0 Likes
Reply
Message 1 of 4
1,999
3 REPLIES 3
AncientGeek
Hero
Hero
‎2019-03-19 12:14 PM

You should submit this on BugCrowd.

 

0 Likes
Reply
Message 2 of 4
1,989
vanzano
Guide
Guide
‎2019-03-19 12:25 PM
It’s not a bug. It was designed like that. It is working as intended.

The problem is that it’s unsafe.
0 Likes
Reply
Message 3 of 4
1,982
AncientGeek
Hero
Hero
‎2019-03-19 12:27 PM
@vanzano wrote:
It’s not a bug. It was designed like that. It is working as intended.

The problem is that it’s unsafe.

Many security problems were "designed that way".  This is a security problem.  I'd report it and see if Arlo agrees with you that it is a problem and if so, you might get a small check for your troubles.

0 Likes
Reply
Message 4 of 4
1,978
Discussion stats
  • 3 Replies
  • ‎2019-03-19 11:42 AM
  • 2000 Views
  • 0 Likes
  • 2 In Conversation

Arlo
Support

Visit our support page for answers from simple setup to security optimization. Search for something specific or select a product or category for helpful articles and videos.

Visit Arlo Support

Arlo App
for Support

For personalized support specific to the Arlo products you own, access Support from within the Arlo iOS or Android App. Simply login to your Arlo App, go to Settings, Support, then select the Arlo product you would like support for.