Arlo|Smart Home Security|Wireless HD Security Cameras
× Arlo End of Life Policy Notice
To view Arlo’s new End of Life Policy, click here.

Reply
Discussion stats
  • 15 Replies
  • 8695 Views
  • 6 Likes
  • 8 In Conversation
mrbobble
Follower
Follower

Can Arlo support help me here? I am a concerned user of the ArloQ camera.

Today there was a massive botnet based DDOS attack against DNS service provider Dyn. The attack was launched using a new tool, freely available online called Mirai. This attack crippled internet service on both seaboards of the US and parts of Europe. The attack was done using compromised Internet Of Things (IOT) devices. Specifically, the botnet used in today’s ongoing attack was built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products. Administrative credentials are hardcoded into it's products are uniform and cannot be changed (from a hackers perspective, once you take control of one product, you can essentially own them all)

 

Questions for you:

1. Does Netgear use products from XiongMai Technologies in it's own products?

2. What security is in place at Netgear to secure it's Arlo products. Are the administrative credentials unique and how are they protected/rotated?

2. How does Netgear plan to secure it's products so that they are not compromised in a way similar to the attack we saw this morning. Mirai is new but this is not the first massive DDOS attack since it's release to the public only weeks ago.

 

Thanks for your time.

 

 

15 REPLIES 15
JFQ
Aspirant
Aspirant

Thanks for the post. I was going to ask the same thing. as I have several Arlo cameras.

jguerdat
Guru Guru
Guru

I don't know enough to spit on relative to this subject.  However, it seems to me that the first issue is the security of your modem and router to be able to pass any malware on to the cameras and/or base. I can see more of an issue with smart TVs and such that are interactive with Internet web sites.  I believe the malware is being distributed by links and/or websites so I don't see Arlo as being a likely candidate.  Of course, the Arlo servers and your devices could be the source of the issue rather than the cameras/bases themselves.  All we can do at the moment is keep firmware and antivirus/malware software up to date and be cautious about what we click on.

 

Still, these are good questions which we may or may not get answers to.

GeneralPatten
Aspirant
Aspirant
I have not tested my own Arlo system, but this post, published 5 days ago, indicates that Arlo cameras are in fact vulnerable using telnet with the hard coded root password of "xc3511" (see "Netgear Arlo" under "Webcams - IP Cameras - DVRs) https://www.safegadget.com/139/hacked-internet-things-database/

According to more than one article (here is just one of many http://www.slate.com/blogs/future_tense/2016/10/21/the_east_coast_cyberattack_what_we_know_now.html), there's not much that can be done to fix it. The first article I posted does seem to indicate that the password can be changed however.


jguerdat
Guru Guru
Guru

I just tried to telnet to my Q and both bases without success on the default port of 23.  While that doesn't prove anything, it may not be that simple to gain access.  I/we would need more detail but I sure wouldn't be talking about it in the open.  There's a certain strength to "security by obscurity".  If you have more details (I followed your first link and didn't find anything of use) that you'd like to discus, PM me and we'll continue behind the scenes.

motjebben
Aspirant
Aspirant

 

Check out Kerckhoff's Principal and Shannon's maxim:  https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

 

I am still loving my Arlo system, but getting increasingly worried: first that it use WPS between cameras and base, secondly by this possible telnet insecurity that needs investigation, and by any implication that security through obscurity is a means to secure these cameras.  Perhaps only as the weakest link and only if it does not circumvent any stronger security.

 

Please, Netgear, keep improving the security of these otherwise awesome cameras!

 

 

 

 

jguerdat
Guru Guru
Guru

The WPS security issue is when using a PIN, not a push button. We recently had a discussion on this although not fully hashed out. Perceived weaknesses aren't necessarily the same as real ones.

 

I agree that more information is desired but I don't know that we'll ever know for sure short of someone opening their equipment and checking out components.  As I said before, I tried telnet and got nowhere but I'm not a hacker, kiddie or otherwise, to keep trying things.  Yes, Netgear needs to ensure that their equipment is secure but we also have a responsibility to be aware of what we're clicking on (this particular malware is activated by clicking on a link in an email) as well as to stay current with any equipment updates.  You can't be infected by just sitting there, at least for this iteration.

 

Edit:  This link (yes, it's safe) may provide some reassurance:

 

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

motjebben
Aspirant
Aspirant

Thank you for that particular link to Krebs's article!

 

It does seem that NAT may help some (as well as disabling Plug-n-Play, and not forwarding ports).

 

I am one of the participants in the earlier discussion on WPS where I linked the expert articles that indiate WPS Pushbutton is still a risk, because PIN is mandated by the WPS specification, even if Pushbutton is used.

 

Anyway, best wishes, and keep letting the arlo engineers know that security is still of great interest to us arlo users that really like our arlo systems!

 

 

jguerdat
Guru Guru
Guru

I've posed the question but I have no idea if/when/how it will be answered.

David321
Aspirant
Aspirant

This is funny... when we talk about security and credentials, and this board is sending me my password in plain tex instead of letting me configure it by myself, meh...

 

ok, I've been using many IP Camera's system from many sources, installed them in house, at the office, etc... and there is only one rule - cover your own ass 🙂

 

steps to take, when you're using IP cameras (it doesnt matter if they are provided by Netgear, TpLink, Foscam or other brand...)

 

1. Never use UPNP on your router or/and camera

 

2. Never use WPS or another stupid autoconfigure solution

 

3. Buy good router and another one better.. I own one of the top Asus routers and Netgear's firewall/VPN to manage VLAns and all the traffic (not the cheapest solition but you don't want to end up on internet with your pants down) - believe me, you can cascade your LAN inside another LAN or VLAN and make yourself not accessible. Netgear has a few VPN routers with gigabyte network support, they work perfectly as a gateways. Just make sure to use ProSafe v3, not earliers.

 

4. Block all internet traffic for connected devices (cameras) - assign them IP's manually, don't use DHCP, filter all the trafiic on LAN and WLAN with MAC filtering

 

5. Block and Filter all icoming traffic from LAN and WLAN to LAN devices you know

 

6. Watch your router's logs... IP cameras tend to PING unknown IP's for god knows what... I was told that it was for time synchronization but I've discovered many of these servers located in China, running various services, even Minecraft servers...

 

IOT was a bomb, ticking in the shadows, just cover your ass and then ask a questions 🙂

 

regards,

D

motjebben
Aspirant
Aspirant

Kudos to you, jguerdat, for asking!  It rarely hurts to ask, even if you don't get the answer you want.  If the one whom you ask penalizes you for asking, you might question why!   Much appreciated!

motjebben
Aspirant
Aspirant

Yipes, David321 !

 

Regarding your password:  Are you connecting to the community.netgear.com via https ?

 

Try doing so!  https://community.netgear.com

 

Cheers!

 

 

 

 

motjebben
Aspirant
Aspirant

A friend did a port scan and discovered that

port 5916 is open on the base station.  One can telnet to it or browse to it, but it is not obvious how this might allow one to take control of the base station.  Hopefully not.

 

 

donttrustthem
Star
Star

SO wh is there not a single response from Netgear on ANY of the security threads about DoS and botnet issues?  Having a few forum apologists theorize is not the same as a corporate definitive answer about any potential vulnerability and what will/can be done to ameliorate.

 

Netgear, what is the status of the Arlo cameras relative to the botnet issues?  Thank you, many people are waiting for the answer.

JamesC
Community Manager
Community Manager

NETGEAR is aware of the recent cyberattacks that exploit insecure Internet of Things (IoT) devices to create distributed denial of service (DDoS) botnets. We believe that these attacks highlight the importance of IoT security and NETGEAR is working to establish and uphold security standards for IoT devices.

 

Arlo is not vulnerable to the Mirai malware. From the early stages of product development and throughout the product lifecycle, we are committed to proactively reducing our users’ cyber risks. Vulnerability and penetration testing on Arlo products is performed to identify and eliminate security vulnerabilities while we also continuously monitor the latest threats and strive to keep abreast of the latest state-of-the-art security developments by working closely with our partners and the security researcher community.

 

If you have any questions or comments with regard to this information, please contact us at: security@netgear.com.

motjebben
Aspirant
Aspirant

Dear JamesC,

 

Thank you for the response and email link!  

 

I know first-hand and personally that building security into products is difficult but especially important.   Customers do care!  

 

Personally, I will pay more for a product which contains robust security features that are explained with transparency and reasonble detail (for me, the more technical the better), and that I can test for myself as much as possible.

 

I LOVE my arlo system!   Best wishes, and don't give up security for features!

 

Sincerely,

Mike