Arlo|Smart Home Security|Wireless HD Security Cameras

Discussion stats
  • 10 Replies
  • 2823 Views
  • 3 Likes
  • 4 In Conversation
RGH-BC
Aspirant

I helped a neighbour set up Port Forwarding on his Ultra 4K system 2 days ago and he’s now experiencing the same thing I am with my Ultra 4K. Both of us are using an SD card for local storage. No subscription service.

After setting his up, the videos that he was getting notifications for were not showing up in the library (local storage, not cloud service). It was the same with his iPad and iPhone. As soon as he disabled port forwarding, the videos populated the library and were visible while at home on WiFi.
I then realized that I was missing many weeks of videos from my library (but hadn’t noticed because I just assumed they were there from notifications I’d been getting of camera activity).
I turned off my port forwarding and all of those stored videos were now visible in the library.
Could it be an iOS 15 conflict with the Arlo app? I think the issue of my storage not being visible coincides with when I updated my iPad and iPhone to iOS 15.

10 REPLIES
Retired_Member
Not applicable

I can't comment on the missing videos but I can't overstate how risky port forwarding can be when used with an IoT device like the Arlo SmartHub.  You're basically giving every hacker on earth a direct communication path with the hub, which is inside your firewall and thus, if compromised, could potentially be hijacked and used to attack other devices on your network.  That open communication path could potentially be exploited in other ways which I won't describe in detail but suffice it to say that just because the open port forwards to the hub today does not mean it will forward to the hub (and nothing else) tomorrow.  You're relying on the hub and many other devices on your network being perfectly secure, un-hackable, which is a thing that does not exist.  I'm not saying the hub isn't secure, I'm saying that to enable port forwarding to any IoT device is to bet that no hacker will ever find a way to exploit that configuration.  If I had to choose between taking that risk for the years that the hub will be in operation or paying for a router with VPN capability, I'd go with the VPN option. 

RGH-BC
Aspirant

Thank you for your insight; I hadn’t really given much thought to the vulnerability aspect of this configuration. I’m using an Arris XB7 which is provided by my ISP. I don’t see that it is made for VPN use. Can you suggest a router to add for use with the Arlo hub?

Retired_Member
Not applicable

Right off the bat I'll say that paying for the Arlo subscription and treating local storage as a backup in case your internet connection goes down is probably the better option, unless you are very concerned about having your videos stored in the cloud.  Good VPN routers aren't cheap, setting them up is a hassle, and even the most sophisticated VPN server (which is what the router will be doing) can be hacked, though it is still vastly safer than using port forwarding for this job.

That said, if I was doing this today I'd probably go for an Asus AX series Wi-Fi router.  Their latest firmware (for AX models only) can function as a WireGuard server and lets you quickly export the VPN configuration as either text or via a QR code.  This configuration can be imported onto your phone via the official WireGuard app, which is free on either Android or iOS.  The WireGuard protocol is very fast and compared to older VPN protocols is very simple to configure.  Installing the WireGuard app and importing the VPN configuration via QR code is vastly easier than other methods of configuring a VPN to a private server from a smartphone.   I've owned a number of Asus products over the years and I've never regretted the purchase, though they're generally not cheap relative to their competitors.  Note - I can't confirm this approach will work for accessing Arlo local storage.  It should, I can't think of a reason why it wouldn't work, but I've never been able to get direct storage access working on my own phone even on local WiFi and I can't be bothered to figure out why.

If you do decide to implement your own VPN you may need to either request a static IP address from your ISP or configure a DDNS service.  Without one or the other your phone will lose its connection to your VPN server whenever the public IP address on your home router changes.
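
Added example, not part of the original post and not the configuration an Asus router exports: a WireGuard client profile of the kind described above, with the Endpoint set to a DDNS hostname so the phone can still find the router after the public IP changes, and AllowedIPs limited to the home network. Every key, address, the hostname and the port are placeholders or assumptions.

```ini
# Constructed WireGuard client profile; all values are placeholders.
[Interface]
# The phone's private key. Stays on the phone, never shared.
PrivateKey = <CLIENT_PRIVATE_KEY>
# Tunnel address given to the phone (assumed VPN subnet 10.6.0.0/24).
Address = 10.6.0.2/32

[Peer]
# Public key of the WireGuard server running on the home router.
PublicKey = <ROUTER_PUBLIC_KEY>
# DDNS hostname (or static IP) of the router's WAN side and its UDP listen port.
Endpoint = home.example.net:51820
# Split tunnel: only traffic for the home LAN (assumed 192.168.1.0/24)
# and the VPN subnet is routed through the tunnel.
AllowedIPs = 192.168.1.0/24, 10.6.0.0/24
# Periodic keepalive so NAT mappings on mobile networks do not expire.
PersistentKeepalive = 25
```

The router still listens on one UDP port for WireGuard, but it does not reply to packets from peers without a configured key, unlike a forwarded port that hands every connection to the hub.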

Retired_Member
Not applicable

Correction to above post:

I just did some checking and while the Asus RT-AX58U is the VPN router I'd personally go for right now, WireGuard VPN server is not on the official tech specs for this model.  OpenVPN server is listed, but not WireGuard.  There is a beta firmware version available for this model which includes WireGuard server but I can't confirm whether this feature has made it into the official firmware release yet.   If you were to buy one of these today you may need to set up the VPN using an older protocol or install the beta firmware version.  Article linked below which describes the WireGuard server function, though it's unclear whether the article refers to beta firmware or an official firmware release.

https://itigic.com/we-tested-wireguard-vpn-on-asus/

*EDIT* - this article does relate to the beta version.  I checked the firmware release notes for this router model and WireGuard server is not in the official firmware release yet.

StephenB
Guru

@Retired_Member wrote:

 I'm not saying the hub isn't secure, I'm saying that to enable port forwarding to any IoT device is to bet that no hacker will ever find a way to exploit that configuration.  If I had to choose between taking that risk for the years that the hub will be in operation or paying for a router with VPN capability, I'd go with the VPN option. 


I agree with the conclusion overall.  But I would like to add that the hub isn't a usual IoT device - it's a specialized router.   And Arlo is providing frequent firmware updates to all the bases (including the really old ones), so they can push out security updates.  Most IoT devices are not designed with security in mind, and are never updated.

So IMO, the risk of the hub being hacked is about the same as the risk of your main router being hacked.  But I agree that a VPN is inherently more secure than port forwarding.

Retired_Member
Not applicable

Agreed about the security of the SmartHub likely being much better than the average IoT device, but not about the assumed quality or frequency of firmware updates on the hubs.  I can't look at issues such as how the hub selects its 2.4 GHz WiFi channel, at issues with certain camera models going offline until reset or at issues with how activity zones work and just assume that security flaws in hub firmware would be quickly identified and fixed.  While it is very clear that Arlo have some very talented developers and engineers working for them it is also clear that they are either under-resourced in some areas or there is someone at a senior level at Arlo who is prone to making ludicrously bad decisions about what is and is not a priority for a company selling a security product.

StephenB
Guru

@Retired_Member wrote:

Agreed about the security of the SmartHub likely being much better than the average IoT device, but not about the assumed quality or frequency of firmware updates on the hubs.  


I wasn't meaning to imply there was no risk - just meaning to say that Arlo had the tools in place to provide security updates. Given the lack of information in the release notes, there is no way to tell what security issues are being addressed. So opinions on this will certainly vary (and I think you will agree require some speculation either way).  

We agree that a VPN is better (and FWIW, I am not forwarding ports to my own hubs).  While I have used an iPhone for about a year now, I found that the OpenVPN built into my Orbi router didn't work for this with my Android phone.  Not sure if that is still the case or not.

Retired_Member
Not applicable

Fair point about speculation - we just don't know.  When I chose to buy Arlo I made a lot of assumptions about what the product would be like.  Any security system that depends on WiFi is inherently vulnerable, but I assumed that that would be the only major limitation and that Arlo would have made every effort from the outset to address that limitation.  I wanted a system that was quick and easy to install and would 'just work', without the hassle of running Ethernet cables to every camera.  For the first few months I owned my Arlo system I literally could not believe that the issues I was seeing were due to flaws with the product.  I assumed the issues must be on my side, my problem to solve, and so I spent a ridiculous amount of time on testing and experimentation to try to discover where I was going wrong.  Those tests included utterly crazy stuff like (and I'm not joking) placing a camera inside a microwave oven to see what happens when a camera loses its WiFi connection for brief moments (a microwave is a functional Faraday cage for 2.4 GHz signals).  Only when I became certain about the underlying causes of some problems did I start interacting with Arlo support staff, and that experience has been and still is utterly enraging.  I'm now at a point where all my assumptions and speculations are negative.

Maybe the Arlo hub is safe and secure and all is well, or maybe you can hack it with a stopwatch.  I'd believe anything at this point.

StephenB
Guru

FWIW, Arlo does publish CVEs after they've fixed the security issues.  There haven't been very many, but there were two fixed this year.  https://www.arlo.com/en-us/security-advisory.html

I'm also not seeing any third-party reports at https://cve.mitre.org/ that aren't in Arlo's list.

Elvina
Aspirant

Having the same issue. Submitted a request to Arlo Support Team in Aug 2021. They haven't found a solution yet for this issue. Receiving updates from Arlo team that they are still working on this issue.
