Arlo|Smart Home Security|Wireless HD Security Cameras

Pro 2 was hacked? Have 2FA setup already.

Reply
Discussion stats
  • 6 Replies
  • 2476 Views
  • 0 Likes
  • 3 In Conversation
UpsetUser13
Aspirant
Aspirant
My Arlo Pro 2's were hacked 2 days in a row. On the first day, someone started moaning and screaming through the two cameras inside my house. On the second day they said "I really like your dogs.". They also triggered the Alarm system both days.
 
I have 2FA set up, and even if I log in on my personal computer I have to give permission for the login to occur. I'm beyond frustrated and freaked out, and ARLO does not keep a log of logins from devices and told me to just "change account email/password" when I called them for support.
6 REPLIES 6
jguerdat
Guru Guru
Guru

I don't really think you were hacked but if you're convinced, remove all devices from Settings, My Devices and start fresh, perhaps with a new account using a second email address. Before doing this note all settings, modes, rules, etc. to speed the rebuild.

StephenB
Guru Guru
Guru

@jguerdat wrote:

I don't really think you were hacked 


It doesn't sound like it to me either.  It sounds to me like someone was actually close enough to the cameras to trigger them.

 

Are you using audio alarms?  Or only the video ones?  If audio alarms are enabled, someone outdoors could potentially trigger an alarm (just by being loud enough).

UpsetUser13
Aspirant
Aspirant

My homebase is not audio enabled, so no sound would have been able to trigger the alarm. 

 

Also, to clarify, this is not me "hearing" someone yelling through the camera and me hearing it through the app - this is the camera being remotely controlled (as if through the App), and someone speaking to me through my own cameras just as if I was using the App to talk through the cameras.  These cameras are located in my house, and someone was telling me they love my dogs THROUGH my own cameras....

 

This indicates to me that they can: 
A) See through the camera to know that I HAVE dogs.

B) Speak THROUGH my cameras just like I can through the app interface.

 

What leads you to believe this was not a hack?  I'd like to understand as much as I can about this scenario so that I can defend against it moving forward.

 

 

StephenB
Guru Guru
Guru

@UpsetUser13 wrote:

this is not me "hearing" someone yelling through the camera and me hearing it through the app - this is the camera being remotely controlled (as if through the App), and someone speaking to me through my own cameras just as if I was using the App to talk through the cameras. 

 


Thanks, that does clarify the situation - and does sound like a hack.  Take a look at the 2FA settings, and see if there are any trusted devices that you don't recognize.  Also look at the friend access, since that would bypass 2FA.

 

If nothing is wrong there, and changing the arlo password doesn't help:  That suggests that something else has been hacked, and that your arlo password is being picked up from that device.  For instance, if you use chrome with sync, it could be your google account.  It could also be that a PC or mobile device has been hacked.  So in this case I recommend running a malware scan on any PCs and changing other passwords.  

UpsetUser13
Aspirant
Aspirant

Thank you for confirming.  The only trusted device was my wife's phone, and she also received no 2FA notifications.  We don't permit access to any friends, so we're the only two it could have been.

 

What I find so strange about this is that even if I log in from my personal Laptop - it prompts me on my phone to 2FA verify the login.....  

 

I've recently updated all of my accounts and passwords and disabled them from being stored in Google.  I've also done the recommended Malware scans and have tightened up my security in any way possible.  Trust me, this was a crash course on Network Security so I've been trying to do everything I can to protect against it in the future.

 

Thank you for your help.

StephenB
Guru Guru
Guru

@UpsetUser13 wrote:

Thank you for confirming.  The only trusted device was my wife's phone, and she also received no 2FA notifications.  We don't permit access to any friends, so we're the only two it could have been.

 

What I find so strange about this is that even if I log in from my personal Laptop - it prompts me on my phone to 2FA verify the login.....  

 


So 2FA is working as designed.  Did you also double-check that there is no "friend" access?  (I understand you didn't set that up, but if someone did have access via the main account, it's an obvious back door).