Arlo|Smart Home Security|Wireless HD Security Cameras

Timmy256
Apprentice

Hi guys,

 

As per the topic: where can I deauthorize third-party services that I've connected to my account, such as IFTTT? I've looked all over for it without any luck.

 

When connecting, it takes me to a URL in the format of oauth.netgear.com, but I've found no other link in the Arlo interface to see what services are currently connected and how to revoke their access.

 

Hopefully there's a way and this wasn't overlooked, because if not, it would be quite a security issue.

 

Thanks.

TomMac
Guru

in the meanwhile... you could change your account info

--------------------------------------
Morse is faster than texting!
--------------------------------------
Timmy256
Apprentice

Hi Tom, what do you mean by account info? The Arlo password? If so, OAuth authentications are tokens that don't take into consideration your username/password combination, so that wouldn't block the services from still being allowed to connect.

 

If there's no way, it would be a terrible security oversight, as we need to see a list of all the services connected to our accounts and be able to revoke their access at will.

TomMac
Guru

Yes, but doesn't the client sw have your info when registered?... as the token does not

--------------------------------------
Morse is faster than texting!
--------------------------------------
Timmy256
Apprentice

I'm not sure I'm understanding you... do you mean the client software? IFTTT (for example)?

 

It connects to Arlo based on the OAuth token that IFTTT saves when I confirm the access, and Arlo/Netgear has a list of approved services that can access them on their servers. What we need is a screen to be able to see those approved services and revoke their access.

 

Changing the user/password/etc in any of the services (Arlo, Netgear, IFTTT, etc.) wouldn't do anything and the connection would still be allowed.

 

Here's a nice example of a security threat. I somehow hack into your IFTTT account and get access to it. I can then create rules to know when you are in the house (motion detection), how many cameras you have and where they are located (based on their name); I can profile you and get to learn your schedule after studying it for a couple of weeks (i.e. knowing when motion is detected every day and at what times [leaving for work in the morning? house is empty?]) and predict a pattern of your behaviors and when you might be out of your house, and also know when your batteries are running low (so I can then get in and steal the heck out of it!). The best part: you don't have any way to stop me from continuing to do that (except deleting your Arlo account, but for that, you'd have to know that I've gained access to your IFTTT account).

 

If that scared you, then that's why we need to have a screen to revoke access to connected apps, as it's pretty much mandatory in any OAuth implementation (Google, Microsoft, Dropbox, Facebook; whichever service uses OAuth has one).

 

If we don't have that, maybe it's a nice time to escalate this. Maybe @JamesC can chime in here?

 

Thanks again

fuzzypixel
Guide

Assuming Netgear's auth is done correctly, once you change your Arlo account password the token used by IFTTT (or any other party which has your token) will no longer be valid; it will require re-authentication (with username/password) so that it can get a fresh one.

Timmy256
Apprentice

It's not part of the OAuth specs to determine if they should revoke the tokens on a password change. It depends on the implementation, as the tokens should be able to be individually revoked at will (imagine having to reauthenticate dozens of services on every password change).

 

Google, for example, just at the end of last year started implementing the revocation of tokens on a password reset (http://www.securityweek.com/google-revoke-oauth-20-tokens-upon-password-reset), as an additional security measure on top of their already existing "Connected Apps" interface, where you can see who is accessing your account and revoke them.

 

As of now, we don't know what Netgear is doing, how they implemented it, and what they are doing to protect us.
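The two revocation mechanisms argued about in the last few posts (fuzzypixel's "tokens die when the password changes" and Timmy256's "each connected app must be revocable on its own") are both server-side policies, not something the OAuth spec mandates. The following is an added example, not Arlo/Netgear/IFTTT code, of how a resource server's grant registry can implement both: every grant is bound to the password version it was issued under, so a password change invalidates it, and a per-grant revoke backs a "Connected Apps" screen. All client names, scopes and the account are constructed for the example.

```python
"""Per-account OAuth grant registry with two revocation paths.

Added example (not the vendor's code). It models what a provider needs
behind a "Connected Apps" screen:
  * revoke(grant_id)        -- revoke one third-party app at will
  * change_password()       -- invalidate every grant issued before the change
Tokens are stored only as SHA-256 digests, so a leaked registry does not
leak usable bearer tokens. Account, client names and scopes are constructed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str          # e.g. "ifttt" (constructed name)
    scopes: tuple           # scopes the user consented to
    token_digest: str       # sha256(hex) of the bearer token, never the token
    password_version: int   # account password version at issue time
    issued_at: float
    revoked: bool = False


class AccountGrants:
    """All grants issued for one user account."""

    def __init__(self, username: str):
        self.username = username
        self.password_version = 1
        self._grants: dict[str, Grant] = {}         # grant_id -> Grant
        self._by_digest: dict[str, str] = {}        # token digest -> grant_id

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _active(self, g: Grant) -> bool:
        # A grant is usable only if it was not revoked individually AND was
        # issued under the current password (fuzzypixel's expectation).
        return not g.revoked and g.password_version == self.password_version

    def authorize(self, client_id: str, scopes) -> tuple[str, str]:
        """User consents to a client; returns (grant_id, bearer token).

        The raw token is returned once to the client and never stored.
        """
        token = secrets.token_urlsafe(32)
        grant_id = secrets.token_hex(8)
        g = Grant(client_id, tuple(scopes), self._digest(token),
                  self.password_version, time.time())
        self._grants[grant_id] = g
        self._by_digest[g.token_digest] = grant_id
        return grant_id, token

    def connected_apps(self) -> list[tuple[str, str, tuple]]:
        """What a 'Connected Apps' screen would list: only active grants."""
        return [(gid, g.client_id, g.scopes)
                for gid, g in self._grants.items() if self._active(g)]

    def revoke(self, grant_id: str) -> None:
        """Revoke a single third-party app (Timmy256's request)."""
        self._grants[grant_id].revoked = True

    def change_password(self) -> None:
        """Bumping the version invalidates every previously issued grant."""
        self.password_version += 1

    def check(self, token: str, scope: str) -> bool:
        """Resource-server check for an incoming bearer token and scope."""
        gid = self._by_digest.get(self._digest(token))
        if gid is None:
            return False
        g = self._grants[gid]
        return self._active(g) and scope in g.scopes


def demo() -> dict:
    """Walk through both revocation paths; returns the observations."""
    acct = AccountGrants("alice")                       # constructed account
    gid, tok = acct.authorize("ifttt", ["motion:read"])
    out = {"before": acct.check(tok, "motion:read")}
    acct.revoke(gid)                                    # per-app revoke
    out["after_revoke"] = acct.check(tok, "motion:read")
    gid2, tok2 = acct.authorize("ifttt", ["motion:read"])
    acct.change_password()                              # global revoke
    out["after_password_change"] = acct.check(tok2, "motion:read")
    out["apps_listed"] = len(acct.connected_apps())
    return out


if __name__ == "__main__":
    print(demo())
```

The point islandboylp's later test makes is visible here: if a provider only implements `revoke` but never binds grants to a password version, `change_password` is a no-op for existing tokens, which is exactly the behaviour of "IFTTT still triggers the camera after a password change". Conversely, a provider that only bumps the version has the "hammer" but no way to drop one misbehaving app while keeping the others.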

fuzzypixel
Guide

But it's easy to test, isn't it? Authorize a service like IFTTT and then change your password on the Netgear website. If IFTTT still works after a reasonable timeout then Netgear isn't doing it right; if it asks you for the new password then it works as expected.

And of course more granular token revocation would be better, but at least you would know you could use the hammer if needed.

Timmy256
Apprentice

I'd love to test it, but as I posted when I bought and set up the kit, IFTTT never works for me. It doesn't get triggered and always writes an error to its log instead.

 

IFTTT Arlo isn't Working - Returns "Error" All the... - NETGEAR Communities

islandboylp
Star

I had the same question of how to revoke IFTTT access if I choose, but also couldn't find anywhere to do this.

So I tested the theory of changing my Arlo password in hopes that IFTTT would require a re-auth, but this failed. Even with an Arlo password change my IFTTT triggered my Arlo camera with no delay.

It'd be good if Netgear or part of the Arlo team could comment on this.
Timmy256
Apprentice

Thanks for your comment islandboy. Hopefully, @JamesC from Netgear can comment on this.

Timmy256
Apprentice

Thanks for your workaround islandboy. I knew about that; I actually did that several times in order to troubleshoot why IFTTT doesn't work, but as you also said, that's not optimum and we need to revoke at the source. Imagine the case of having your IFTTT account stolen and someone snooping around with your cameras...

islandboylp
Star

I agree Timmy! Hopefully Netgear support will have a better answer for me soon.

 

On a side note... my previous post disappeared..?

 

islandboylp
Star

Adding back my previous post for reference in case it helps anyone else, since it disappeared for some reason.

 

IFTTT allows disconnecting services from the Services settings.

 

From IFTTT FAQ: 

 

How do I change the account associated with a service?

Go to the service page you'd like to change.

  • Select Settings.
  • Select Edit connection.
  • Enter the login credentials for the account you want to use.

 

I accomplished this by logging into my IFTTT account and clicking on Services --> Arlo --> Settings, which will bring you to this page, which has "Disconnect Arlo" at the bottom:

 

[Screenshot: ARLO1.jpg]

 

This isn't the best solution, as revoking access from the source (Netgear) would ensure that the token is revoked, but this is better than nothing at this point.

 

Timmy256
Apprentice

Yeah, your previous post disappeared! Guess they couldn't handle the reality!

 

Timmy256
Apprentice

@JamesC, can you comment something on this security issue?


Thanks.

Timmy256
Apprentice

Well, how great that when you search "OAUTH Netgear" in Google, this thread is the first result that shows up, exposing the security issue that we have unaddressed here...

JamesC
Community Manager

Timmy256,

 

I have escalated this topic. I will post an update when I have more information.

 

JamesC

Timmy256
Apprentice

Thanks for your reply @JamesC; hopefully you guys can fix this security issue with a UI to revoke access to third-party apps.

Timmy256
Apprentice

Hi @JamesC, do you have any update on this issue so far?

 

Thanks.

JamesC
Community Manager

Timmy256,

 

I've requested an update on this issue. I will post again when I have more information.

 

JamesC

Timmy256
Apprentice

Hi @JamesC, any updates on this? It's been open for too long and it's really starting to worry me. If you Google "netgear oauth security", it's the first result to show up, so I'm sure people would be interested in knowing that you fixed this vulnerability.

 

If it's not possible for you to update us here, could you please create a case for someone from support to contact me? I just want to deauthorize IFTTT access to my Arlo account, which has an already authorized token (which I can't see or revoke, because the issue is that you don't have a UI to manage that).

 

Thanks.

JamesC
Community Manager

I've requested an update. I will post with more information as soon as I can.

 

JamesC

Timmy256
Apprentice

Hi @JamesC, it's been more than two months since your last reply. Any update on this subject? How can I deauthorize the token to stop a rogue IFTTT account (no longer owned by me) from accessing my Arlo account, in which it was previously authorized?

 

If you can't help me, can you please point me in the right direction or create a proper customer support case for this issue?

 

Thanks again for your help addressing this security issue.

JamesC
Community Manager

Timmy256,

 

A back end release was deployed very recently that I believe addresses this issue (currently checking with engineering). If you change your Arlo password, does IFTTT still remain linked?

 

JamesC