Arlo|Smart Home Security|Wireless HD Security Cameras

marademha
Tutor
Tutor

My device uploaded to wowzachild.netgear.com. Is this normal? I have not seen this before.

1 ACCEPTED SOLUTION

Accepted Solutions
marademha
Tutor
Tutor

I received the following from Arlo support...

As per Security and FW team, "The devices are in actuality NOT connecting to wowzachild.netgear.com. The router is reporting this due to the certificate on our streaming servers."

 

Our team are currently working on it to make sure it will display the correct certificate from your end"


26 REPLIES
StephenB
Guru Guru
Guru

@marademha wrote:

My device uploaded to wowzachild.netgear.com. Is this normal? I have not seen this before.


What device?

 

That site doesn't exist.

marademha
Tutor
Tutor

I have 2 Arlo pro 4s

StephenB
Guru Guru
Guru

@marademha wrote:

I have 2 Arlo pro 4s


And what exactly was uploaded?

 

If you use a DNS lookup tool, you will find that wowzachild.netgear.com doesn't exist.  So it is not possible to upload anything to it.  There is a wowzachild.arlo.com.  Not sure exactly how that is used, but it appears to be something to do with docusign.

 

marademha
Tutor
Tutor

 

 

 

My firewall says both cameras uploaded around  1mb of data on 2 occasions. This has only happened in the last few days. The typical upload locations of the camera are whitelisted 

[Screenshot attachment dated 2024-07-13]

marademha
Tutor
Tutor

Looking further they have uploaded up to over 200mb in the last 24 hours

TomMac
Guru Guru
Guru

Listed here ;

https://www.shodan.io/host/52.50.127.92

 

as in an SSL certificate;

 SSL Certificate

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Netgear, Inc., OU=IT, CN=wowza.netgear.com
        Validity
            Not Before: Aug 12 22:36:30 2016 GMT
            Not After : Aug  6 22:36:30 2041 GMT
        Subject: C=US, ST=California, L=San Jose, O=Netgear, OU=IT, CN=wowzachild.netgear.com

 

The IP listed in his window comes back to Amazon services

--------------------------------------
Morse is faster than texting!
--------------------------------------
StephenB
Guru Guru
Guru

@marademha wrote:

 

My firewall says both cameras uploaded around  1mb of data on 2 occasions. This has only happened in the last few days. The typical upload locations of the camera are whitelisted 


No idea where the firewall got that domain name, since the three DNS lookup tools I tried all said there is no such host. The DNS entry for wowzachild.arlo.com isn't tied to an IP address; it appears to be a docusign ID of some kind. You can check all this yourself if you like.

 

The 54.245.252.251 IP address is assigned to an Amazon AWS server.  I tried doing a reverse IP lookup with that address and just got the expected ec2-54-245-252-251.us-west-2.compute.amazonaws.com

marademha
Tutor
Tutor

[Two screenshot attachments dated 2024-07-13]

 

 

This is the history, I recognise my devices connecting to these other servers as legitimate. 

I understand your information above.

So why would the devices be doing this?

 

 

marademha
Tutor
Tutor

If I block the domain with my firewall the Arlo cameras stop working.

How do I get Arlo to confirm these are legitimate requests.

 

 

StephenB
Guru Guru
Guru

@marademha wrote:

If I block the domain with my firewall the Arlo cameras stop working.

How do I get Arlo to confirm these are legitimate requests.

 


Contact Arlo support.  This is bizarre since the hostname doesn't exist in DNS.   The old SSL cert you found goes back to the time when Arlo was part of Netgear.  But that hasn't been the case since 2018. 

 

I don't think tier 1 support will be able to help, you'll probably need to get it escalated to tier 3.

 

I'm tagging the mods - @JamesC , @ShayneS , @BrookeN - to call their attention to your question.

 

BrookeN
Arlo Moderator
Arlo Moderator

I am looking into this. I will update you as soon as possible. 

BrookeN
Arlo Moderator
Arlo Moderator

Can you please get your Pro 4 back online so we can download the device logs?

marademha
Tutor
Tutor

How do I provide you the logs?

marademha
Tutor
Tutor

Sorry, also, do you require my firewall still blocking or not?

jguerdat
Guru Guru
Guru

The logs would be on the server, not your camera. I would expect that the firewall should not be blocking so the system is working normally.

marademha
Tutor
Tutor

Ok, I have connected them back online. Sorry for delay 

Seriously00021
Aspirant
Aspirant

Did this ever get figured out as I’m having the same issue with the same firewall. Suddenly a week ago (give or take some days) I’m getting a slew of alarms which typically would be due to the destination of traffic having suddenly changed. Has Arlo made any major changes recently? Perhaps running out of an alternative location for DR testing? 

StephenB
Guru Guru
Guru

@Seriously00021 wrote:

 Has Arlo made any major changes recently? Perhaps running out of an alternative location for DR testing? 


They haven't announced any.

 

In @marademha's case it is still connecting to an AWS server, and my guess is that is an Arlo server.  The puzzle is where the wowzachild.netgear.com domain name is coming from.

marademha
Tutor
Tutor

I received the following from Arlo support...

As per Security and FW team, "The devices are in actuality NOT connecting to wowzachild.netgear.com. The router is reporting this due to the certificate on our streaming servers."

 

Our team are currently working on it to make sure it will display the correct certificate from your end"
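
Added example, not part of any post in this thread: a Python sketch that parses the certificate text quoted from Shodan earlier in the thread and lists what a monitoring device can read from it, which is how a hostname that is absent from DNS can still appear as a traffic label. The `dns_resolves` flag is an assumption supplied by the caller, set here from the DNS lookups reported in the thread.

```python
import re
from datetime import datetime

# Certificate text as quoted from Shodan in this thread (embedded so this runs offline).
CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Netgear, Inc., OU=IT, CN=wowza.netgear.com
        Validity
            Not Before: Aug 12 22:36:30 2016 GMT
            Not After : Aug  6 22:36:30 2041 GMT
        Subject: C=US, ST=California, L=San Jose, O=Netgear, OU=IT, CN=wowzachild.netgear.com
"""

def parse_cert_text(text):
    """Pull the fields a traffic monitor would display from an openssl-style dump."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    def when(label):
        raw = field(rf"^\s*{label}\s*:\s*(.+?) GMT\s*$")
        return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    return {
        "version": int(field(r"^\s*Version:\s*(\d+)")),
        "issuer_cn": field(r"^\s*Issuer:.*\bCN\s*=\s*([^,\n]+)"),
        "subject_cn": field(r"^\s*Subject:.*\bCN\s*=\s*([^,\n]+)"),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
    }

def review(cert, dns_resolves):
    """Return observations; dns_resolves is an assumption passed in by the caller."""
    notes = []
    if not dns_resolves:
        notes.append(f"label {cert['subject_cn']} comes from the subject CN, not DNS")
    if cert["version"] < 3:
        notes.append("X.509 v1: no extensions, so no subjectAltName to match")
    if cert["issuer_cn"] != cert["subject_cn"]:
        notes.append(f"issuer CN {cert['issuer_cn']} differs from subject CN")
    years = (cert["not_after"] - cert["not_before"]).days / 365.25
    if years > 2:
        notes.append(f"validity of about {years:.0f} years")
    return notes

if __name__ == "__main__":
    for note in review(parse_cert_text(CERT_TEXT), dns_resolves=False):
        print("-", note)
```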

Seriously00021
Aspirant
Aspirant

It’s a certificate, I think that was the signing domain possibly. If our devices are suddenly using the wrong certificate we would need to disconnect immediately. 

Seriously00021
Aspirant
Aspirant

Good stuff, false alert then. Thanks!! 

Seriously00021
Aspirant
Aspirant

These alerts are still flooding in and the IPs the base station is connecting to keep changing. Many of the IPs it’s talking to don’t even have 90 days of history being online. Is Arlo certain that base stations haven’t been compromised somehow? If it’s normal for Arlo to spin up servers and down them frequently to constantly have new IPs then it’s probably still the bizarre cert that’s setting off the alarm bells. It’s a bit creepy thinking the base station might be calling the wrong location and I’m tempted to block it until this is resolved or someone can say for sure that (one example of many) 44.238.119.216 should be something my base station or other device should be communicating with. I also have Arlo security. 

BrookeN
Arlo Moderator
Arlo Moderator

@Seriously00021 are you seeing that same domain? What is the behavior you are seeing? Can you tell me more details, please?

Seriously00021
Aspirant
Aspirant

I’m not seeing domains now, just IP addresses, which is weird by itself, but those IPs are saying they haven’t been seen on the internet for at least 90 days, which is causing the security appliance to trigger warnings. The only time we can see the domain is if Shodan has scanned the IP/domain the device is talking to and gotten back a certificate, but these new IPs aren’t returning anything. I could probably give a list of 10 different IP addresses my base station and door bell (not linked to the station) they haven’t been seen before. This appliance has a heuristics engine which creates a traffic baseline for all devices behind it, and around the time the OP complaint came in I got hit with it too. Since then it’s become a daily event where I get an “abnormal connection” event. If these IPs would resolve to a domain name it probably wouldn’t be an issue. It’s rare to see hardcoded IP addresses in modern code, which raises more red flags, but Arlo has always shown up like that when throwing one of these alerts so I assume it’s normal for the product.