I have 2 Arlo pro 4s

---

@marademha wrote:

I have 2 Arlo pro 4s

---

And what exactly was uploaded?

If you use a DNS lookup tool, you will find that wowzachild.netgear.com doesn't exist.  So it is not possible to upload anything to it.  There is a wowzachild.arlo.com.  Not sure exactly how that is used, but it appears to be something to do with docusign.

My firewall says both cameras uploaded around  1mb of data on 2 occasions. This has only happened in the last few days. The typical upload locations of the camera are whitelisted 

Looking further they have uploaded up to over 200mb in the last 24 hours

Listed here ;

https://www.shodan.io/host/52.50.127.92

as in an SSL certificate;

 SSL Certificate

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Jose, O=Netgear, Inc., OU=IT, CN=wowza.netgear.com
        Validity
            Not Before: Aug 12 22:36:30 2016 GMT
            Not After : Aug  6 22:36:30 2041 GMT
        Subject: C=US, ST=California, L=San Jose, O=Netgear, OU=IT, CN=wowzachild.netgear.com

The IP listed in his window comes back to Amazon services

---

@marademha wrote:

 

My firewall says both cameras uploaded around  1mb of data on 2 occasions. This has only happened in the last few days. The typical upload locations of the camera are whitelisted 

 

---

No idea where the firewall got that domain name, since the three DNS lookup tools I tried said all there is no such host. The DNS entry for wowzachild.arlo.com isn't tied to an IP address, it appears to be a docusign ID of some kind.  You can check all this yourself if you like.

The 54.245.252.251 IP address is assigned to an Amazon AWS server.  I tried doing a reverse IP lookup with that address and just got the expected ec2-54-245-252-251.us-west-2.compute.amazonaws.com

This is the history, I recognise my devices connecting to these other servers as legitimate. 

I understand your information above.

So why would the devices be doing this?

If I block the domain with my firewall the Arlo cameras stop working.

How do I get Arlo to confirm these are legitimate requests.

---

@marademha wrote:

If I block the domain with my firewall the Arlo cameras stop working.

How do I get Arlo to confirm these are legitimate requests.

 

---

Contact Arlo support.  This is bizarre since the hostname doesn't exist in DNS.   The old SSL cert you found goes back to the time when Arlo was part of Netgear.  But that hasn't been the case since 2018. 

I don't think tier 1 support will be able to help, you'll probably need to get it escalated to tier 3.

I'm tagging the mods - @JamesC , @ShayneS , @BrookeN - to call their attention to your question.

I am looking into this. I will update you as soon as possible. 

Can you please get your Pro 4 back online so we can download the device logs?

How do I provide you the logs?

Sorry also , do you require my firewall stilling blocking or not

The logs would be on the server, not your camera. I would expect that the firewall should not be blocking so the system is working normally.

Ok, I have connected them back online. Sorry for delay 

Did this ever get figured out as I’m having the same issue with the same firewall. Suddenly a week ago (give or take some days) I’m getting a slew of alarms which typically would be due to the destination of traffic having suddenly changed. Has Arlo made any major changes recently? Perhaps running out of an alternative location for DR testing? 

---

@Seriously00021 wrote:

 Has Arlo made any major changes recently? Perhaps running out of an alternative location for DR testing? 

---

They haven't announced any.

In @marademha's case it is still connecting to an AWS server, and my guess is that is an Arlo server.  The puzzle is where the wowzachild.netgear.com domain name is coming from.

It’s a certificate, I think that was the signing domain possibly. If our devices are suddenly using the wrong certificate we would need to disconnect immediately. 

Good stuff, false alert then. Thanks!! 

These alerts are still flooding in and the IPs the base station is connecting to keep changing. Many of the IPs it’s talking to don’t even have 90 days of history being online. Is Arlo certain that base stations haven’t been compromised somehow? If it’s normal for Arlo to spin up servers and down them frequently to constantly have new IPs then it’s probably still the bizarre cert that’s setting off the alarm bells. It’s a bit creepy thinking the base station might be calling the wrong location and I’m tempted to block it until this is resolved or someone can say for sure that (one example of many) 44.238.119.216 should be something my base station or other device should be communicating with. I also have Arlo security. 

@Seriously00021 are you seeing that same domain? What is the behavior you are seeing can you tell me more details please. 

I’m not seeing domains now just IP addresses which is weird by itself but those IPs are saying they haven’t been seen on the internet for at least 90 days which is causing the security appliance to trigger warnings. The only time we can see the domain is if shodan has scanned the IP/domain the device is talking to and gotten back a certificate but these new IPs aren’t returning anything. I could probably give a list if 10 different IP addresses my base station and door bell (not linked to the station) they haven’t been seen before. This appliance has a heuristics engine which creates a traffic baseline for all devices behind it and around the time the OP compliant came in I got hit with it too. Since then it’s become a daily event where I get an “abnormal connection” event. If these IPs would resolve to a domain name it probably wouldn’t be an issue. It’s rare to see hardcoded IP addresses in modern code which raises more red flags but Arlo has always shown up like that when throwing one of these alerts so I assume it’s normal for the product.