Arlo|Smart Home Security|Wireless HD Security Cameras

poutine
Aspirant

In both the Arlo web app and the Android app, the interface lies to you and tells you that your videos are deleted when they're not. There's no indication whatsoever that Netgear EVER deletes your videos.

Don't believe me? Check for yourself.

Using Chrome's dev tools, or Firefox's, open the network tab and go to arlo.netgear.com. After logging in, go to your saved videos. Play one of the videos you don't mind deleting later. In the network tab, you should see a signed S3 URL like so:

https://arlos3-prod-z2.s3.amazonaws.com/SOMELONGSTRING/recordings/14712434232892.mp4?AWSAccessKeyId=...

Copy that link and save it for later.

This link is a signed S3 link and is good for 24 hours.

Now click 'delete'. You'll receive a message saying your file was successfully deleted.

Open that link again? What's that? The video is still there! Open the link again in 23 hours, yup, video is still there.

It's not browser caching either; you'll notice you can open that link in a different browser and it still works just fine.

NETGEAR has never stated how long they keep your videos, and what they use them for, and they lie to you when you delete them. What if you accidentally had a video of you nude on there, or a loved one? NETGEAR could be archiving that stuff until the end of time, just waiting for a hacker to break into their AWS account.

jguerdat
Guru

I'm confused. You mention up to a day later but what about longer?

I suspect that backups have all videos "saved" but getting them pulled back would be a real issue.

TomMac
Guru

As a PS to the above, shared vids have a link life span of 24 hours before they're gone... Is it possible the above is somehow related to that?

I'd check the link the next day to be sure after 24 hours+

--------------------------------------
Morse is faster than texting!
--------------------------------------
poutine
Aspirant

You're mistaken, TomMac. A signed URL is just a way of protecting an S3 bucket from unauthorized access. Just because a link expires does not mean that the content the link referred to is actually gone. The interface TELLS me that my content is deleted, but it's clearly not being deleted. Why should I trust that it's deleted after 24 hours and not 23?

It's true I cannot prove that they keep it past 24 hours (because I cannot generate a URL signature, I'd need their AWS key to do that), but I strongly suspect that they don't, considering they already lied to me and told me it was deleted when it wasn't.
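
Added example, not part of the thread and not Arlo's or NETGEAR's code: a toy model of S3 query-string signing (the legacy `AWSAccessKeyId`/`Expires`/`Signature` form, which the link above is assumed to use). It shows that link expiry and object deletion are independent, and that editing `Expires` without the secret key breaks the signature. The bucket, key, credentials and the `fetch` storage model are constructed assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import urlsplit, parse_qs, quote
# Constructed values for illustration; not Arlo's bucket, key or credentials.
BUCKET, KEY = "example-bucket", "recordings/0001.mp4"
ACCESS_ID, SECRET = "AKIDEXAMPLE", b"constructed-secret"
DAY = 24 * 3600

def sign_v2(secret, bucket, key, expires):
    # SigV2 query auth signs the method, the expiry time and the resource path.
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret, string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def presign(bucket, key, expires):
    sig = quote(sign_v2(SECRET, bucket, key, expires), safe="")
    return (f"https://{bucket}.s3.amazonaws.com/{key}"
            f"?AWSAccessKeyId={ACCESS_ID}&Expires={expires}&Signature={sig}")

def fetch(url, store, now):
    """Toy model of the storage side; returns an HTTP-like status code."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    bucket, key = parts.hostname.split(".")[0], parts.path.lstrip("/")
    expires = int(query["Expires"][0])
    expected = sign_v2(SECRET, bucket, key, expires)
    if not hmac.compare_digest(expected, query["Signature"][0]):
        return 403  # Expires or path was edited without the secret key
    if now > expires:
        return 403  # link expired; this says nothing about the object
    # Real S3 may answer 403 instead of 404 if the signer cannot list the bucket.
    return 200 if (bucket, key) in store else 404

def bump_expiry(url, extra):
    # All a client without the secret can do: edit Expires, reuse the old signature.
    old = parse_qs(urlsplit(url).query)["Expires"][0]
    return url.replace(f"Expires={old}", f"Expires={int(old) + extra}")

def timeline(t0=1_700_000_000):
    store = {(BUCKET, KEY)}                  # object exists in the bucket
    url = presign(BUCKET, KEY, t0 + DAY)     # 24-hour link, as in the thread
    seen = {"t+23h, UI-only delete": fetch(url, store, t0 + 23 * 3600),
            "t+24h+1s, object kept": fetch(url, store, t0 + DAY + 1),
            "edited Expires": fetch(bump_expiry(url, DAY), store, t0 + DAY + 1)}
    store.discard((BUCKET, KEY))             # an actual delete of the object
    seen["t+1h, object removed"] = fetch(url, store, t0 + 3600)
    return seen

if __name__ == "__main__":
    print(timeline())
```

In this model, the only observation that shows a real deletion is the 404 on a link that is still within its validity window; a 403 after expiry is the same whether or not the object still exists.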

TomMac
Guru

Thanks for the info... Honestly I don't know the answer either.

Maybe they forward them to the NSA 🙂
