Arlo|Smart Home Security|Wireless HD Security Cameras

Camers hacked after the recomended password change.

Reply
Discussion stats
  • 20 Replies
  • 25213 Views
  • 13 Likes
  • 10 In Conversation
Altme
Tutor
Tutor

Dear Arlo

 

Please be advised that following your security notice re: Arlo Security Cameras, change password; I immediately did as instructed and changed my password to a 15 character random, upper lower case, including allowed special charters, password.

 

Last night (5th June 2018) at approximately 2am (eastern Australian time) somebody was speaking over the voice intercom on one of my cameras, which would indicate that somebody has remote access to the cameras despite the password change.

 

I have changed the password again and this time rebooted the Arlo bas station however I find it VERY disturbing that access to the cameras might be compromised by a third party, could you look into this matter with the utmost urgency.

20 REPLIES 20
T2342344
Star
Star

Given this information and based on other disturbing security issues lately I request that Arlo gives users a view to the last logins information as well as implement MFA asap.

 

I have a feeling that the full severity of the latest security breach(es) is not reveled by Arlo because that would ruin the business.

Altme
Tutor
Tutor

Obviously more to it than just a pasword issue 😞 - it is a pretty creepy experience to wake up to some random person talking over what is suposed to be a secure intercom.

T2342344
Star
Star

Password change does not help if hackers have linked your account to OAuth service. As customers we also need a view to linked OAuth services.

Altme
Tutor
Tutor

If, as you say, an OAuth hack is the reason that I had/have someone accessing my cameras - and after investigating it seems like a plausible hypothesis - then is it reasonable to assume that despite password changes, ALL Arlo users are exposed and there is nothing they can do to stop it apart from disable the cameras!

 

Dear Netgear

According to the new Australian Mandatory Data breach legislation, Netger is required to inform Australian users of the following information.

 

  • the kinds of personal information involved in the breach
  • a description of the data breach
  • recommendations for what steps you can take in response

If this is an attack on the Arlo/Netgear system that cannot be rectified by users changing their passwords, then Netgerar has a legal obligation to inform its users that their cameras are potentially subject to unauthorised access by malicious third parties.

 

What measures is Netgear taking to inform users of the extent and nature of the security breach? Obviously telling users it was a "brute force attack" and to change their passwords is not sufficient information i.e. If this is an OAuth hack the obviously the only "recommendations for what steps you can take in response" are to tell users to turn off their cameras.

Altme
Tutor
Tutor

It happened again last night: 12:45 am and someone was talking on one of my cameras! I've had to turn off the base station so the cameras, at this time, are a useless (expensive) collection of junk.

 

How do I stop this happening Arlo? What is going on that some third party has access to my cameras and presumably my personal details in my profile?

rye_whiskey
Apprentice
Apprentice

We received no such notice.  Could it have been a phishing attempt and they acquired the password that way?

k-l-a
Tutor
Tutor
This company is awful! I’ve been asking for several years, why is there no “security” (2-step Authentication) with these cameras? Makes Zero sense! I’m sorry to hear of your beyond creepy experience, I’ve had my own and yet there is no solution after years of asking. I rate them a gutter ball!
k-l-a
Tutor
Tutor
I’ve been asking for several years, no response! It’s as if no ones home there. It’s maddening and frustrating that this is supposed to help us feel more secure, we’ve allocated all the funds and yet zero support, zero actual security, easily hacks me and not even 2-step auth available. I’m getting ready to file further complaints and get other more secure devices.
k-l-a
Tutor
Tutor
Exactly! Didn’t use mine for over a year due to the hacks! Expensive POC 💩
k-l-a
Tutor
Tutor
We demand 2-authentication + LOG IN history !
rye_whiskey
Apprentice
Apprentice

I agree this really should be done (increased security) but as I stated in a previous post, this sounds more like a phishing attempt if you clicked a link through an email.  No such password request here in the States.    NEVER just click a link for a password change like this.  Go directly to Arlo's site in a fresh browser and change it there.

 

Was this a specific thing for Australian customers?

Stottle
Aspirant
Aspirant
Is the voice over the speaker a possible radio interference issue ? I've heard truck drivers over my television before ! Radio frequency interference can do some pretty crazy things, and FCC rules state that any device must accept RF interference though it may be detrimental to the product by law.
JM2C.
arlo_mdfamily
Star
Star

this was my thought as well -- you probably got phished.

MelCay
Aspirant
Aspirant
What does the voice say?
Blayd
Tutor
Tutor

No reply from the company after this breach?! 

Now Nest has the same breach. 

I want a response from the company ASAP. 

rye_whiskey
Apprentice
Apprentice
This was not a company breach. It was a phishing scheme that worked.
Blayd
Tutor
Tutor

Yeah, I gotcha.

Artumis111
Tutor
Tutor
Your phishing theory is based upon assumption, not fact.

I don’t know if the specifics of the individual which started this thread, however; I do have insight in the similar realm.

I’ve had my arlo 2 Pro 5 camera system for about 5 days. I just picked it up from Costco and have been placing the cameras around my property.

I left one camera that I had synced on a shelf before I left for work today. My wife called me in a panic after she had been at home with our children for around 2-3 hours.

The camera VERY CLEARLY recorded someone other than myself speaking through it to my wife and children. They shouted something to the effect of, “HEY!”. One of my children even asked my wife who was talking.

Your phishing theory falls flat for two reasons:
1) I’ve set the account up through the arlo app. There have been no requests for password resets nor have I changed the password.

2) The password I set is one of the strong passwords safari will auto generate when requested. There is zero chance this password was brute forced or intercepted upon implementation.

If someone from Netgear would like a copy of the videos, I have them saved and they are still in my Netgear Cloud.
rye_whiskey
Apprentice
Apprentice

I'll concede a bit on that if you tell me you're using a quality router & security software and not just your internet provider's equipment to connect through.   The phishing and poor security are the two biggest ways creeps get in.   If you have a secure network there should be NO way for this to happen.

The_Wraith
Apprentice
Apprentice

What everyone has failed to accept as a possibility is that the authentication to  your Arlo system(s) is being obtained through keylogger software on your client machines (desktop/laptops or mobile devices).  It's quite conceivable that when you change  your password your activity is being monitored and logged due to poor client security, having nothing to do with Arlo system security.


Regards,
The Wraith