I cam spy on you—from weaknesses in camera firmware to creepy messages delivered through baby surveillance systems—the Internet of Things (IoT) continues to present countless challenges as it hovers above the crossroad of security and privacy.
Recently I discovered Reddit poster Jenn & Tonic (J&T). Having initially purchased and returned a Netgear Arlo surveillance cam, J&T can now spy on the new owner—via the use of a previously associated Arlo account.
For the purpose of this article, I am assuming that the previous Arlo surveillance cam owner returned the camera to a Netgear authorized reseller and the new owners received a used product. It is interesting to note that, if this is true, the returned surveillance cam spy system was obviously not set to factory defaults prior to resale.
My bigger concern was that Netgear doesn’t remove the cameras from my account when the new user adds them, or alert the new user that the cameras were previously activated. If anyone purchases a set of cameras, they have no way of knowing if anyone else is watching them. It’s disconcerting. — Reddit
Alerts go to wrong owner
J&T was unaware that they had access to the new owner’s live video feed until the Arlo service sent them an alert.
Once the Arlo cam detects motion, it automatically sends an alert to the registered account owner. After receiving the alert, J&T logged into the account with the primary concern that their personal information was somehow compromised or “Netgear had been hacked or someone was using Netgear for a phishing expedition.” J&T further elaborated on Reddit: “I had NO idea that once logged in I would be able to see someone else’s live camera feed.” Disconcerting indeed!
IoT cam spy can spy on you
Obviously there are security and privacy concerns due to the J&T account digesting the live camera feed of the new owner. Whoever resold the surveillance cam suite did not default the camera unit to factory settings. Is it up to the previous owner to disconnect the Arlo account prior to returning the cam spy equipment, or is it up to the reseller? Though I sent a request to Arlo for more information regarding this incident—Arlo did not respond as of this writing.
Arlo setup:
- Set up base station.
- Register an Arlo account.
- Select base station’s serial number from a drop-down menu.
- Set up and sync cams.
The basic (free) plan allows up to five cams and automatically saves each video it records in Arlo cloud storage (seven days of cloud storage/up to one GB). You can’t download any of the recorded videos; you can only watch them.
All Arlo accounts offer:
- AES encryption.
- Strict password requirements.
- Account authentication over a secure HTTPS connection.
- Limited login attempts (a maximum of five login attempts over five minutes).
To access Arlo videos, you merely need a login name and password. According to Arlo: Your user account is linked to your Arlo system and allows you to view videos from any Internet-connected computer or mobile device.
Though setup and access are very user friendly—consumer education is lacking.
Who is at fault?
I do not believe it is J&T. Why? Because I would probably be just as curious as they are about receiving a motion detection alert, for a cam that was no longer in my possession. Clearly, security and privacy design may be lacking. Though this is only one incident—how many other incidents of this nature are sitting around like ticking time bombs just waiting to be discovered?
Oh, the possibilities . . .
What would happen if the new cam owner continued ongoing surveillance and shared this with his or her friends? What if a preview into the new owner’s lifestyle portrayed kinky, unsavory or illicit activities? Would extortion become a possibility?
I also wonder how I would deal with looking into the lives of other people (without their knowledge and consent.) Would my curiosity cause me to peek into their lives sporadically or more frequently? How would I report it without suffering fear of retribution from unauthorized access via my Arlo account?
Adding consternation to my fear-fluffing questions—I discovered this YCombinator thread warning about potential legal ramifications (sending chills down my spine):
If something like this happens to you – where you gain unauthorized access inadvertently to something – I’d be careful. Under the CFAA you can be charged criminally and the penalties are severe. So for example, if the OP was to casually drop a few photos the camera took and a badly worded warning in their mailbox trying to help, the ‘victim’ could report it to the police and an inexperienced DA might try to bag their first cyber prosecution.
I’d definitely not contact the customer. Contact the vendor instead with an email and immediately remove your own access to the system. That way you have it on record (the email) and mention in the email you immediately revoked your own access.
Let’s turn the tables—How would I feel if I was the new cam spy owner and totally oblivious that a previous owner could be spying on me? Creepy . . .
Delete the account
I am the type of person who likes rapid service with zero hassles. When deleting an online account, the last thing I want to do is make a phone call or log a request through a helpdesk system.
Deleting an Arlo account is not pain-free. You have to contact Arlo support and create a service desk ticket request. I guess I could tell the Arlo support team my concerns and have the account deleted and keep it between us.
My conscience dictates otherwise—Would my decision help further security and privacy for this product/service if the problem merely continued to reside in-house?
J&T did the right thing
According to this update on Reddit–Netgear is aware of the problem and the cam spy system was not supposed to be resold. It will be interesting to see how Netgear addresses this update.
It is a good thing I sat on this blog post for a few days . . .
Yesterday, Netgear responded in this Reddit thread:
Please know that NETGEAR has previously informed our resellers that retailers are not to resell cameras that have been returned, so the Arlo camera system in this instance was resold without our authorization. When setting up a previously owned camera it is advised that all Arlo cameras be reset from the original base station, which will clear connection with any previously existing account. The configuration for the cameras needs to be cleared as the settings may contain the associated account information of the previous owner. NETGEAR is aware of this concern and takes the security of our customers seriously.
Additionally, NETGEAR has tested for a scenario in which randomized serial numbers would be used to gain access to an Arlo camera. From the testing we have conducted, NETGEAR has not seen a possible scenario where a random serial number plug-in would provide unauthorized access to a video stream.
The security of the Arlo camera system is by design and has been tested by independent analysts. NETGEAR also conducts bug bounty programs (which is a private program) to further ensure the security of our customers’ video streams.
NETGEAR takes the security of our customers seriously and is constantly monitoring for the latest threats. The security community’s efforts in creating a more secure world are appreciated. NETGEAR does value the reporting of security concerns and incidents that are related to our product offerings.
So, it does appear that the retailer would be at fault since the cam spy was resold without proper authorization from Netgear. But, what about all the other brands out there that are resold on Amazon, Craigslist, eBay and similar online marketplaces? What about the victims? Have they been notified? If not—will they someday stumble across this Reddit post and wonder if it could have been them?
The simple answer might be to never buy used or refurbished surveillance cams—but, we all know this answer is not practical or realistic.
Consumer education regarding product updates (in layman’s terms) that also address product/service security and privacy is needed. Providing easy access to clear, concise, and documented instructions could have prevented the new owner from becoming a victim of unknown cam spy surveillance. Had the retailer not resold a used camera (still connected with the previous owner), this situation would not be plastered on Reddit right now. Perhaps it is meant to be another wake-up call (within the vast underbelly sea of IoT alarms), or maybe I am just thinking too deeply about the “what if’s.”
One thing is for sure—If we don’t take the time to rethink how security and privacy should work from the bottom-up, it will continue to remain a top-down deal. I think we need to go back to the basics starting with hardware, software and bake overall consumer security and privacy throughout entire systems and processes.
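The gap J&T describes (a camera added by a new owner stays attached to the previous account, and nobody is told) can be closed on the service side. The sketch below is an added example, not Arlo's or Netgear's code: `Registry`, `Device`, `reset_proof`, the per-device key and the reset counter are all hypothetical names and assumptions used to show one way a claim could require proof of a physical reset, drop the old binding, and notify both accounts.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Device:
    key: bytes                    # per-device secret set at manufacture (assumed)
    owner: Optional[str] = None
    resets: int = 0               # highest reset counter the service has accepted

def reset_proof(key: bytes, resets: int) -> str:
    """Device side: tag emitted after a physical reset, bound to the counter."""
    return hmac.new(key, b"reset:%d" % resets, hashlib.sha256).hexdigest()

@dataclass
class Registry:
    devices: dict = field(default_factory=dict)   # serial -> Device
    notices: list = field(default_factory=list)   # (account, message)

    def claim(self, serial: str, account: str, resets: int, proof: str) -> bool:
        dev = self.devices.get(serial)
        # A serial number alone never binds a camera: the claim needs a proof
        # for a counter newer than any seen before, so old proofs cannot replay.
        if dev is None or resets <= dev.resets:
            return False
        if not hmac.compare_digest(proof, reset_proof(dev.key, resets)):
            return False
        previous, dev.owner, dev.resets = dev.owner, account, resets
        if previous and previous != account:
            # Transfer: the old binding is dropped and both sides are told.
            self.notices.append((previous, f"{serial} was removed from your account"))
            self.notices.append((account, f"{serial} was previously activated"))
        return True

    def alert_recipients(self, serial: str) -> list:
        dev = self.devices.get(serial)
        return [dev.owner] if dev and dev.owner else []

def demo() -> list:
    key = b"\x01" * 32                                  # constructed sample key
    reg = Registry({"SN-SAMPLE": Device(key)})
    reg.claim("SN-SAMPLE", "first-owner", 1, reset_proof(key, 1))
    reg.claim("SN-SAMPLE", "second-owner", 2, reset_proof(key, 2))  # resold, then reset
    return reg.alert_recipients("SN-SAMPLE")

if __name__ == "__main__":
    print(demo())
```

With this rule, motion alerts follow the most recent proven reset, so a resold camera that the buyer resets stops reporting to the earlier account.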
We’ve had three big ideas at Amazon that we’ve stuck with for 18 years, and they’re the reason we’re successful: Put the customer first. Invent. And be patient. —Jeff Bezos, Founder Amazon
I’m all for a bottom-up revolution, how about you?