I’m delving into a new side of life – it is baby time! And of course we need a baby video monitor.
But do we go high tech with the WiFi and all the bells and whizz-bang features, or stick to a closed loop video monitor basic solution?
Since the fiasco and public awareness of hacked baby monitors several years ago (one example), it stands to reason that we all should be cautious in our selection.
We decided that we preferred to have some of the great features that come hand-in-hand with the next-gen WiFi enabled baby monitor camera systems. Being the tech geek that I am, I did some basic preliminary research. As much as possible, we needed a pragmatic solution with as much “security and privacy” focus as is reasonable for such a product. Eventually (albeit with insufficient research and reference checking) I concluded that Arlo (backed by Netgear) is a great brand and seems to tout the highest security and privacy, and their “ArloBaby” product comes with a great set of features. And it’s pretty durned cute!
(will submit link refs in a subsequent comment as “new users” are restricted to 5)
In addition, I contacted Arlo directly and inquired about LOCAL STORAGE options (say to NFS/SAMBA), or the ability to disable “save to Arlo cloud” entirely. My default assumption here is that we should not trust any company with a video feed within our home. Unfortunately, neither option was possible, so claimed Arlo. Since I was unable to find an alternative that matched the feature-set and public praise (read: too lazy to keep researching), the order was placed. — A baby is on the way! We only have so much time …
I had a plan. Despite the Arlo Promise, and their verbal assurances over the telephone with support, I really wanted to see for myself. Specifically I set out to answer this question:
- Does ArloBaby stay true to communicating ONLY with their own servers?
At home I prepared for this unit’s arrival. I pulled out my old D-Link DI-624 from the drawer (the backup router), configured a basic temporary WiFi access point, set up a Linux network bridge through a spare PC (2x NICs), verified Wireshark was set up to capture, and I was set. Simply put, I would set this thing up on my network over the required WiFi connection, capture all of its packets, and take a peek.
The device was ordered via CanadaComputers, and after a few days was ready for in-store pickup. Setup was unfortunately not a breeze: as it turns out, the firmware shipped by default (an out-dated version, of course) was unable to connect to my Wi-Fi systems at home, and needed a temporary access point (BASIC WPA2 no-AUTH) in order to connect. I then immediately upgraded the firmware, reset to factory defaults, and started over.
And finally to the goods. In my “FIRST CONNECT”, I captured the full session for a long period of time, which includes the initial connection, accessing the online portal, starting/stopping the video feed, etc.
(I’m about to use a tool called tshark; check this quick tutorial to learn more)
```
$ tshark -Q -z io,stat,120 -r arlobaby.pcap

====================================
| IO Statistics                    |
|                                  |
| Duration: 1086.42841 secs        |
| Interval: 120 secs               |
|                                  |
| Col 1: Frames and bytes          |
|----------------------------------|
|              |1                  |
| Interval     | Frames |    Bytes |
|----------------------------------|
|    0 <>  120 |   4450 |  3617084 |
|  120 <>  240 |   4499 |  3884535 |
|  240 <>  360 |   2355 |  1924663 |
|  360 <>  480 |  11301 | 10153273 |
|  480 <>  600 |  12783 | 11839093 |
|  600 <>  720 |  12865 | 11349034 |
|  720 <>  840 |  11556 | 10324957 |
|  840 <>  960 |   6834 |  6141490 |
|  960 <> 1080 |   5030 |  4460220 |
| 1080 <> Dur  |     32 |     4565 |
====================================
```
The IP address of this device is 1.0.0.137, so excluding that host, let’s find ALL the hosts it talked to:
```
$ for REMOTE_HOST in $(tshark -Tfields -e "ip.dst" -r arlobaby.pcap | egrep -v 1.0.0.137 | sort --unique); do echo -n "$REMOTE_HOST : "; nslookup $REMOTE_HOST| egrep -o "name = .*"; done
1.0.0.1 : name = (SNIP_MY_ROUTER_HOSTNAME).
128.100.18.14 : name = tyme.utoronto.ca.
144.217.181.221 : name = node1.darktech.org.
206.108.0.131 : name = ntp1.torix.ca.
209.249.181.52 : name = 52.0-127.181.249.209.in-addr.arpa.
name = time-a.netgear.com.
name = time-d.netgear.com.
224.0.0.251 :
34.240.61.103 : name = ec2-34-240-61-103.eu-west-1.compute.amazonaws.com.
34.240.92.208 : name = ec2-34-240-92-208.eu-west-1.compute.amazonaws.com.
34.243.41.176 : name = ec2-34-243-41-176.eu-west-1.compute.amazonaws.com.
34.246.25.14 : name = ec2-34-246-25-14.eu-west-1.compute.amazonaws.com.
34.246.49.113 : name = ec2-34-246-49-113.eu-west-1.compute.amazonaws.com.
34.248.43.2 : name = ec2-34-248-43-2.eu-west-1.compute.amazonaws.com.
34.250.210.29 : name = ec2-34-250-210-29.eu-west-1.compute.amazonaws.com.
34.252.140.187 : name = ec2-34-252-140-187.eu-west-1.compute.amazonaws.com.
34.255.155.163 : name = ec2-34-255-155-163.eu-west-1.compute.amazonaws.com.
34.255.53.65 : name = ec2-34-255-53-65.eu-west-1.compute.amazonaws.com.
35.165.216.249 : name = ec2-35-165-216-249.us-west-2.compute.amazonaws.com.
52.16.21.84 : name = ec2-52-16-21-84.eu-west-1.compute.amazonaws.com.
52.16.230.110 : name = ec2-52-16-230-110.eu-west-1.compute.amazonaws.com.
52.19.207.116 : name = ec2-52-19-207-116.eu-west-1.compute.amazonaws.com.
52.210.169.18 : name = ec2-52-210-169-18.eu-west-1.compute.amazonaws.com.
52.210.178.59 : name = ec2-52-210-178-59.eu-west-1.compute.amazonaws.com.
52.213.2.9 : name = ec2-52-213-2-9.eu-west-1.compute.amazonaws.com.
52.213.94.140 : name = ec2-52-213-94-140.eu-west-1.compute.amazonaws.com.
52.214.186.19 : name = ec2-52-214-186-19.eu-west-1.compute.amazonaws.com.
52.24.38.54 : name = ec2-52-24-38-54.us-west-2.compute.amazonaws.com.
52.48.93.247 : name = ec2-52-48-93-247.eu-west-1.compute.amazonaws.com.
52.50.154.103 : name = ec2-52-50-154-103.eu-west-1.compute.amazonaws.com.
52.51.175.151 : name = ec2-52-51-175-151.eu-west-1.compute.amazonaws.com.
54.194.187.165 : name = ec2-54-194-187-165.eu-west-1.compute.amazonaws.com.
54.194.78.37 : name = ec2-54-194-78-37.eu-west-1.compute.amazonaws.com.
54.72.184.79 : name = ec2-54-72-184-79.eu-west-1.compute.amazonaws.com.
54.72.45.58 : name = ec2-54-72-45-58.eu-west-1.compute.amazonaws.com.
54.77.151.189 : name = ec2-54-77-151-189.eu-west-1.compute.amazonaws.com.
```
To further assess who owns these IPs/addresses, a more in-depth check reveals:
```
$ for REMOTE_HOST in $(tshark -Tfields -e "ip.dst" -r arlobaby.pcap | egrep -v "1.0.0.1|1.0.0.137" | sort --unique); do echo; echo -n "$REMOTE_HOST : "; nslookup $REMOTE_HOST| egrep -o "name = .*"; whois $REMOTE_HOST | egrep -o "OrgName: .*"; done

128.100.18.14 : name = tyme.utoronto.ca.
OrgName: University of Toronto

144.217.181.221 : name = node1.darktech.org.
OrgName: OVH Hosting, Inc.

206.108.0.131 : name = ntp1.torix.ca.
OrgName: Toronto Internet Exchange Community

209.249.181.52 : name = 52.0-127.181.249.209.in-addr.arpa.
name = time-a.netgear.com.
name = time-d.netgear.com.
OrgName: Zayo Bandwidth

224.0.0.251 :

34.240.61.103 : name = ec2-34-240-61-103.eu-west-1.compute.amazonaws.com.
OrgName: Amazon Data Services Ireland Limited
OrgName: Amazon Technologies Inc.

34.240.92.208 : name = ec2-34-240-92-208.eu-west-1.compute.amazonaws.com.
OrgName: Amazon Data Services Ireland Limited
OrgName: Amazon Technologies Inc.

34.243.41.176 : name = ec2-34-243-41-176.eu-west-1.compute.amazonaws.com.
OrgName: Amazon Data Services Ireland Limited
OrgName: Amazon Technologies Inc.
```
`(SNIP)` - the rest were AWS as expected
So now to do some initial “high level” hypothesizing:

- `tyme.utoronto.ca` - I live in Canada, presumably this is an NTP server
- `node1.darktech.org` - this is possibly concerning by name only
- `ntp1.torix.ca` - hmm, another NTP server?
- `209.249.181.52` - some non-domain direct-IP, suspect
- `time-X.netgear.com` - OK, more NTP?
- `***.compute.amazonaws.com` - great, a bunch of AWS instances (not too surprised), how do we figure out if these are owned by Netgear/Arlo?
- `tyme.utoronto.ca` - Legit NTP:

  ```
  $ tshark -Y "ip.dst == 128.100.18.14" -r arlobaby.pcap
  156 6.757751 1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
  380 33.798258 1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
  (snip)
  59678 825.011669 1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
  71666 1070.224208 1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
  ```

- `node1.darktech.org` (WHOIS shows from USA) - More NTP!

  ```
  $ whois darktech.org | grep "Country"
  Registrant Country: US
  $ tshark -Y "ip.dst == 144.217.181.221" -r arlobaby.pcap
  155 6.749201 1.0.0.137 → 144.217.181.221 NTP 90 NTP Version 4, client
  6377 134.938336 1.0.0.137 → 144.217.181.221 NTP 90 NTP Version 4, client
  (snip)
  71662 1064.190286 1.0.0.137 → 144.217.181.221 NTP 90 NTP Version 4, client
  ```

- `ntp1.torix.ca` - More NTP … (skipping snippets going forward, NTP not interesting)

- `209.249.181.52` - More NTP (from US as well)

  ```
  $ whois 209.249.181.52 | egrep "OrgName|Country"
  OrgName: Zayo Bandwidth
  Country: US
  ```

- Also for `224.0.0.251`, looks like some local broadcast stuff (likely for Arlo proprietary device chatter)

  ```
  $ tshark -Y "ip.dst == 224.0.0.251" -r arlobaby.pcap
  427 61.011591 1.0.0.137 → 224.0.0.251 MDNS 327 Standard query response 0x0000 TXT, cache flush PTR _hap._tcp.local PTR ArloBabyF7._hap._tcp.local SRV, cache flush 0 0 5053 arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush ArloBabyF7._hap._tcp.local NSEC, cache flush arlo-babycam.local
  428 63.912749 1.0.0.137 → 224.0.0.251 MDNS 481 Standard query response 0x0000 TXT, cache flush PTR _hap._tcp.local PTR ArloBabyF7._hap._tcp.local SRV, cache flush 0 0 5053 arlo-babycam.local PTR, cache flush arlo-babycam.local PTR, cache flush arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush ArloBabyF7._hap._tcp.local NSEC, cache flush 137.0.0.1.in-addr.arpa NSEC, cache flush 6.5.D.3.C.2.E.F.F.F.E.8.2.0.A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa NSEC, cache flush arlo-babycam.local
  531 85.706737 1.0.0.137 → 224.0.0.251 IGMPv2 60 Membership Report group 224.0.0.251
  6666 218.725898 1.0.0.137 → 224.0.0.251 IGMPv2 60 Membership Report group 224.0.0.251
  11268 340.356045 1.0.0.137 → 224.0.0.251 IGMPv2 60 Membership Report group 224.0.0.251
  21483 464.595817 1.0.0.137 → 224.0.0.251 IGMPv2 60 Membership Report group 224.0.0.251
  26426 517.035942 1.0.0.137 → 224.0.0.251 MDNS 268 Standard query response 0x0000 PTR arlo-video-50D27BSU52EF7._arlo-video._tcp.local TXT, cache flush SRV, cache flush 0 0 554 arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush arlo-video-50D27BSU52EF7._arlo-video._tcp.local NSEC, cache flush arlo-babycam.local
  26617 518.360980 1.0.0.137 → 224.0.0.251 MDNS 268 Standard query response 0x0000 PTR arlo-video-50D27BSU52EF7._arlo-video._tcp.local TXT, cache flush SRV, cache flush 0 0 554 arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush arlo-video-50D27BSU52EF7._arlo-video._tcp.local NSEC, cache flush arlo-babycam.local
  ```
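As an added example (not from the original post), here is a small Python parser for the tshark mDNS summary lines above that pulls out which service types, instance names and ports the camera advertises on the LAN; `_hap._tcp` is the HomeKit Accessory Protocol service type and 554 is the registered RTSP port, so the two announcements tell you what another device on the same segment can reach locally. The two input lines are the capture's own lines, shortened to their PTR/SRV records.

```python
import re

# Two mDNS summary lines from the tshark output above, shortened to the PTR/SRV
# records (tshark's one-line summary format; one SRV record per line here).
MDNS_LINES = [
    "427 61.011591 1.0.0.137 → 224.0.0.251 MDNS 327 Standard query response 0x0000 "
    "TXT, cache flush PTR _hap._tcp.local PTR ArloBabyF7._hap._tcp.local "
    "SRV, cache flush 0 0 5053 arlo-babycam.local A, cache flush 1.0.0.137",
    "26426 517.035942 1.0.0.137 → 224.0.0.251 MDNS 268 Standard query response 0x0000 "
    "PTR arlo-video-50D27BSU52EF7._arlo-video._tcp.local TXT, cache flush "
    "SRV, cache flush 0 0 554 arlo-babycam.local A, cache flush 1.0.0.137",
]

# "PTR <instance>.<_service>._tcp.local"; the bare service-type PTR
# "_hap._tcp.local" has no instance label and is deliberately not matched.
INSTANCE_RE = re.compile(r"PTR (\S+?)\.(_[^\s.]+\._(?:tcp|udp))\.local")
# "SRV[, cache flush] <priority> <weight> <port> <target>"
SRV_RE = re.compile(r"SRV(?:, cache flush)? (\d+) (\d+) (\d+) (\S+)")

# Service types and ports we can name with certainty; anything else is vendor-specific.
KNOWN_SERVICES = {"_hap._tcp": "HomeKit Accessory Protocol (Apple HomeKit endpoint)"}
IANA_PORTS = {554: "RTSP", 80: "HTTP", 443: "HTTPS"}


def describe(service, port):
    """Human-readable meaning of an advertised service, as far as we can name it."""
    if service in KNOWN_SERVICES:
        return KNOWN_SERVICES[service]
    return f"vendor-specific service on port {port} ({IANA_PORTS.get(port, 'unregistered')})"


def parse_services(lines):
    """Return one dict per advertised service instance found in the summary lines."""
    found = []
    for line in lines:
        srv = SRV_RE.search(line)
        port = int(srv.group(3)) if srv else None
        target = srv.group(4) if srv else None
        for instance, service in INSTANCE_RE.findall(line):
            found.append({"service": service, "instance": instance, "port": port,
                          "target": target, "note": describe(service, port)})
    return found


if __name__ == "__main__":
    for s in parse_services(MDNS_LINES):
        print(f"{s['service']:18} {s['instance']:28} {s['target']}:{s['port']}  {s['note']}")
```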
The rest is AWS (Amazon Web Services)
Really not sure how to go about inspecting which company is behind these AWS instances without contacting Amazon directly one by one to inquire …
Suggestions welcome.
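One way to answer that without asking Amazon, added here as example code rather than anything the poster ran: correlate the DNS answers in the same capture with the destination IPs, since the camera learned most of those AWS addresses by resolving the arlo.com and netgear.com names listed further down. The input is constructed in the shape of tshark's `-T fields -e dns.qry.name -e dns.a` output; the hostnames are from this capture, but the IPs they map to here are invented for the example.

```python
from collections import defaultdict

# Constructed sample of
#   tshark -r arlobaby.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a
# output: tab-separated, several A records joined with commas. Hostnames are the
# ones seen in this capture; the IP mappings are invented for this example.
DNS_ANSWERS = """\
vzwow01-z1-prod.ar.arlo.com\t34.240.61.103,52.16.21.84
arlo-device.messaging.netgear.com\t34.240.92.208
advisor.ngxcld.com\t35.165.216.249
time-a.netgear.com\t209.249.181.52
"""

# Constructed destination list, the shape of `tshark -T fields -e ip.dst ... | sort -u`.
DESTINATIONS = ["34.240.61.103", "34.240.92.208", "35.165.216.249",
                "52.16.21.84", "54.77.151.189", "209.249.181.52"]


def parse_dns_answers(text):
    """Map each answered IP to the set of query names that resolved to it."""
    ip_to_names = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        qname, _, answers = line.partition("\t")
        for ip in filter(None, answers.split(",")):
            ip_to_names[ip].add(qname)
    return ip_to_names


def attribute(destinations, ip_to_names):
    """Split destinations into (explained by a DNS answer, never resolved in the capture)."""
    attributed = {ip: sorted(ip_to_names[ip]) for ip in destinations if ip in ip_to_names}
    unresolved = [ip for ip in destinations if ip not in ip_to_names]
    return attributed, unresolved


def by_domain(attributed):
    """Group attributed IPs by the last two labels of the name (arlo.com, netgear.com, ...)."""
    groups = defaultdict(list)
    for ip, names in attributed.items():
        for name in names:
            groups[".".join(name.split(".")[-2:])].append(ip)
    return dict(groups)


if __name__ == "__main__":
    attributed, unresolved = attribute(DESTINATIONS, parse_dns_answers(DNS_ANSWERS))
    for domain, ips in by_domain(attributed).items():
        print(f"{domain:14} {', '.join(ips)}")
    print("no DNS answer in capture (hard-coded, or resolved before capture started):", unresolved)
```

An IP that shows up as a destination but in no DNS answer is the one worth a closer look; for TLS connections the SNI field (`tls.handshake.extensions_server_name`, or `ssl.handshake.extensions_server_name` in older Wireshark) gives the same attribution per connection.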
I also took a gander through the capture manually, and scanned for any unexpected and unencrypted packets.
For example, excluding all TCP control packets and SSL:

```
(((ip.src == 1.0.0.137 || ip.dst == 1.0.0.137)) && !(ssl)) && !(tcp.flags == 0x012 || tcp.flags == 0x010 || tcp.flags == 0x002 || tcp.flags == 0x011 || tcp.flags == 0x018 || tcp.flags == 0x004)
```
It was all the NTP, DNS, and local broadcast.
One other thing: what about that DNS? Let’s triple check. All DNS queries go out to my LOCAL router (per DHCP; no unexpected external requests, though that in itself wouldn’t be bad).
Here’s the complete list of egress DNS requests:
```
$ tshark -Y "dns.flags == 0x0100" -r arlobaby.pcap | awk '{print $12}' | sort --unique
advisor.ngxcld.com
arlocs02.vz.netgear.com
arlo-device.messaging.netgear.com
mcs.netgear.com
vzweb17-prod.vz.netgear.com
vzweb28-prod.vz.netgear.com
vzwow01-z1-prod.ar.arlo.com
vzwow08-z1-prod.ar.arlo.com
vzwow108-z1-prod.ar.arlo.com
vzwow116-z1-prod.ar.arlo.com
vzwow131-z1-prod.ar.arlo.com
vzwow135-z1-prod.ar.arlo.com
vzwow139-z1-prod.ar.arlo.com
vzwow23-z1-prod.ar.arlo.com
vzwow31-z1-prod.ar.arlo.com
vzwow43-z1-prod.ar.arlo.com
vzwow44-z1-prod.ar.arlo.com
vzwow57-z1-prod.ar.arlo.com
vzwow58-z1-prod.ar.arlo.com
vzwow63-z1-prod.ar.arlo.com
vzwow67-z1-prod.ar.arlo.com
vzwow69-z1-prod.ar.arlo.com
vzwow77-z1-prod.ar.arlo.com
xbroker19-z2.arloxcld.com
```
We see primarily netgear and arlo (implicitly trusted, I suppose). `advisor.ngxcld.com` is unknown and yet another tenant of AWS.
So there we have it! Seems “secure-ish” right? What are your thoughts? Do you have the same product and were curious? Have you done this exercise with other baby monitor devices?