Return to Level1Techs.com

ArloBaby Monitor Camera - How Secure is it Really?


#1

I’m delving into a new side of life – it is baby time! And of course we need a baby video monitor.

random_baby_monitor_pic

But do we go high tech with the WiFi and all the bells and whizz-bang features, or stick to a closed loop video monitor basic solution?

Since several years ago the fiasco and public awareness of hacked baby monitors (one example), it stands to reason we all should be cautious in our selection.

We decided that we preferred to have some of the great features that come hand-in-hand with the next-gen WiFi enabled baby monitor camera systems. Being the tech geek that I am, I did some basic preliminary research. As much as possible, we needed a pragmatic solution with as much “security and privacy” focus as is reasonable for such a product. Eventually (albeit with insufficient research and reference checking) I concluded that Arlo (backed by Netgear) is a great brand and seems to tout the highest security and privacy, and their “ArloBaby” product comes with a great set of features. And it’s pretty durned cute!

(will submit link refs in a subsequent comment as “new users” are restricted to 5)

In addition, I contacted Arlo directly and inquired about LOCAL STORAGE options (say to NFS/SAMBA), or the ability to disable “save to Arlo cloud” entirely. My default assumption here is that we should not trust any company with a video feed within our home. Unfortunately neither option was possible so claimed Arlo. Since I was unable to find an alternative that matched the feature-set and public praise (read: too lazy to keep researching), the order was placed. — A baby is on the way! We only have so much time …

I had a plan. Despite the Arlo Promise, and their verbal assurances over the telephone with support, I really wanted to see for myself. Specifically I set out to answer this question:

  • Does ArloBaby stay true to to communicating ONLY with their own servers?

At home I prepared for this unit’s arrival. Pulled out my old D-Link DI-624 from the drawer (the backup router), configured a basic temporary WiFi access point, setup a Linux network bridge through a spare PC (2x NICs), verified wireshark was setup to capture, and I was set. Simply put, I would set this thing up into my network over the required WiFi connection, capture all of its packets, and take a peek.

The device was ordered via CanadaComputers, and after a few days was ready for in-store pickup. Setup was unfortunately not a breeze, as it turns out the firmware shipped by default (an out-dated version of course) was unable to connect to my Wi-Fi systems at home, and needed a temporary access point (BASIC WPA2 no-AUTH) in order to connect, then I immediately upgraded the firmware, then reset to factory defaults, and started over.


And finally to the goods. In my “FIRST CONNECT”, I captured the full session for a long period of time which includes initial connection, accessing the online portal, starting/stopping the video feed etc.

(I’m about to use a tool called tshark, check this quick tutorial to learn more)

$ tshark -Q -z io,stat,120 -r arlobaby.pcap 

====================================
| IO Statistics                    |
|                                  |
| Duration: 1086. 42841 secs       |
| Interval:  120 secs              |
|                                  |
| Col 1: Frames and bytes          |
|----------------------------------|
|              |1                  |
| Interval     | Frames |   Bytes  |
|----------------------------------|
|    0 <>  120 |   4450 |  3617084 |
|  120 <>  240 |   4499 |  3884535 |
|  240 <>  360 |   2355 |  1924663 |
|  360 <>  480 |  11301 | 10153273 |
|  480 <>  600 |  12783 | 11839093 |
|  600 <>  720 |  12865 | 11349034 |
|  720 <>  840 |  11556 | 10324957 |
|  840 <>  960 |   6834 |  6141490 |
|  960 <> 1080 |   5030 |  4460220 |
| 1080 <> Dur  |     32 |     4565 |
====================================

The IP address of this device is 1.0.0.137, so excluding that host, let’s find ALL the hosts it talked to:

$ for REMOTE_HOST in $(tshark -Tfields -e "ip.dst" -r arlobaby.pcap | egrep -v 1.0.0.137 | sort --unique); do echo -n "$REMOTE_HOST : "; nslookup $REMOTE_HOST| egrep -o "name = .*"; done
1.0.0.1 : name = (SNIP_MY_ROUTER_HOSTNAME).
128.100.18.14 : name = tyme.utoronto.ca.
144.217.181.221 : name = node1.darktech.org.
206.108.0.131 : name = ntp1.torix.ca.
209.249.181.52 : name = 52.0-127.181.249.209.in-addr.arpa.
name = time-a.netgear.com.
name = time-d.netgear.com.
224.0.0.251 : 34.240.61.103 : name = ec2-34-240-61-103.eu-west-1.compute.amazonaws.com.
34.240.92.208 : name = ec2-34-240-92-208.eu-west-1.compute.amazonaws.com.
34.243.41.176 : name = ec2-34-243-41-176.eu-west-1.compute.amazonaws.com.
34.246.25.14 : name = ec2-34-246-25-14.eu-west-1.compute.amazonaws.com.
34.246.49.113 : name = ec2-34-246-49-113.eu-west-1.compute.amazonaws.com.
34.248.43.2 : name = ec2-34-248-43-2.eu-west-1.compute.amazonaws.com.
34.250.210.29 : name = ec2-34-250-210-29.eu-west-1.compute.amazonaws.com.
34.252.140.187 : name = ec2-34-252-140-187.eu-west-1.compute.amazonaws.com.
34.255.155.163 : name = ec2-34-255-155-163.eu-west-1.compute.amazonaws.com.
34.255.53.65 : name = ec2-34-255-53-65.eu-west-1.compute.amazonaws.com.
35.165.216.249 : name = ec2-35-165-216-249.us-west-2.compute.amazonaws.com.
52.16.21.84 : name = ec2-52-16-21-84.eu-west-1.compute.amazonaws.com.
52.16.230.110 : name = ec2-52-16-230-110.eu-west-1.compute.amazonaws.com.
52.19.207.116 : name = ec2-52-19-207-116.eu-west-1.compute.amazonaws.com.
52.210.169.18 : name = ec2-52-210-169-18.eu-west-1.compute.amazonaws.com.
52.210.178.59 : name = ec2-52-210-178-59.eu-west-1.compute.amazonaws.com.
52.213.2.9 : name = ec2-52-213-2-9.eu-west-1.compute.amazonaws.com.
52.213.94.140 : name = ec2-52-213-94-140.eu-west-1.compute.amazonaws.com.
52.214.186.19 : name = ec2-52-214-186-19.eu-west-1.compute.amazonaws.com.
52.24.38.54 : name = ec2-52-24-38-54.us-west-2.compute.amazonaws.com.
52.48.93.247 : name = ec2-52-48-93-247.eu-west-1.compute.amazonaws.com.
52.50.154.103 : name = ec2-52-50-154-103.eu-west-1.compute.amazonaws.com.
52.51.175.151 : name = ec2-52-51-175-151.eu-west-1.compute.amazonaws.com.
54.194.187.165 : name = ec2-54-194-187-165.eu-west-1.compute.amazonaws.com.
54.194.78.37 : name = ec2-54-194-78-37.eu-west-1.compute.amazonaws.com.
54.72.184.79 : name = ec2-54-72-184-79.eu-west-1.compute.amazonaws.com.
54.72.45.58 : name = ec2-54-72-45-58.eu-west-1.compute.amazonaws.com.
54.77.151.189 : name = ec2-54-77-151-189.eu-west-1.compute.amazonaws.com.

To further assess who owns these IPs/addresses, a more in depth check reveals:

$ for REMOTE_HOST in $(tshark -Tfields -e "ip.dst" -r arlobaby.pcap | egrep -v "1.0.0.1|1.0.0.137" | sort --unique); do echo; echo -n "$REMOTE_HOST : "; nslookup $REMOTE_HOST| egrep -o "name = .*"; whois $REMOTE_HOST | egrep -o "OrgName: .*"; done

128.100.18.14 : name = tyme.utoronto.ca.
OrgName:        University of Toronto

144.217.181.221 : name = node1.darktech.org.
OrgName:        OVH Hosting, Inc.

206.108.0.131 : name = ntp1.torix.ca.
OrgName:        Toronto Internet Exchange Community

209.249.181.52 : name = 52.0-127.181.249.209.in-addr.arpa.
name = time-a.netgear.com.
name = time-d.netgear.com.
OrgName:        Zayo Bandwidth

224.0.0.251 :  

34.240.61.103 : name = ec2-34-240-61-103.eu-west-1.compute.amazonaws.com.
OrgName:        Amazon Data Services Ireland Limited
OrgName:        Amazon Technologies Inc.

34.240.92.208 : name = ec2-34-240-92-208.eu-west-1.compute.amazonaws.com.
OrgName:        Amazon Data Services Ireland Limited
OrgName:        Amazon Technologies Inc.

34.243.41.176 : name = ec2-34-243-41-176.eu-west-1.compute.amazonaws.com.
OrgName:        Amazon Data Services Ireland Limited
OrgName:        Amazon Technologies Inc.

`(SNIP)` - the rest were AWS as expected

So now to do some initial “high level” hypothesizing:

  1. tyme.utoronto.ca - I live in Canada, presumably this is an NTP server
  2. node1.darktech.org - this is possibly concerning by name only
  3. ntp1.torix.ca - hmm another NTP server?
  4. 209.249.181.52 - some non-domain direct-IP, suspect
  5. time-X.netgear.com - OK more NTP ?
  6. ***.compute.amazonaws.com - great a bunch of AWS instances (not too surprised), how do we figure out if these are owned by Netgear/Arlo?

  1. tyme.utoronto.ca
    • Legit NTP:

.

$ tshark -Y "ip.dst == 128.100.18.14" -r arlobaby.pcap 
  156   6.757751    1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
  380  33.798258    1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
(snip)
59678 825.011669    1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
71666 1070.224208    1.0.0.137 → 128.100.18.14 NTP 90 NTP Version 4, client
  1. node1.darktech.org (WHOIS shows from USA)
    • More NTP!

.

$ whois darktech.org | grep "Country"
Registrant Country: US

$ tshark -Y "ip.dst == 144.217.181.221" -r arlobaby.pcap   155   6.749201    1.0.0.137 → 144.217.181.221 NTP 90 NTP Version 4, client
 6377 134.938336    1.0.0.137 → 144.217.181.221 NTP 90 NTP Version 4, client
(snip)
71662 1064.190286    1.0.0.137 → 144.217.181.221 NTP 90 NTP Version 4, client
  1. ntp1.torix.ca

    • More NTP … (skipping snippets going forward NTP not interesting)
  2. 209.249.181.52

    • More NTP (from US as well)

.

$ whois 209.249.181.52 | egrep "OrgName|Country"
OrgName:        Zayo Bandwidth
Country:        US
  1. Also for 224.0.0.251, looks like some local broadcast stuff (likely for Arlo proprietary device chatter)

.

$ tshark -Y "ip.dst == 224.0.0.251" -r arlobaby.pcap
  427  61.011591    1.0.0.137 → 224.0.0.251  MDNS 327 Standard query response 0x0000 TXT, cache flush PTR _hap._tcp.local PTR ArloBabyF7._hap._tcp.local SRV, cache flush 0 0 5053 arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush ArloBabyF7._hap._tcp.local NSEC, cache flush arlo-babycam.local
  428  63.912749    1.0.0.137 → 224.0.0.251  MDNS 481 Standard query response 0x0000 TXT, cache flush PTR _hap._tcp.local PTR ArloBabyF7._hap._tcp.local SRV, cache flush 0 0 5053 arlo-babycam.local PTR, cache flush arlo-babycam.local PTR, cache flush arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush ArloBabyF7._hap._tcp.local NSEC, cache flush 137.0.0.1.in-addr.arpa NSEC, cache flush 6.5.D.3.C.2.E.F.F.F.E.8.2.0.A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa NSEC, cache flush arlo-babycam.local
  531  85.706737    1.0.0.137 → 224.0.0.251  IGMPv2 60 Membership Report group 224.0.0.251
 6666 218.725898    1.0.0.137 → 224.0.0.251  IGMPv2 60 Membership Report group 224.0.0.251
11268 340.356045    1.0.0.137 → 224.0.0.251  IGMPv2 60 Membership Report group 224.0.0.251
21483 464.595817    1.0.0.137 → 224.0.0.251  IGMPv2 60 Membership Report group 224.0.0.251
26426 517.035942    1.0.0.137 → 224.0.0.251  MDNS 268 Standard query response 0x0000 PTR arlo-video-50D27BSU52EF7._arlo-video._tcp.local TXT, cache flush SRV, cache flush 0 0 554 arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush arlo-video-50D27BSU52EF7._arlo-video._tcp.local NSEC, cache flush arlo-babycam.local
26617 518.360980    1.0.0.137 → 224.0.0.251  MDNS 268 Standard query response 0x0000 PTR arlo-video-50D27BSU52EF7._arlo-video._tcp.local TXT, cache flush SRV, cache flush 0 0 554 arlo-babycam.local A, cache flush 1.0.0.137 AAAA, cache flush fe80::a02:8eff:fe2c:3d56 NSEC, cache flush arlo-video-50D27BSU52EF7._arlo-video._tcp.local NSEC, cache flush arlo-babycam.local

The rest is AWS (Amazon Web Services)


Really not sure how to go about inspecting which company is behind these AWS instances without contacting Amazon directly one by one to inquire …

Suggestions welcome.


I also took a gander through the capture manually, and scanned for any unexpected and unencrypted packets.

For example, exclude all TCP control packets, SSL,
(((ip.src == 1.0.0.137 || ip.dst == 1.0.0.137)) && !(ssl)) && !(tcp.flags == 0x012 || tcp.flags == 0x010 || tcp.flags == 0x002 || tcp.flags == 0x011 || tcp.flags == 0x018 || tcp.flags == 0x004)

It was all the NTP, DNS, and local broadcast.


One other thing, what about that DNS? Let’s triple check. All DNS queries go out to my LOCAL router (per-DHCP, no unexpected external requests, though that in itself wouldn’t be bad).

Here’s the complete list of egress DNS requests:

.

$ tshark -Y "dns.flags == 0x0100" -r arlobaby.pcap  | awk '{print $12}' | sort --unique
advisor.ngxcld.com
arlocs02.vz.netgear.com
arlo-device.messaging.netgear.com
mcs.netgear.com
vzweb17-prod.vz.netgear.com
vzweb28-prod.vz.netgear.com
vzwow01-z1-prod.ar.arlo.com
vzwow08-z1-prod.ar.arlo.com
vzwow108-z1-prod.ar.arlo.com
vzwow116-z1-prod.ar.arlo.com
vzwow131-z1-prod.ar.arlo.com
vzwow135-z1-prod.ar.arlo.com
vzwow139-z1-prod.ar.arlo.com
vzwow23-z1-prod.ar.arlo.com
vzwow31-z1-prod.ar.arlo.com
vzwow43-z1-prod.ar.arlo.com
vzwow44-z1-prod.ar.arlo.com
vzwow57-z1-prod.ar.arlo.com
vzwow58-z1-prod.ar.arlo.com
vzwow63-z1-prod.ar.arlo.com
vzwow67-z1-prod.ar.arlo.com
vzwow69-z1-prod.ar.arlo.com
vzwow77-z1-prod.ar.arlo.com
xbroker19-z2.arloxcld.com

We see primarily netgear and arlo, (implicitly trusted I suppose). advisor.ngxcld.com is unknown and yet another tenant of AWS.


So there we have it! Seems “secure-ish” right? What are your thoughts? Do you have the same product and were curious? Have you done this exercise with other baby monitor devices?


#2

3 days


#3

In my humble opinion, I would have to say get rid of it. The fact there is no way to keep this device from calling home is a real breaker for me. I would replace the device with something else. Fact be told since I don’t like WiFi cameras because they are really easy to hack into. I would replace this device with an Ethernet camera and isolate it from the internet. Of course that is only my humble opinion. You can do what ever you want.


#4

Or use a raspberryPi. The camera for it should be good enough for the job.


#5

Don’t need a monitor.
Baby will cry loud . you will hear it.


#6

Not exactly what you’re asking but we use a 2.4ghz radio (audio only) monitor, I have tested it with a replacement and they werent interchangeable- so either on a different channel or encrypted, which has been ok for us. I haven’t tried too hard hacking or intercepting it, but my wife did buy a Kickstarted ‘smart’ monitor “Remi” which i was very uncomfortable using, so it went back in the box. After all that I realized I’m quite ok with audio only. Better battery life in general, anyway. Just my 2c


#7

probably should at least use 2fa :stuck_out_tongue:

Then again nothing is truly safe on the cloud. It’s always a compromise between convenience and safety/privacy. Given the vast amount of home LAN video monitoring solutions id spend some time looking for a home brew alternative, unless your really technically non-inclined or stretched for time. If you do go for off the shelf, make sure you use every available security feature and obviously unique passwords for one.


#8

These are a few of my research refs fwiw


#9

To address a few of the comments about “why not a home brew solution”; granted that’s arguably the best (and yet the worst) way to guarantee security. If you do it yourself, you can control the implementation and its not likely to be attached. On the flip side, if you do it yourself, you’re likely to miss some key security hole, or fail to keep the system updated properly, etc… Pros and Cons.

Ultimately it came down though to time and ease of use. I don’t have oodles of time to build it myself, and retaining the rich feature set is not feasible. Also it would require self-maintenance (yet another thing for me to fix and maintain if it breaks…). Finally, it needs to “just work” for my family. My wife is not tech savvy and we did not want to go down the path of an unreliable device.


#10

if you think the consumer cloud based systems you find will be kept up to date or keep you protected … hate to the bearer of bad news.

Do you watch level1news?


#11

I have to agree with @nx2l, It has been my experience and everything I have read says that security is the responsibility of the end user, the only services the cloud-based service has to provide is to make sure their computers and your instance is up and running. I have hears some cloud-based services do take care of security but charge so much only major corporations can afford that service.


#12

Me personally I have a Amcrest IP camera connected to a blue iris server. I have the IP cameras on a VLAN that drops all packets to and from the internet. So until Blue Iris is compromised It should be ok. Thats what I tell myself anyway. The Blue Iris server is only accessible from VPN or internally. I only have one port forward in my network and that is for Plex.


#13

Trying to get Arlo to comment on AWS services.


#14

fwiw, I also confirmed that the system DOES NOT send to cloud unless either:

  1. video recording
  2. taking pictures/snaps of video
  3. alerts are enabled (which may record/snap/audio)

When a monitoring device (i.e. tablet/phone) is connected to the same WiFi SSID, the stream is kept LOCAL within the network.


#15

In this case, I think that Arlo takes responsibility/ownership.