NETGEAR Arlo may need security school

It looks like the NETGEAR Arlo monitoring cameras have a security issue where other people can view your cameras. Based on the description on Reddit, it should be reasonably difficult to reproduce accidentally, but if it does happen, NETGEAR needs to get on that quickly.

Update: NETGEAR responds…

I bought and returned a set of WiFi connected home security cameras. Forgot to delete my account and I can now watch the new owner.


Here’s NETGEAR’s response, which indicates that the retailer shouldn’t have resold the unit.

NETGEAR has previously informed our resellers that retailers are not to resell cameras which have been returned. The Arlo camera system in this instance was resold without our authorization. When setting up a previously owned camera it is advised that all Arlo cameras be reset from the original base station, which will clear connection with any previously existing account. The configuration for the camera needs to be cleared as the settings may contain associated account information of the previous owner. NETGEAR is aware of this concern and takes the security of our customers seriously.

Additionally, NETGEAR has tested for various scenarios in which unauthorized access to an Arlo video might be possible (including using randomized serial numbers). From the testing we have conducted, NETGEAR has not seen a possible scenario where an unauthenticated user plugs in random serial numbers and has unauthorized access to a video stream.

The Arlo camera system is secured by design and has been tested by independent auditors and security researchers. NETGEAR also conducts bug bounty programs to further ensure the security of Arlo customers’ video streams and other NETGEAR products.