Update: CVE-2016-10115 and CVE-2016-10116 have been enlisted by MITRE. Refer to the following CVE entries:
In our ongoing curiosity of IoT products, we took a look at ARLO, a home security camera system from Netgear. ARLO is Netgear’s competing product to the Google Nest Dropcam. When I first researched network security cameras last summer ahead of a planned and lengthy vacation, ARLO was one of the security systems I had narrowed down. I installed it and it worked fairly well for me. In addition to having it for use, and with an increasing interest in IoT device security, I had a chance to reverse engineer ARLO.
After opening up the case, the board is fairly straightforward and uses Broadcom Wireless Router SoC.
UART Console Access
For my testing, I wanted to gain access to the console. I noticed a promising location on the left side of the board. After fiddling around a little bit with a multimeter, I identified 4 pins for UART. Basically, identifying UART pins is a simple process, especially when there are not many pinouts to probe (you can follow steps outlined ). From a vendor’s point of view, removing or disabling UART or JTAG pins can be a risky proposition as it will also remove the chances of debugging problematic devices. From the attacker’s point of view, it is a good entry point for further attacks.
After soldering the UART pins, I connected it to a USB-to-TTL adapter so that I could easily access the console from a host machine.
After covering up the board with UART cables out, I am ready for testing and debugging ARLO’s security system.
Before I go further, let me explain the basic network connections that ARLO uses. Between the base station (which is a big white Netgear box) and individual cameras, they establish their own wifi network. This is not the network that is intended to be used by home users; it is created by the base station and each camera will join the network. The base station and each camera have sync buttons and when you press them, a WPS system is invoked. There is a potential security issue during the sync process and I will cover that issue in our next blog. Between the base station and the ARLO cloud, it mostly uses a wired connection.
After you connect the UART cable and boot up the system, it shows a boot–up screen like the one shown below.
This is a common setup with embedded routers or network products. It uses an open–source boot manager and modified Linux system. It loads the main OS system from flash memory into main memory. One interesting aspect is that commonly, these IoT or embedded systems put password login at the console so that only the person who knows the password can get into the system. But with this product, there is no login or password protection. I could just get into BusyBox with root privilege. Now I am ready to explore the internal workings of the system.
Factory Reset Vulnerability
While investigating the security of this IoT device, I identified a simple bug. As similar with other router products, the Netgear ARLO base station has a reset button which restores the system to factory default settings. This is used most often when configurations are corrupted, or a problem occurs and a reset is required.
Personally, I was using ARLO system since last summer (2015), which is almost a year by now. During that time, I did numerous system resets whenever I felt like the system was unreliable or unstable. Presumably, it could be a common occurrence of others using this same system to have also performed factory resets. Below is an example of the system log file after a factory reset was initiated.
While experimenting with the ARLO security camera, I noticed that when the base station is factory reset, it loads a default wifi passphrase – which is 12345678 with a pseudo-random SSID in the format “NTGR_VMB_<10 digit numbers>“.
Passphrase – 12345678
SSID – NTGR_VMB_1462245431
This operation is performed by an executable that is run on the system by default “/bin/vzdaemon”. The following disassembly shows the routine performs the passphrase and SSID reset operation – I observed that the SSID reset is based upon the current date and time of the system.
After the factory reset, you can confirm that the wpa_psk and other values are reset to the default 12345678 string.
# nvram show|grep 12345
size: 25206 bytes (40330 left)
With basic Wi-Fi tools, one can easily locate these systems. Any systems with an SSID format of “NTGR_VMB_<10 random digits>” would more than likely be a Netgear device that was factory reset. The device that was implemented with some preset configurations uses an SSID with a format of “NETGEAR< 2 random digits>”. There are some man-made generated passwords with it, but we don’t have enough collections of base stations yet to discuss whether the passphrase is randomly generated or not.
Clearly, the Wi-Fi network is visible from the machines other than the ARLO cameras and can be joined using the default password of “12345678”.
After joining this network, I could access the ARLO base station. As I know the passphrase for this network, after collecting Wi-Fi packets from this network, I could decrypt the traffic to an unencrypted state which contained various JSON traffic between the base station and ARLO cameras. Beyond this basic communications traffic, I could also capture RTSP traffic – this is a protocol that carries the images and video stream from the ARLO cameras. This poses serious threats to physical security and safety of the consumers of the ARLO device.
To perform this Wi-Fi packet decryption, you need to capture Wi-Fi packets using monitoring mode. After that, generate PSK string using the wpa_passphrase tool from Linux.
Fig. 12 – Generate Pre-Shared Key (PSK)
With the Wi-Fi packet dumps opened from Wireshark, select Edit -> Preferences -> Protocols -> IEEE 802.11 -> Edit menu and add the PSK generated from the previous command.
Now you can see the list of decrypted network connections between the base station and cameras.
Replaying RTP Sessions
I saw various JSON traffic data, but on destination port 554 of the cameras, the base station actually sends RTSP requests.
From the RTSP protocol session, I could identify the UDP-based RSTP stream that contains actual camera footage. From the following log, I could deduce that the client is using 1038,1039 and server is using 9418 and 9419 as their UDP ports.
SETUP rtsp://18.104.22.168/live/track1 RTSP/1.0
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT
RTSP/1.0 200 OK
Date: Tue, Jul 16 2014 20:10:37 GMT
From the list from UDP RTP sessions, I could easily locate the matching session.
The vulnerability I discovered only applies to systems that were factory reset at least once. To test the process required purchasing two camera systems. The new unit was already configured with a hard-coded passphrase set in the NVRAM (probably EPROM). But, when we performed a factory reset, the vzdaemon process will set factory default passphrase of “12345678” with an easily identifiable SSID pattern, and this passphrase can’t be reverted to any other passphrase! Ironically, only way to fix this yourself is that
Ironically, the only way to fix this yourself is for you to open up your box and run the NVRAM command yourself unless a vendor firmware update is provided.
Hypothetically, an attacker could snoop Wi-Fi SSID names to locate a system using the factory reset SSID, and join in the Wi-Fi camera network using the default password. They could then monitor the video stream, or potentially inject another video stream.
We notified the vendor of this issue and we are working together for the fix. In our next blog, we will discuss other potential security risks and attack vectors of the Netgear Arlo.
Update: Netgear addresses the vulnerability with a firmware update. For more information, see this link:
The v1.7.7_7171 update addresses two vulnerabilities:
- Fixes passphrase vulnerability (1-8 passphrase)
- Fixes brute force vulnerability of adj/noun/number passphrase seed by using random seed