Another product we examined in the security camera field, within the scope of our IP camera quick test, is the Arlo from Netgear. The manufacturer promotes the camera, which delivers a maximum resolution of 720p with a wide-angle lens and night vision, as follows: “The world’s first and only 100% wire-free, weatherproof, rechargeable HD smart security camera with audio and 130° viewing angle”. And indeed, this product delivered good results in our quick test, revealing no serious vulnerabilities.
Remote access to the camera is firmly secured, and all connections to and from the device are protected by default with the TLS 1.2 protocol. The camera is also secured against a potential Man-in-the-Middle attack: in the test, even with our own root certificate installed on the test smartphone and using mitmproxy, we were not able to intercept and monitor the camera picture. The login to the app nevertheless succeeded through the proxy, which means that certificate pinning is not consistently implemented for all areas of communication, so at least the login process could theoretically be vulnerable to attack. The following illustration shows an excerpt from mitmproxy: the authentication process can theoretically be spied on, but in practical terms this is not readily feasible for an attacker.
In the analysis of the corresponding Android application (tested version 2.0.3_12017), we noticed minor problems. Code obfuscation is not used consistently, for example, and at the same time logcat is used for extremely comprehensive debug output, which among other things reveals the URLs, session tokens and function calls used. With the Android Device Monitor, the logcat can be conveniently analyzed by an attacker. The following illustration shows an excerpt from the log output produced by the application.
This makes it very easy for a potential attacker to identify security-relevant functions and to glean their mode of operation from the non-obfuscated source code, which is unnecessary in our view and can be prevented with minor improvements. In addition, it should be mentioned that the application requests access rights on the smartphone that are not entirely plausible in every case, and that the user's name has to be entered to register and use the camera.
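As an added illustration (not part of the original test and not code from Netgear's app), the following Python audit parses Android logcat lines in the default "threadtime" layout and flags the kinds of leakage described above (session tokens, bearer headers, URLs), redacting the secret values so a finding can be recorded without copying the token itself. The log tag `CamApp`, the host `example.invalid` and every token value in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of logcat "threadtime" output; tags, hosts and tokens are placeholders.
SAMPLE_LOGCAT = """\
06-14 10:21:03.114  4123  4123 D CamApp  : GET https://example.invalid/api/devices?token=abc123SESSION
06-14 10:21:03.120  4123  4140 D CamApp  : header Authorization: Bearer eyJ0eXAiOiJKV1QifQ.placeholder.sig
06-14 10:21:03.201  4123  4140 V CamApp  : entering DeviceUtils.refreshDevices()
06-14 10:21:04.002  4123  4123 I ActivityManager: Displayed com.example.app/.MainActivity
06-14 10:21:04.330  4123  4123 D CamApp  : login ok, session_token=7f3a9c... user=alice@example.invalid
"""

# "MM-DD HH:MM:SS.mmm PID TID LEVEL TAG : message" as printed by `adb logcat -v threadtime`
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>\S+?)\s*:\s(?P<msg>.*)$"
)

# Group 1 is the label that is kept, group 2 the secret that gets redacted.
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"(?i)(Authorization:\s*Bearer\s+)(\S+)"),
    "session_token": re.compile(r"(?i)(\b(?:session_token|sessionid|token)=)([^\s&]+)"),
}
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    tag: str       # log tag that produced the line (identifies the logging component)
    kind: str      # "bearer_token", "session_token" or "url"
    redacted: str  # message with secret values replaced, safe to put in a report


def parse_line(line):
    """Return the parsed fields of one logcat line, or None if it is not threadtime format."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None


def audit_logcat(text):
    """Scan logcat text and return one Finding per leaked secret or URL per line."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        msg, kinds = entry["msg"], []
        for kind, pattern in SECRET_PATTERNS.items():
            msg, hits = pattern.subn(r"\1<redacted>", msg)  # redact before recording
            if hits:
                kinds.append(kind)
        if URL_RE.search(msg):
            kinds.append("url")
        findings.extend(Finding(entry["tag"], kind, msg) for kind in kinds)
    return findings
```

Running `audit_logcat(SAMPLE_LOGCAT)` reports the two token leaks, the bearer header and the logged URL, all attributed to the `CamApp` tag, while the benign function-call trace and the system line produce no finding.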
All in all, however, the items listed are not sufficient to downgrade the Netgear Arlo; there would have been insufficient justification to do so. The camera therefore creates a positive overall impression and earns the full 3-star rating in our quick test category.