Bought and returned set of WiFi home security cameras; can now watch new owner

If something like this happens to you - where you gain unauthorized access inadvertently to something - I&#x27;d be careful. Under the CFAA you can be charged criminally and the penalties are severe.<p>So for example, if the OP was to casually drop a few photos the camera took and a badly worded warning in their mailbox trying to help, the &#x27;victim&#x27; could report it to the police and an inexperienced DA might try to bag their first cyber prosecution.<p>I&#x27;d definitely not contact the customer. Contact the vendor instead with an email and immediately remove your own access to the system. That way you have it on record (the email) and mention in the email you immediately revoked your own access.<p>The CFAA is a blunt and clumsy instrument that tends to injure bystanders.<p>Here&#x27;s an extract from the CFAA:<p><i>Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;</i><p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Computer_Fraud_and_Abuse_Act" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Computer_Fraud_and_Abuse_Act</a>

These types of exceeding invasive products need to have their damages tested in courts. After a few lawsuits and payouts the liabilty will begin to increase and that will force companies to adapt&#x2F;improve or go under.<p>The problem is our entire generation doesn&#x27;t care about privacy. They willingly hand over everything about them to an app and care not a single drop that their government spies on them without a warrant.

I have a handful of D-Link cameras, and plan to buy more.<p>D-Link offers some sort of cloud service, but I&#x27;ve never used it. I keep the cameras segregated onto a separate Wifi network that can&#x27;t access the internet, and they work just fine in that configuration. The cameras have built-in HTTP servers and present what they see as an MJPEG stream. I use &#x27;motion&#x27; running on a machine to handle motion detection, recording, etc. I use a VPN server to handle my remote access needs.<p>I get everything that the cloud stuff offers, but all hosted locally.<p>What&#x27;s described in the article scares me, which is why I&#x27;ve set things up the way I have. Even if the cameras were used (they weren&#x27;t) and tied to someone else&#x27;s account, they can&#x27;t send anything back to the cloud service.

&quot;I&#x27;m not mistaken, anyone could get the serial number off your cameras and link them to their online account, to watch and record your every move without your permission.&quot;<p>There&#x27;s a name for a hacking strategy where you mass purchase products, modify it or acquire relevant information, then resell them or return them. &quot;Catch and release&quot; comes to mind, but I can&#x27;t find any references.

<i>I set up an online account</i><p>The title is missing an important fact: these are not traditional network cameras, they&#x27;re ones that apparently stream video into the cloud.<p>Those cameras that do not &quot;phone home&quot; to a cloud service don&#x27;t have this problem; the ones that you can set up with a username&#x2F;password and then connect directly to from the network. Ironically it&#x27;s the cheap no-name ones that usually work like this, as the company just sells the hardware and isn&#x27;t one to bother with their own set of servers&#x2F;accounts&#x2F;etc.<p>IMHO these cameras that do rely on a third-party service are to be avoided, since what happens to that service is completely out of your control.

HN readers: Do you think the engineers knew?<p>I ask because I&#x27;ve worked on various products, and single units change hands between engineers <i>constantly</i>. Phones for testing, accounts with shared dev passwords, the actual hardware, all kinds of test units get spun up and passed around, even on crappy products where the engineers&#x27; imaginations are the only QA.<p>Surely one engineer set up a camera, passed it along to another engineer, who set up the camera and encountered this error?<p>There are lots of classes of error that can hide in a product, but this feels like one that it&#x27;s nearly impossible not to hit.

Props to Dropcam&#x2F;Nest for solving this problem.<p>My brother gave me his Dropcam after setting it up for himself, and I had to prove my identity <i>and</i> he had to prove his to get them to move the camera to my account. It was a hassle at the time, but I was glad to know that they at least had decent security.

I&#x27;ve tried finding a camera that has a server that can encrypt traffic, and I can&#x27;t. It&#x27;d be nice to have access from outside of my network but I don&#x27;t trust it. It really took me by surprise how bad at security these things are. I guess I could set up some kind of vpn but I assumed when I bought it I could enable ssl or something.

Systems that provide an online account tied to a physical device have to be carefully designed for transfer of ownership scenarios, and it sounds like they didn&#x27;t do the work here, or else something went wrong and the resulting error state is unfortunate.

You can more than likely pick up the serial through the web-admin panel that these cameras expose on the local network.<p>God forbid they have a wireless AP with the serial number somehow encoded in the SSID.<p>How is it that these companies still don&#x27;t give security a passing concern?

I had the same problem with a WD home server. I returned it when it wouldn&#x27;t do what it was supposed to do. Later, I started receiving emails from the server as it kept me up-to-date on its status.

<a href="https:&#x2F;&#x2F;twitter.com&#x2F;internetofshit?lang=en" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;internetofshit?lang=en</a>

Until people start demanding security, and become willing to pay for it, the IoT is going to be positively defined by this kind of nonsense. That, or some kind of legislative action I guess, but that seems like pure fantasy.

I guess the devops team can view all of them

Seen this same method applied to used equipment for sale, especially if it was stolen.<p>Basically, someone steals a laptop, wipes it, reinstalls the OS with backdoors, sells the laptop for cash, exploits backdoor access to own other devices, exploits owned devices, etc.

this is a general class of problems that is only going to get bigger.<p>When I returned my lease car I had to have a bit of a think about what might be sync&#x27;d from my phone via bluetooth with it, and what functionality existed to erase that. The answers didn&#x27;t make me feel great.<p>The fun pastime of buying old HDD&#x27;s off ebay and carving deleted files off them to see what might be kicking about is going to get a whole lot more interested with everything-connected society moving forward.

What&#x27;s with the &quot;cloud&quot; security systems? Why don&#x27;t they just provide hardware where you store the information locally?<p>Ignoring the privacy implications mentioned here, and that you esentially pay monthly&#x2F;yearly for storage, if your ISP has an outage your security system is becoming useless. It also is a weak point for smarter thieves (just make sure that Internet access is cut).

NETGEAR has previously informed our resellers that retailers are not to resell cameras which have been returned. The Arlo camera system in this instance was resold without our authorization. When setting up a previously owned camera it is advised that all Arlo cameras be reset from the original base station, which will clear connection with any previously existing account. The configuration for the camera needs to be cleared as the settings may contain associated account information of the previous owner. NETGEAR is aware of this concern and takes the security of our customers seriously.

Additionally, NETGEAR has tested for various scenarios in which unauthorized access to an Arlo video might be possible (including using randomized serial numbers). From the testing we have conducted, NETGEAR has not seen a possible scenario where an unauthenticated user plugs in random serial numbers and has unauthorized access to a video stream.<p>The Arlo camera system is secured by design and has been tested by independent auditors and security researchers. NETGEAR also conducts bug bounty programs to further ensure the security of Arlo customer’s video streams and other NETGEAR products.

Yet people still recoil as if in horror when I try to explain that this is one of the core reasons why gplv3 is so important. Look, we&#x27;ve lost the hardware freedom wars so far, but we still have software, and we can work on improving our hardware side as we progress.<p>One of the Common arguments I hear in response is, &quot;But open source doesnt pay, and therefore doesnt innovate as much.&quot;<p>While the lack of funds coming arent ignorable, innovation is always happening in the foss space, often surpassing the proprietary alternatives, often falling far behind as well. It still gives you the power to control your own systems, which is the freedom you can choose to not give up.<p>The only way you surrender your freedom is voluntarily.

Wow. You know the situation is bad when you are actually better off implementing you own security as a bunch of Arduinos with webcam shields on the LAN and a server with a feature phone in the closet.<p>LOL, just look at this vigilant little bastard :p <a href="http:&#x2F;&#x2F;www.arducam.com&#x2F;arducam-porting-raspberry-pi&#x2F;arducam-pizero-3&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.arducam.com&#x2F;arducam-porting-raspberry-pi&#x2F;arducam-...</a> No one is sneaking up on that without leaving a mugshot.

I can&#x27;t tell but it doesn&#x27;t seem like the OP reset the devices before he returned him. Isn&#x27;t this his or her fault then? Like having nude selfies on a phone and returning it without wiping the phone to factory defaults?

fwiw I recently started using the Samsung network camera sold by Costco (SNH-V6414BN), after various homebrew and RPi solutions over the years. It has an on-camera password that is set as part of the WiFi pairing process so is not open to this kind of attack. This password is separate from the cloud account credentials, so provided you don&#x27;t ask the web site or mobile app to retain it (optional), without that password the camera content can&#x27;t be accessed remotely (of course the firmware could be compromised and I don&#x27;t know if the password is adequately protected from eavesedropping).

Holy shit. Never buying off the shelf consumer grade security equipment now.

Sounds like the security part is sorely lacking. That and someone needs to get a life.