If something like this happens to you - where you gain unauthorized access inadvertently to something - I'd be careful. Under the CFAA you can be charged criminally and the penalties are severe.
So for example, if the OP was to casually drop a few photos the camera took and a badly worded warning in their mailbox trying to help, the 'victim' could report it to the police and an inexperienced DA might try to bag their first cyber prosecution.
I'd definitely not contact the customer. Contact the vendor instead with an email and immediately remove your own access to the system. That way you have it on record (the email) and mention in the email you immediately revoked your own access.
The CFAA is a blunt and clumsy instrument that tends to injure bystanders.
Here's an extract from the CFAA:
Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
If a cloud provider mistakenly provides access to someone else's content, the end-user has not violated the CFAA. I have not heard of anyone charged for this alone. Not to mention, I'm not sure CFAA protects private computers / webcams in any case, only "protected computers".
Additionally, I'm not sure if this would be a violation of the Wiretap Act as an "interception" either, even if it was intentionally used to spy on the new owner of the device. Federal law is somewhat lacking in this regard.
Not that I'm arguing for criminal charges, but if you exploit an oversight in the design of a webcam to take pictures of someone else's house, you aren't a "bystander."
That's the wrong part of the CFAA. I doubt the CFAA even applies.
>..accessed a computer without authorization... AND having obtained information .... determined ... to require protection against ... disclosure for reasons of national defense ... [AND]... willfully communicates ... to any person not entitled to receive it...
Unless in the control room of a nuclear power plant, that part doesn't criminalize taking a pic via someone else's webcam.
These types of exceedingly invasive products need to have their damages tested in courts. After a few lawsuits and payouts the liability will begin to increase and that will force companies to adapt/improve or go under.
The problem is our entire generation doesn't care about privacy. They willingly hand over everything about them to an app and care not a single drop that their government spies on them without a warrant.
> The problem is our entire generation doesn't care about privacy.
Yup -- law follows culture, not the other way around. IMHO this (cultural priorities) is at the root of other ills too, e.g. educational system and criminal justice system brokenness. I think most people genuinely do want the right thing but just aren't aware of the long-term consequences of the current approach.
Recently I thought that it would be cool if I bought a bathroom scale that would sync with my iPhone so I could keep tabs on my exercise effects.
I bought a clever looking one and took it home and was dismayed to find out the only way to get it to sync was to create a "cloud account" which would supposedly allow me to "check my progress from anywhere".
I returned that one to the store and bought another - same requirement: Cloud account needed to activate. Took that back. Decided it was easier to just type the number into my phone.
It's hard for me to understand how there are so many people oblivious / ok with the constant surveillance that goes on in their lives.
Security and privacy awareness are not wholly absent, and awareness, including among the young, can be high. The awareness is, however, highly uneven, and is quite problematic especially in how it's reflected among commercial enterprises and law.
As I've been saying for quite some time: Data are liability.
It's not so much that it does not care, but that it has trouble converting a physical concept (close the door and you are in a private place) to the digital realm.
I have a handful of D-Link cameras, and plan to buy more.
D-Link offers some sort of cloud service, but I've never used it. I keep the cameras segregated onto a separate Wifi network that can't access the internet, and they work just fine in that configuration. The cameras have built-in HTTP servers and present what they see as an MJPEG stream. I use 'motion' running on a machine to handle motion detection, recording, etc. I use a VPN server to handle my remote access needs.
I get everything that the cloud stuff offers, but all hosted locally.
What's described in the article scares me, which is why I've set things up the way I have. Even if the cameras were used (they weren't) and tied to someone else's account, they can't send anything back to the cloud service.
"I'm not mistaken, anyone could get the serial number off your cameras and link them to their online account, to watch and record your every move without your permission."
There's a name for a hacking strategy where you mass purchase products, modify it or acquire relevant information, then resell them or return them. "Catch and release" comes to mind, but I can't find any references.
The title is missing an important fact: these are not traditional network cameras, they're ones that apparently stream video into the cloud.
Those cameras that do not "phone home" to a cloud service don't have this problem; the ones that you can set up with a username/password and then connect directly to from the network. Ironically it's the cheap no-name ones that usually work like this, as the company just sells the hardware and isn't one to bother with their own set of servers/accounts/etc.
IMHO these cameras that do rely on a third-party service are to be avoided, since what happens to that service is completely out of your control.
The cameras you're discussing are not very safe for the layman either; you wanna be sure you have a properly-configured perimeter firewall before you use them and that they don't open any ports with UPnP. A cursory glance at shodan will reveal many such cameras that are happily streaming their images out to the open internet.
I ask because I've worked on various products, and single units change hands between engineers constantly. Phones for testing, accounts with shared dev passwords, the actual hardware, all kinds of test units get spun up and passed around, even on crappy products where the engineers' imaginations are the only QA.
Surely one engineer set up a camera, passed it along to another engineer, who set up the camera and encountered this error?
There are lots of classes of error that can hide in a product, but this feels like one that it's nearly impossible not to hit.
My brother gave me his Dropcam after setting it up for himself, and I had to prove my identity and he had to prove his to get them to move the camera to my account. It was a hassle at the time, but I was glad to know that they at least had decent security.
I reported 768-bit DHE on one of Nest's servers to Google security around mid-2015. Does anyone remember the tweets by @NestSupport on Twitter around this time (there was also https://bugzilla.mozilla.org/show_bug.cgi?id=1170833)? It wasn't long after that they had to hire a VP of security (when Alphabet was formed I think).
I've tried finding a camera that has a server that can encrypt traffic, and I can't. It'd be nice to have access from outside of my network but I don't trust it. It really took me by surprise how bad at security these things are. I guess I could set up some kind of vpn but I assumed when I bought it I could enable ssl or something.
Put IP cameras in their own VLAN on a network that also contains network DVR software. Access it via VPN tunnel and/or https. For unauthorized access to an individual camera somebody would need to be on the same layer 2 broadcast domain as the camera, local on site. Following that principle, if an adversary has physical access to a device it's likely pwned anyways.
Systems that provide an online account tied to a physical device have to be carefully designed for transfer of ownership scenarios, and it sounds like they didn't do the work here, or else something went wrong and the resulting error state is unfortunate.
Frankly I suspect the devs never even contemplated a transfer of ownership scenario. The whole idea seems more and more foreign, or perhaps quaint, to the people involved in tech these days. Tech is treated as something disposable, not something durable to transfer from person to person.
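Added example (not part of the thread, and not NETGEAR's or any vendor's code): a toy Python model of the ownership-transfer problem raised in the two comments above. `NaiveRegistry` lets a binding made from a serial number outlive a resale; `DeviceRegistry` ties a claim to a one-time secret issued at factory reset and keeps a single owner. All class, method and account names and the serial are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class NaiveRegistry:
    """Weak model: a serial number is enough, and old bindings are never cleared."""

    def __init__(self):
        self._viewers = {}  # serial -> set of accounts allowed to view

    def claim(self, serial, account):
        self._viewers.setdefault(serial, set()).add(account)
        return True

    def may_view(self, serial, account):
        return account in self._viewers.get(serial, set())


class DeviceRegistry:
    """Hardened model: one owner per device, claimed with proof of possession."""

    def __init__(self):
        self._owner = {}       # serial -> the single account bound to it
        self._claim_hash = {}  # serial -> SHA-256 of the unused claim secret

    def factory_reset(self, serial):
        """Physical reset: drop the old owner, issue a fresh one-time secret.

        Assumption: the secret is only readable by whoever holds the device
        (for example over a local setup link) and is never derived from the
        serial number.
        """
        self._owner.pop(serial, None)
        secret = secrets.token_urlsafe(16)
        self._claim_hash[serial] = hashlib.sha256(secret.encode()).digest()
        return secret

    def claim(self, serial, account, claim_secret):
        expected = self._claim_hash.get(serial)
        presented = hashlib.sha256(claim_secret.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return False
        del self._claim_hash[serial]   # the secret is single use
        self._owner[serial] = account  # replaces, never adds to, the binding
        return True

    def may_view(self, serial, account):
        return self._owner.get(serial) == account


def resale_demo():
    """Constructed scenario: alice returns a camera and bob buys it."""
    serial = "SN-EXAMPLE-0001"  # constructed placeholder serial

    naive = NaiveRegistry()
    naive.claim(serial, "alice")
    naive.claim(serial, "bob")                    # resold unit set up again
    naive_leak = naive.may_view(serial, "alice")  # old binding survives

    reg = DeviceRegistry()
    reg.claim(serial, "alice", reg.factory_reset(serial))
    serial_only = reg.claim(serial, "mallory", serial)   # serial is not proof
    reg.claim(serial, "bob", reg.factory_reset(serial))  # bob resets, then claims
    return (naive_leak, serial_only,
            reg.may_view(serial, "alice"), reg.may_view(serial, "bob"))
```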
I had the same problem with a WD home server. I returned it when it wouldn't do what it was supposed to do. Later, I started receiving emails from the server as it kept me up-to-date on its status.
Until people start demanding security, and become willing to pay for it, the IoT is going to be positively defined by this kind of nonsense. That, or some kind of legislative action I guess, but that seems like pure fantasy.
That's like saying "until people start demanding safety on cars and become willing to pay for it there will always be fatalities". Sure part of the blame is on the consumer, but maybe the company shouldn't be selling cameras that are inherently insecure.
These types of things typically play out with lawsuits which increase liability for the producers. The problem is that it's (currently) difficult to prove damages when it's only privacy.
...I guess they've curated a set of good-looking and sometimes-not-completely-dressed camera users whom they view more often than the rest of their customers.
Seen this same method applied to used equipment for sale, especially if it was stolen.
Basically, someone steals a laptop, wipes it, reinstalls the OS with backdoors, sells the laptop for cash, exploits backdoor access to own other devices, exploits owned devices, etc.
Take it one step further. Someone has a target that they are trying to acquire (company website access). So they run a fake contest where the prize is a laptop. The laptop that they ship to the "winner" is backdoored as you have described.
This is a general class of problems that is only going to get bigger.
When I returned my lease car I had to have a bit of a think about what might be sync'd from my phone via bluetooth with it, and what functionality existed to erase that. The answers didn't make me feel great.
The fun pastime of buying old HDDs off eBay and carving deleted files off them to see what might be kicking about is going to get a whole lot more interesting with everything-connected society moving forward.
What's with the "cloud" security systems? Why don't they just provide hardware where you store the information locally?
Ignoring the privacy implications mentioned here, and that you essentially pay monthly/yearly for storage, if your ISP has an outage your security system is becoming useless. It also is a weak point for smarter thieves (just make sure that Internet access is cut).
NETGEAR has previously informed our resellers that retailers are not to resell cameras which have been returned. The Arlo camera system in this instance was resold without our authorization. When setting up a previously owned camera it is advised that all Arlo cameras be reset from the original base station, which will clear connection with any previously existing account. The configuration for the camera needs to be cleared as the settings may contain associated account information of the previous owner. NETGEAR is aware of this concern and takes the security of our customers seriously.
Additionally, NETGEAR has tested for various scenarios in which unauthorized access to an Arlo video might be possible (including using randomized serial numbers). From the testing we have conducted, NETGEAR has not seen a possible scenario where an unauthenticated user plugs in random serial numbers and has unauthorized access to a video stream.
The Arlo camera system is secured by design and has been tested by independent auditors and security researchers. NETGEAR also conducts bug bounty programs to further ensure the security of Arlo customer’s video streams and other NETGEAR products.
Yet people still recoil as if in horror when I try to explain that this is one of the core reasons why GPLv3 is so important. Look, we've lost the hardware freedom wars so far, but we still have software, and we can work on improving our hardware side as we progress.
One of the common arguments I hear in response is, "But open source doesn't pay, and therefore doesn't innovate as much."
While the lack of funds coming aren't ignorable, innovation is always happening in the FOSS space, often surpassing the proprietary alternatives, often falling far behind as well. It still gives you the power to control your own systems, which is the freedom you can choose to not give up.
The only way you surrender your freedom is voluntarily.
mmaunder | 9 years ago
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
brink | 9 years ago
I feel you. It's because of 1984's CFAA law that I was thrown in jail with a felony charge for rick-rolling my school.
zaroth | 9 years ago
tptacek | 9 years ago
sandworm101 | 9 years ago
matt_wulfeck | 9 years ago
cfallin | 9 years ago
_red | 9 years ago
dredmorbius | 9 years ago
This is simply the home-security edition.
digi_owl | 9 years ago
stephengillie | 9 years ago
Mister_Snuggles | 9 years ago
tylervigen | 9 years ago
louprado | 9 years ago
kordless | 9 years ago
userbinator | 9 years ago
digi_owl | 9 years ago
Buzzwords combined with profit motive produce some worrying outcomes.
cookiecaper | 9 years ago
chiph | 9 years ago
RickS | 9 years ago
acgourley | 9 years ago
jedberg | 9 years ago
yuhong | 9 years ago
JChase2 | 9 years ago
Retr0spectrum | 9 years ago
walrus01 | 9 years ago
m_eiman | 9 years ago
markbnj | 9 years ago
digi_owl | 9 years ago
nateguchi | 9 years ago
God forbid they have a wireless AP with the serial number somehow encoded in the SSID.
How is it that these companies still don't give security a passing concern?
digi_owl | 9 years ago
Lack of lawsuits. The kind that bankrupt companies and set binding precedents for everyone else.
mtgx | 9 years ago
geofffox | 9 years ago
walrus01 | 9 years ago
Aelinsaar | 9 years ago
matt_wulfeck | 9 years ago
crdoconnor | 9 years ago
* Pushing common actions in a standardized way (e.g. turn on light, flip channel on TV, raise thermostat to 28 degrees).
* Sending / receiving streams of data via UDP.
* Service registration / discovery & authentication.
* Encryption.
* Upgrading firmware.
And which has a diverse set of servers which can talk these protocols.
nateguchi | 9 years ago
mtkd | 9 years ago
jessaustin | 9 years ago
nxzero | 9 years ago
gist | 9 years ago
wepple | 9 years ago
takeda | 9 years ago
NETGEAR | 9 years ago
NETGEAR | 9 years ago
arca_vorago | 9 years ago