Homeowners trying to protect their property with surveillance cameras and smart locks may have actually made their households more vulnerable, according to security flaws unveiled by separate teams of researchers Tuesday.
The Netgear Arlo system, which the company says streams more than 100 million videos every day, and certain types of Zipato smart hubs, which can lock or unlock doors, are affected by security flaws detailed in unrelated announcements from Tenable and researchers Chase Dardaman and Jason Wheeler, respectively.
The discoveries again demonstrate how the same technology that promises to make life more convenient and secure also can put consumers at risk.
Patches are available for both vulnerabilities, and hackers would need physical access in both cases to carry out attacks.
The weakness in the Arlo devices could allow malicious outsiders to take control of all the cameras connected to a single hub, at which point they could disable the video feed or manipulate footage, according to Tenable. An attacker could connect to a vulnerable port on the device, log in with default credentials and then execute commands with root access, meaning they would have high-level privileges.
Default credentials are a problem that has rendered countless connected devices — perhaps most notably web routers — susceptible to hackers who can access data from affected machines or leverage their connections as part of a botnet.
“Honestly, this is one of the better IoT devices I’ve looked at in terms of security posture,” he said. “While it isn’t without flaw, the device itself holds up to scrutiny. The biggest downsides here are the internet connection requirements and the submission of all captured data being sent to the Arlo cloud, which is out of your control and unable to be independently researched or evaluated.”
Meanwhile, other security practitioners probed the technology in the ZipaMicro, a smart-home device from Zipato. Researchers told TechCrunch, which first reported on the vulnerabilities Tuesday, that they were able to access data from the memory card on the lock, and ultimately infiltrate the device. The two researchers proved they could bypass authentication controls on the smart locks by leveraging a scrambled password.
Zipato said the issues were fixed by March 20, three weeks after they were first reported, according to Dardaman and Wheeler. The technical details are available in full at BlackMarble.sh.