
Bought and returned set of WiFi home security cameras; can now watch new owner - tshtf
https://www.reddit.com/r/privacy/comments/4ortwb/i_bought_and_returned_a_set_of_wifi_connected/
======
mmaunder
If something like this happens to you - where you gain unauthorized access
inadvertently to something - I'd be careful. Under the CFAA you can be charged
criminally and the penalties are severe.

So for example, if the OP was to casually drop a few photos the camera took
and a badly worded warning in their mailbox trying to help, the 'victim' could
report it to the police and an inexperienced DA might try to bag their first
cyber prosecution.

I'd definitely not contact the customer. Contact the vendor instead with an
email and immediately remove your own access to the system. That way you have
it on record (the email) and mention in the email you immediately revoked your
own access.

The CFAA is a blunt and clumsy instrument that tends to injure bystanders.

Here's an extract from the CFAA:

 _Whoever having knowingly accessed a computer without authorization or
exceeding authorized access, and by means of such conduct having obtained
information that has been determined by the United States Government pursuant
to an Executive order or statute to require protection against unauthorized
disclosure for reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y. of section 11 of the Atomic Energy
Act of 1954, with reason to believe that such information so obtained could be
used to the injury of the United States, or to the advantage of any foreign
nation willfully communicates, delivers, transmits, or causes to be
communicated, delivered, or transmitted, or attempts to communicate, deliver,
transmit or cause to be communicated, delivered, or transmitted the same to
any person not entitled to receive it, or willfully retains the same and fails
to deliver it to the officer or employee of the United States entitled to
receive it;_

[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
brink
> The CFAA is a blunt and clumsy instrument that tends to injure bystanders.

I feel you. It's because of 1984's CFAA law that I was thrown in jail with a
felony charge for rick-rolling my school.

~~~
felipellrocha
Uuuuh. Could you add more details to this story?

~~~
brink
Long story short - used a rainbow table against the Windows XP SAM file to get
the password that they used globally - including the login credentials for
modifying the content in their CMS for their website. As a joke, we threw Rick
Astley up on the main page. The next day, they brought the site down, scoured
the logs for my IP address and pressed felony charges against me (Made
possible by the CFAA). It's all good now though, after a lot of explaining the
judge eventually dropped the case.

~~~
ceejayoz
Sending someone a link that turns out to go to Rick Astley is rick-rolling.
Cracking a password, accessing a CMS, and defacing a site is _slightly_ more
than just "rick-rolling my school".

Yes, it probably should have resulted in a suspension, not a felony charge.
No, it's not as benign as you implied.

~~~
rangibaby
> No, it's not as benign as you implied.

Yes it is. He didn't hurt anyone or even mess with their files in a naughty
way. I was so happy to get away from school and this kind of bullshit.

~~~
MBCook
He purposely went out of his way to crack a password for the purpose of
gaining unauthorized access to a system that wasn't his.

That's exactly the kind of thing the CFAA was created for.

I agree with the GP that he was harmless, and doesn't deserve anything
terribly serious as punishment. But what he did is a lot more than using
simple HTML injection to add a rick roll to something.

~~~
zaroth
It sounds like what he did had exactly the same effect as "using simple HTML
injection to add a rick roll to something".

'But he achieved it using leet hacker skills' should not be a factor in
determining the nature of the charge or potential sentence. That's along the
lines of making a big deal out of someone using a "Subversion" system to
access and maintain code.

~~~
MBCook
By "using simple HTML injection" I'm thinking of a form where they don't
sanitize input so you could put a <video> tag in the 'name' field and suddenly
the video would appear on the page.

Getting access to the administrator account is pretty different.

~~~
nitrogen
Not for a high school student. School networks tend to be very insecure, and
the students tend to see them as just another resource in their education.

------
matt_wulfeck
These types of exceedingly invasive products need to have their damages tested
in courts. After a few lawsuits and payouts the liability will begin to
increase and that will force companies to adapt/improve or go under.

The problem is our entire generation doesn't care about privacy. They
willingly hand over everything about them to an app and care not a single drop
that their government spies on them without a warrant.

~~~
_red
Recently I thought that it would be cool if I bought a bathroom scale that
would sync with my iPhone so I could keep tabs on my exercise effects.

I bought a clever looking one and took it home and was dismayed to find out
the only way to get it to sync was to create a "cloud account" which would
supposedly allow me to "check my progress from anywhere".

I returned that one to the store and bought another - same requirement: Cloud
account needed to activate. Took that back. Decided it was easier to just type
the number into my phone.

It's hard for me to understand how there are so many people oblivious / ok with
the constant surveillance that goes on in their lives.

~~~
dreamcompiler
One motivation for this from the vendor's point of view is that a cloud
account means no NAT headaches=fewer customer service calls. I know, you don't
need to talk to your scale when you're not home, but even setting up LAN-only
access is beyond most civilians.

------
Mister_Snuggles
I have a handful of D-Link cameras, and plan to buy more.

D-Link offers some sort of cloud service, but I've never used it. I keep the
cameras segregated onto a separate Wifi network that can't access the
internet, and they work just fine in that configuration. The cameras have
built-in HTTP servers and present what they see as an MJPEG stream. I use
'motion' running on a machine to handle motion detection, recording, etc. I
use a VPN server to handle my remote access needs.

I get everything that the cloud stuff offers, but all hosted locally.

What's described in the article scares me, which is why I've set things up the
way I have. Even if the cameras were used (they weren't) and tied to someone
else's account, they can't send anything back to the cloud service.

~~~
tylervigen
If it's hosted locally, what stops an intruder from stealing or destroying
your server once they break in?

~~~
tmptmp
Locally doesn't mean it has to be stored on the same physical premises, thus
physical access to cameras does not necessarily mean physical access to
storage machines/devices. Great work GP, congrats for taking extra steps.

Is there any open-source/documentation that is accessible to more people (not
just network experts) on how to do this kind of setup?

~~~
Mister_Snuggles
There are really three separate problems that need to be solved:

* Remote access to your home network

* Recording and storage of video, possibly with motion detection and alerting.

* Remote storage of video/events (optional).

Each problem is "sort of" solved:

Most routers have some kind of VPN server built in. My Asus router supports
PPTP, which isn't very secure, out of the box. I think some routers are
starting to support OpenVPN, but without some easy wizard to set it up and
distribute the profiles and certificates it would probably be beyond the
average user.

A lot of NAS devices come with software to record from IP cameras. My QNAP has
it, but I have no idea how good it is as I've never tried it. I know that to
use more than two cameras they want you to buy extra licenses.

A lot of NAS devices can also sync folders up to various cloud storage
providers. This could solve the optional remote storage requirement.

As for making it all work together, that's another story. I'm not aware of any
kind of easy to follow HOWTO for a user whose goal is "access my cameras
remotely without sending everything to the cloud".

------
louprado
"I'm not mistaken, anyone could get the serial number off your cameras and
link them to their online account, to watch and record your every move without
your permission."

There's a name for a hacking strategy where you mass purchase products, modify
them or acquire relevant information, then resell them or return them. "Catch
and release" comes to mind, but I can't find any references.

~~~
kordless
You can also do this with PG&E accounts. Based on my conversations with them
about it, it appears to be a feature.

------
userbinator
_I set up an online account_

The title is missing an important fact: these are not traditional network
cameras, they're ones that apparently stream video into the cloud.

Those cameras that do not "phone home" to a cloud service don't have this
problem; the ones that you can set up with a username/password and then
connect directly to from the network. Ironically it's the cheap no-name ones
that usually work like this, as the company just sells the hardware and isn't
one to bother with their own set of servers/accounts/etc.

IMHO these cameras that do rely on a third-party service are to be avoided,
since what happens to that service is completely out of your control.

~~~
cookiecaper
The cameras you're discussing are not very safe for the layman either; you
wanna be sure you have a properly-configured perimeter firewall before you use
them and that they don't open any ports with UPnP. A cursory glance at shodan
will reveal many such cameras that are happily streaming their images out to
the open internet.

~~~
digi_owl
UPnP in its initial form, getting media devices to talk to each other and
exchange data, was fine. But how the heck did it end up being about punching
holes in firewalls?!

------
RickS
HN readers: Do you think the engineers knew?

I ask because I've worked on various products, and single units change hands
between engineers _constantly_. Phones for testing, accounts with shared dev
passwords, the actual hardware, all kinds of test units get spun up and passed
around, even on crappy products where the engineers' imaginations are the only
QA.

Surely one engineer set up a camera, passed it along to another engineer, who
set up the camera and encountered this error?

There are lots of classes of error that can hide in a product, but this feels
like one that it's nearly impossible not to hit.

~~~
acgourley
If it's really as simple as knowing a serial number to get access to a camera
then yes I'm sure an engineer conjured this corner case in their head.

~~~
jchendy
Probably some PM told them to ignore it so the product could ship on time.

~~~
dawnerd
Probably still an "issue" in their project tracker just waiting... one day...
as it gets pushed further and further down the list of tasks.

------
jedberg
Props to Dropcam/Nest for solving this problem.

My brother gave me his Dropcam after setting it up for himself, and I had to
prove my identity _and_ he had to prove his to get them to move the camera to
my account. It was a hassle at the time, but I was glad to know that they at
least had decent security.

~~~
yuhong
I reported 768-bit DHE on one of Nest's servers to Google security around
mid-2015. Does anyone remember the tweets by @NestSupport on Twitter around this
time (there was also
[https://bugzilla.mozilla.org/show_bug.cgi?id=1170833](https://bugzilla.mozilla.org/show_bug.cgi?id=1170833))?
It wasn't long after that they had to hire a VP of security (when Alphabet was
formed I think).

~~~
yuhong
Here are some of the old tweets actually:

[https://twitter.com/nestsupport/status/606246459822997505](https://twitter.com/nestsupport/status/606246459822997505)

[https://twitter.com/nestsupport/status/604682180242108416](https://twitter.com/nestsupport/status/604682180242108416)

[https://twitter.com/nestsupport/status/604714262834069505](https://twitter.com/nestsupport/status/604714262834069505)

[https://twitter.com/nestsupport/status/604718648595333121](https://twitter.com/nestsupport/status/604718648595333121)

(Notice that they eventually posted a clear screenshot showing the problem and
there was still not much of a response)

I still have the old emails from Google Security in my mailbox. June 2, 2015
was when I received the first "received" email. June 3, 2015 is when I
received the "triaged" email. June 4, 2015 is when I received the "filed a
bug" email. You can see from the Bugzilla bug that it was fixed by June 5,
2015.

~~~
seanp2k2
Nest really went down hard after the acquisition. They were a company who
built a cool thermostat. That is all. Everyone who didn't work on engineering
the thermostat seems incompetent, especially management. The UI which took
them like a year to do once they bought Dropcam is much worse than the old
Dropcam site. They never came through for Dropcam Pro buyers who they promised
1080p recording to (the hardware can do it, but they never made fixing it any
kind of priority). They then go and slap those users and early adopters in the
face by releasing the Nest cam with the same hardware with 1080p enabled.

The connected smoke detector is useless, since it's only useful in
emergencies, and an app-connected thing which runs complex firmware is the
absolute last thing I'd trust to save my life. There's a reason why sprinkler
heads to put out fires are dead simple.

They did nothing with an unlimited budget for 2 years:
[http://arstechnica.com/gadgets/2016/06/nests-time-at-alphabe...](http://arstechnica.com/gadgets/2016/06/nests-time-at-alphabet-a-virtually-unlimited-budget-with-no-results/)

------
JChase2
I've tried finding a camera that has a server that can encrypt traffic, and I
can't. It'd be nice to have access from outside of my network but I don't
trust it. It really took me by surprise how bad at security these things are.
I guess I could set up some kind of vpn but I assumed when I bought it I could
enable ssl or something.

~~~
Retr0spectrum
Possibly overkill, but you could set up some kind of home VPN to remote in
securely.

~~~
tener
This is probably the _only_ way to be sure about security in this scenario.

------
markbnj
Systems that provide an online account tied to a physical device have to be
carefully designed for transfer of ownership scenarios, and it sounds like
they didn't do the work here, or else something went wrong and the resulting
error state is unfortunate.

~~~
digi_owl
Frankly I suspect the devs never even contemplated a transfer of ownership
scenario. The whole idea seems more and more foreign, or perhaps quaint, to
the people involved in tech these days. Tech is treated as something
disposable, not something durable to transfer from person to person.
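
The transfer-of-ownership problem discussed in this subthread, as an added example that is not part of the thread and not any vendor's actual code: a simplified cloud registry that binds cameras by serial alone, beside one where a physical reset both revokes the old owner and issues the only token that can claim the device. All class, account and serial names are hypothetical, and the hardened model assumes the device reports its reset over an authenticated channel.

```python
import hmac
import secrets


class SerialOnlyRegistry:
    """Weak model: the serial alone binds a camera, and old bindings are never cleared."""

    def __init__(self):
        self.viewers = {}  # serial -> set of accounts allowed to view

    def factory_reset(self, serial):
        return None  # the reset stays on the device; the cloud binding is untouched

    def claim(self, account, serial, token=None):
        self.viewers.setdefault(serial, set()).add(account)
        return True

    def can_view(self, account, serial):
        return account in self.viewers.get(serial, set())


class ResetBoundRegistry:
    """Hardened model: a claim needs a one-time token that only a physical reset
    produces, and that same reset revokes whoever owned the camera before."""

    def __init__(self):
        self.owner = {}    # serial -> the single account allowed to view
        self.pending = {}  # serial -> one-time claim token from the last reset

    def factory_reset(self, serial):
        # Assumption: the device reports the reset over an authenticated channel.
        self.owner.pop(serial, None)  # previous owner loses access immediately
        self.pending[serial] = secrets.token_urlsafe(16)
        return self.pending[serial]   # shown only to whoever holds the device

    def claim(self, account, serial, token=None):
        expected = self.pending.get(serial)
        if expected is None or token is None:
            return False
        if not hmac.compare_digest(expected, token):
            return False
        del self.pending[serial]      # token is single use
        self.owner[serial] = account
        return True

    def can_view(self, account, serial):
        return self.owner.get(serial) == account


def resale_scenario(registry, serial="CAM-0001-EXAMPLE"):  # constructed serial
    """Replay the thread's story and report who can still watch the camera."""
    registry.claim("first_owner", serial, registry.factory_reset(serial))
    # The camera is returned to the store without a reset and sold again.
    if not registry.claim("second_owner", serial):
        # Hardened path: setup refuses until the buyer resets the camera.
        registry.claim("second_owner", serial, registry.factory_reset(serial))
    # Someone who only knows the serial (read off the box) tries to link it.
    registry.claim("serial_only", serial)
    accounts = ("first_owner", "second_owner", "serial_only")
    return {a: registry.can_view(a, serial) for a in accounts}


if __name__ == "__main__":
    for reg in (SerialOnlyRegistry(), ResetBoundRegistry()):
        print(type(reg).__name__, resale_scenario(reg))
```

In the hardened model the second buyer cannot finish setup until the camera is reset, so the stale binding is removed as a side effect of normal onboarding rather than relying on the seller or the store to remember.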

------
nateguchi
You can more than likely pick up the serial through the web-admin panel that
these cameras expose on the local network.

God forbid they have a wireless AP with the serial number somehow encoded in
the SSID.

How is it that these companies still don't give security a passing concern?

~~~
digi_owl
> How is it that these companies still don't give security a passing concern?

Lack of lawsuits. The kind that bankrupt companies and set binding precedents
for everyone else.

------
geofffox
I had the same problem with a WD home server. I returned it when it wouldn't
do what it was supposed to do. Later, I started receiving emails from the
server as it kept me up-to-date on its status.

------
walrus01
[https://twitter.com/internetofshit?lang=en](https://twitter.com/internetofshit?lang=en)

------
Aelinsaar
Until people start demanding security, and become willing to pay for it, the
IoT is going to be positively defined by this kind of nonsense. That, or some
kind of legislative action I guess, but that seems like pure fantasy.

~~~
matt_wulfeck
That's like saying "until people start demanding safety on cars and become
willing to pay for it there will always be fatalities". Sure part of the blame
is on the consumer, but maybe the company shouldn't be selling cameras that
are inherently insecure.

These types of things typically play out with lawsuits which increase
liability for the producers. The problem is that it's (currently) difficult to
prove damages when it's only privacy.

~~~
dexterdog
For most consumers security is a barrier to usability and we all know which
one is more important to the product team.

------
mtkd
I guess the devops team can view all of them

~~~
jessaustin
...I guess they've curated a set of good-looking and sometimes-not-completely-
dressed camera users whom they view more often than the rest of their
customers.

------
nxzero
Seen this same method applied to used equipment for sale, especially if it was
stolen.

Basically, someone steals a laptop, wipes it, reinstalls the OS with
backdoors, sells the laptop for cash, exploits backdoor access to own other
devices, exploits owned devices, etc.

~~~
gist
Take it one step further. Someone has a target that they are trying to acquire
(company website access). So they run a fake contest where the prize is a
laptop. The laptop that they ship to the "winner" is backdoored as you have
described.

~~~
nxzero
Right, hacker might even target a website that's known to be visited by the
targets, hack it, use it for drive by downloads attacks - and use the contest
win a backdoored device (laptop,iPad,drive,etc) to cherry pick any targets
that have not been compromised.

------
wepple
This is a general class of problems that is only going to get bigger.

When I returned my lease car I had to have a bit of a think about what might
be sync'd from my phone via bluetooth with it, and what functionality existed
to erase that. The answers didn't make me feel great.

The fun pastime of buying old HDDs off ebay and carving deleted files off
them to see what might be kicking about is going to get a whole lot more
interesting with everything-connected society moving forward.

------
takeda
What's with the "cloud" security systems? Why don't they just provide hardware
where you store the information locally?

Ignoring the privacy implications mentioned here, and that you essentially pay
monthly/yearly for storage, if your ISP has an outage your security system is
becoming useless. It also is a weak point for smarter thieves (just make sure
that Internet access is cut).

------
NETGEAR
NETGEAR has previously informed our resellers that retailers are not to resell
cameras which have been returned. The Arlo camera system in this instance was
resold without our authorization. When setting up a previously owned camera it
is advised that all Arlo cameras be reset from the original base station,
which will clear connection with any previously existing account. The
configuration for the camera needs to be cleared as the settings may contain
associated account information of the previous owner. NETGEAR is aware of this
concern and takes the security of our customers seriously.

------
NETGEAR
Additionally, NETGEAR has tested for various scenarios in which unauthorized
access to an Arlo video might be possible (including using randomized serial
numbers). From the testing we have conducted, NETGEAR has not seen a possible
scenario where an unauthenticated user plugs in random serial numbers and has
unauthorized access to a video stream.

The Arlo camera system is secured by design and has been tested by independent
auditors and security researchers. NETGEAR also conducts bug bounty programs
to further ensure the security of Arlo customers’ video streams and other
NETGEAR products.

------
arca_vorago
Yet people still recoil as if in horror when I try to explain that this is one
of the core reasons why GPLv3 is so important. Look, we've lost the hardware
freedom wars so far, but we still have software, and we can work on improving
our hardware side as we progress.

One of the common arguments I hear in response is, "But open source doesn't
pay, and therefore doesn't innovate as much."

While the lack of funds coming isn't ignorable, innovation is always happening
in the FOSS space, often surpassing the proprietary alternatives, often
falling far behind as well. It still gives you the power to control your own
systems, which is the freedom you can choose to not give up.

The only way you surrender your freedom is voluntarily.

------
happyslobro
Wow. You know the situation is bad when you are actually better off
implementing your own security as a bunch of Arduinos with webcam shields on
the LAN and a server with a feature phone in the closet.

LOL, just look at this vigilant little bastard :p
[http://www.arducam.com/arducam-porting-raspberry-pi/arducam-...](http://www.arducam.com/arducam-porting-raspberry-pi/arducam-pizero-3/)
No one is sneaking up on that without leaving a mugshot.

~~~
voltagex_
Yep, but what does the average consumer do?

------
reiichiroh
I can't tell but it doesn't seem like the OP reset the devices before he
returned them. Isn't this his or her fault then? Like having nude selfies on a
phone and returning it without wiping the phone to factory defaults?

------
dboreham
fwiw I recently started using the Samsung network camera sold by Costco
(SNH-V6414BN), after various homebrew and RPi solutions over the years. It has
an on-camera password that is set as part of the WiFi pairing process so is
not open to this kind of attack. This password is separate from the cloud
account credentials, so provided you don't ask the web site or mobile app to
retain it (optional), without that password the camera content can't be
accessed remotely (of course the firmware could be compromised and I don't
know if the password is adequately protected from eavesdropping).

------
andrewclunn
Holy shit. Never buying off the shelf consumer grade security equipment now.

------
hackney
Sounds like the security part is sorely lacking. That and someone needs to get
a life.

