Two high-severity vulnerabilities in Arlo Technologies’ wireless home security camera gear have been patched. The flaws, which indirectly impact Arlo’s popular fleet of wireless home security cameras, can be exploited only by adversaries with local network and physical access to Arlo Base Stations.
Both vulnerabilities were publicly disclosed Monday by Arlo Technologies and Tenable, the security firm that found the bugs. Impacted are Arlo Base Station models VMB3010, VMB4000, VMB3500, VMB4500 and VMB5000. The bugs could ultimately lead to an adversary taking complete control of affected base station models and eventually any connected cameras. Arlo Technologies is a spin-off from networking firm Netgear, as of January 2019.
One of the vulnerabilities (CVE-2019-3949) is described as insufficient protection mechanisms for the universal asynchronous receiver-transmitter (UART). Simply put, UART is a type of digital communication between two devices, found on an integrated circuit or a component.
“If someone has physical access to an Arlo base station, they can connect to the UART port using a serial connection. After making the connection, an attacker can gain access to sensitive information,” according to an Arlo security advisory.
According to Jimi Sebree, senior research engineer at Tenable and the researcher who found the bugs, access via the UART port is tied to default credentials (“ngroot” / “ngbase”) used by the base station.
“With physical access, connecting to the serial port is relatively trivial as it immediately drops the user to a login prompt. While the UART credentials (UART_username and UART_passwd) are encrypted in the nvram entries, the encryption key is hardcoded on the device via the PASS_ENC (GEARNET) environment variable (which is cleared after the initial boot and nvram encryption),” he wrote in a technical breakdown of the bug.
The second flaw (CVE-2019-3950) is a networking misconfiguration bug in the Arlo Base Station that allows an attacker to control a user’s Arlo camera. The prerequisite for the attack is being connected to the same network as the base station.
“Arlo base stations have two networking interfaces: one for the internal camera network and one for connection to an external LAN, such as a home network. If an attacker is connected to the same LAN as an Arlo base station, they can access the interface used for the internal camera network,” Arlo describes.
Sebree said part of the problem is that the Arlo base station is based on a Netgear consumer routing device that was recycled into the Arlo Base Station without proper review.
“Specify the router as your gateway (or simply add the appropriate route to your host machine) and boom, it forwards traffic between interfaces. In particular, the default http listener deployed by ‘vzdaemon’ contains a ‘passthru’ api endpoint that allows the arbitrary download or upload of files on the device,” he wrote.
For example, simply calling “http://<internal ip of interface>/passthru/tmp/system-log” allows an attacker to download the primary logfile used for the device, Sebree said.
“This passthru api endpoint could allow an attacker to completely take over the device since it allows the arbitrary upload and download of files on the system,” he wrote in a separate breakdown of the bugs on Medium.
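For defenders monitoring a LAN that hosts one of these base stations, the two behaviors described above (LAN hosts reaching the internal camera interface, and requests to the passthru endpoint) can be flagged from HTTP connection logs. The following Python is an added example, not code from Tenable or Arlo; the log format, the sample lines and the 192.0.2.0/24 camera subnet are constructed placeholders.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumption: placeholder (documentation range) for the base station's
# internal camera network; substitute the subnet seen on your own device.
CAMERA_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample lines in a constructed format: "time src dst method url status"
SAMPLE_LOG = """\
2019-07-09T10:00:01Z 198.51.100.23 192.0.2.1 GET /passthru/tmp/system-log 200
2019-07-09T10:00:05Z 198.51.100.23 192.0.2.1 POST /PassThru//tmp/upload.bin 200
2019-07-09T10:00:09Z 198.51.100.40 192.0.2.1 GET /%70assthru/tmp/system-log?x=1 200
2019-07-09T10:01:00Z 192.0.2.15 192.0.2.1 GET /status 200
2019-07-09T10:02:00Z 198.51.100.40 198.51.100.1 GET /index.html 200
malformed line
"""

def normalize(url):
    """Drop the query, decode percent-escapes, collapse slashes, lowercase."""
    decoded = unquote(url.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/")).lower()

def find_alerts(log_text):
    """Return one alert per request aimed at the camera network that looks wrong."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # not in the constructed format
        _, src, dst, method, url, _ = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dst_ip not in CAMERA_NET:
            continue  # only traffic aimed at the internal camera interface matters
        path = normalize(url)
        reasons = []
        if src_ip not in CAMERA_NET:
            reasons.append("cross-interface")  # LAN host reached the camera network
        if path == "/passthru" or path.startswith("/passthru/"):
            reasons.append("passthru")  # file transfer endpoint was requested
        if reasons:
            alerts.append({"src": src, "method": method, "path": path, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Normalizing the path before matching keeps case changes, doubled slashes and percent-encoding from hiding a passthru request from the check.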
Arlo said that updates have been sent to impacted base stations and that “firmware updates are sent to your devices automatically. You do not need to manually update your firmware.”