Returned Home Security Camera Accidentally Spies On New Buyer
This isn't how security cameras are supposed to work
Be careful buying a repackaged high-end security camera system—the original owner might still be watching.
On Saturday, Jennifer Brown, who runs a small online retail store in central Kentucky with her husband, noticed something that shouldn’t be possible. A few months ago, she had purchased and set up a wireless Netgear Arlo security camera system, which records in high-def, has night vision capabilities, and alerts your account whenever it notices motion. She later decided she wasn’t really using it, so she returned it to the Sam’s Club store where she purchased it and assumed that was the end.
About two months later, she said, she received an email alert from that camera system, which had since been repackaged and resold to a different customer. “I logged into my online account and I can see the new owner, their house, and everything they’re doing,” she wrote on Reddit.
“The set comes with three cameras, three cameras set up in this person’s home,” Brown later told Vocativ by phone. “I couldn’t really make out what the person looked like—the quality’s not that great. There were multiple people, though, and there were children. [It was clear] enough that I could make out the make of his vehicle out front,” she said.
That is, of course, not supposed to be how it works. Instead, the company says, retailers are told not to sell returned cameras without first sending them back to Netgear to be reset. “The Arlo camera system in this instance was resold without our authorization,” Netgear representative Nathan Papadopulos told Vocativ in a statement.
Arlo cameras are widely popular, with more than one million sold worldwide. While returns do happen, there isn’t a clear mechanism in place to enforce the policy that any returned camera must be sent back to the company to be wiped. “Netgear has previously informed our resellers that retailers are not to resell cameras which have been returned,” Papadopulos said, adding that this is the first time the company has received a report of a former Arlo owner getting unauthorized access to the feed of the next customer.
Several redditors expressed a fear that Brown’s discovery meant anyone can simply randomize a Netgear serial number, which is used when users set up access to the video feed, and start creating accounts for random cameras. Papadopulos, however, said the company has independently tested for that possibility but “has not seen a possible scenario where a random serial number plug-in would provide unauthorized access to a video stream.” He also stated that Netgear maintains a bug bounty program, in which the company pays hackers to report security vulnerabilities to it.
Netgear told Brown they expected to have a solution to the problem within three weeks, she said. Still, she said, she’s shocked that it was ever an issue to begin with.
“I can’t imagine that this is the first time that a camera has been resold as a new item. I can’t imagine they’ve never been told of this situation,” she said.
Brown told Vocativ on Monday that she was still able to view the mystery family’s camera feeds.