Arlo Wire-Free WiFi Default Password Security Vulnerability
NETGEAR is aware of an Arlo WiFi default password vulnerability that generates an easily identifiable code that can allow hackers to log into the Arlo base station and capture traffic and images. The vulnerability can occur in the following circumstances:
- When a user performs a factory reset, causing the base station to generate an easily identifiable default passphrase.
- When a user removes the base station from their account using any of the Arlo user interfaces, the website or mobile apps.
This vulnerability affects Arlo Wire-Free base stations that run firmware version 1.7.3_5005 or older. To check your firmware version, log in to your Arlo account and click Settings > About.
NETGEAR plans to release firmware version 1.7.5_6178 by mid-June that will generate a secure unique default passphrase. When the firmware becomes available, Arlo Wire-Free base stations that are online will receive firmware updates automatically.
After the firmware release, NETGEAR strongly recommends that you complete these steps to address the vulnerability:
- Ensure that your Arlo Wire-Free base station software is upgraded to firmware v1.7.5_6178.
- Perform a factory reset to the base station.
Important: You must perform a factory reset correctly for the security update to take effect.
To reset the base station, visit https://community.netgear.com/t5/Arlo-Knowledge-Base/How-can-I-reset-my-Arlo-base-station-to-the-default-values/ta-p/1057976.
- Add the base station back to the account if it was removed.
To add the base station to the account, visit the Make Sure Your Base Station Has Not Been Deactivated and the Add Your Base Station Back to Your System portions of this site: https://community.netgear.com/t5/Arlo-Knowledge-Base/My-camera-will-not-sync-with-the-base-station/ta-p/995.
- Re-sync the Arlo cameras that were removed from the account.
To resync the cameras, visit the Sync your Cameras with the Base Station portion of this site: https://community.netgear.com/t5/Arlo-Knowledge-Base/How-do-I-set-up-and-sync-my-Arlo-Wire-Free-cameras/ta-p/987.
Note: If the recommended steps are not completed as described, the potential for the Arlo WiFi default password vulnerability will remain and hackers might be able to log in to the Arlo base station and capture traffic and images. NETGEAR is not responsible for any consequences that could have been avoided by upgrading the firmware as stated in this notification.
NETGEAR will update this KB article as more information becomes available.
If you have any security concerns, you can reach us at firstname.lastname@example.org.
We appreciate and value having security concerns brought to our attention. NETGEAR constantly monitors for both known and unknown threats. Being pro-active rather than re-active to emerging security issues is fundamental for product support at NETGEAR.
It is NETGEAR's mission to be the innovative leader in connecting the world to the internet. To achieve this mission, we strive to earn and maintain the trust of those that use NETGEAR products for their connectivity.