Arlo WiFi Default Password Security Vulnerability

Arlo is aware of an Arlo WiFi default password vulnerability that uses an easily identifiable code that can allow hackers to log in to an Arlo camera or base station and capture traffic and images. The vulnerability can occur in the following circumstances:

  • When a user first connects an Arlo base station or an Arlo Q or Arlo Q Plus camera to the Internet and the base station or camera is using an easily identifiable default password.
  • When a user performs a factory reset, causing the base station to generate an easily identifiable default password.
  • When a user removes the base station from their account using any of the Arlo user interfaces, causing the base station to reset to the easily identifiable factory default password.

This vulnerability affects the following Arlo products and firmware versions:

  • Arlo base stations (model numbers VMS3xx0, VMK3xx0, and VMB30x0) running firmware version 1.7.5_6178 or older
  • Arlo Q cameras (model number VMC3040) running firmware version 1.8.0_5551 or older
  • Arlo Q Plus cameras (model number VMC3040s) running firmware version 1.8.1_6094 or older

This vulnerability does not affect Arlo Pro systems or Arlo Go cameras.

Arlo released new firmware that fixes all instances of the default password vulnerability. Any Arlo base stations that have been online for at least a day at any time after October 10, 2016, received the new firmware updates automatically. Any Arlo Q or Arlo Q Plus cameras that have been online for at least a day at any time after November 9, 2016, received the new firmware updates automatically. If your devices were online during those periods, the update is already installed and your Arlo system is protected from the default password vulnerability. No action is necessary.

If your Arlo base stations and Arlo Q or Arlo Q Plus cameras are currently online but you want to verify that they are protected from the Arlo WiFi default password vulnerability, follow these steps.

To verify that your Arlo base station is protected from the Arlo WiFi default password vulnerability:

  1. Launch the Arlo app or log in to your Arlo account on the web portal.
  2. Tap or click Settings > My Devices and select the base station whose firmware version you want to check.
  3. Tap or click Device Info.
    • If Firmware is 1.8.1_9169 or greater, then your Arlo base station is protected from the default password vulnerability.
    • If your firmware version is not at least 1.8.1_9169, complete a manual firmware upgrade as described in this knowledge base article: How do I update my Arlo firmware manually?.
  4. Repeat steps 1-3 for each Arlo base station.

To verify that your Arlo Q or Arlo Q Plus camera is protected from the Arlo WiFi default password vulnerability:

  1. Launch the Arlo app or log in to your Arlo account on the web portal.
  2. Tap or click Settings > My Devices and select the camera whose firmware version you want to check.
  3. Tap or click Device Info.
    • If Firmware is 1.8.3_9642 or greater, then your Arlo Q or Arlo Q Plus camera is protected from the default password vulnerability.
    • If your firmware version is not at least 1.8.3_9642, complete a manual firmware upgrade as described in this knowledge base article: How do I update my Arlo firmware manually?.
  4. Repeat steps 1-3 for each Arlo Q or Arlo Q Plus camera.
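The two verification procedures above reduce to one check: is the firmware string shown under Device Info at or above the fixed version for that product family? Arlo firmware versions have the form major.minor.patch_build (for example 1.8.1_9169), and the build number must be compared numerically, because a plain string comparison orders "1.8.1_10000" before "1.8.1_9169". The following script is an added example, not Arlo's code or tooling; it takes the fixed-version thresholds from the steps above, and the model-number regular expressions are assumptions derived from the "x" wildcards in the affected-products list. The device inventory at the bottom is constructed sample data.

```python
"""Check Arlo device firmware against the fixed versions in the advisory.

Added example, not Arlo's own code. Thresholds come from the verification
steps in the advisory; model-number patterns are assumptions based on the
wildcarded model numbers the advisory lists.
"""
import re

# Minimum protected firmware per product family (from the advisory).
FIXED_VERSIONS = {
    "base_station": (1, 8, 1, 9169),   # VMS3xx0, VMK3xx0, VMB30x0
    "arlo_q":       (1, 8, 3, 9642),   # VMC3040
    "arlo_q_plus":  (1, 8, 3, 9642),   # VMC3040s
}

# Assumed model-number patterns; anchored so VMC3040 and VMC3040s stay distinct.
MODEL_FAMILIES = [
    (re.compile(r"^VMC3040S$", re.I), "arlo_q_plus"),
    (re.compile(r"^VMC3040$", re.I), "arlo_q"),
    (re.compile(r"^(VMS3\d\d0|VMK3\d\d0|VMB30\d0)$", re.I), "base_station"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)$")


def parse_version(text):
    """Turn '1.8.1_9169' into (1, 8, 1, 9169); raise ValueError on any other shape."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def family_for_model(model):
    """Map a model number to a product family, or None if the advisory does not cover it."""
    for pattern, family in MODEL_FAMILIES:
        if pattern.match(model.strip()):
            return family
    return None


def is_protected(model, firmware):
    """True if firmware is at or above the fixed version for this model.

    Returns None for models outside the advisory (e.g. Arlo Pro, Arlo Go).
    Tuple comparison is field-by-field numeric, so build numbers of
    different lengths compare correctly.
    """
    family = family_for_model(model)
    if family is None:
        return None
    return parse_version(firmware) >= FIXED_VERSIONS[family]


def audit(devices):
    """devices: iterable of (name, model, firmware) tuples.

    Returns a list of (name, status) where status is one of
    'protected', 'needs_upgrade', 'not_covered' or 'invalid_version'.
    """
    results = []
    for name, model, firmware in devices:
        try:
            verdict = is_protected(model, firmware)
        except ValueError:
            results.append((name, "invalid_version"))
            continue
        if verdict is None:
            status = "not_covered"
        elif verdict:
            status = "protected"
        else:
            status = "needs_upgrade"
        results.append((name, status))
    return results


# Constructed sample inventory for demonstration only.
SAMPLE_DEVICES = [
    ("garage base",   "VMS3230",  "1.7.5_6178"),   # affected version from the advisory
    ("hall base",     "VMB3010",  "1.8.1_9169"),   # exactly the fixed version
    ("kitchen Q",     "VMC3040",  "1.8.0_5551"),   # affected version from the advisory
    ("porch Q Plus",  "VMC3040s", "1.8.3_9642"),   # exactly the fixed version
    ("unknown model", "XYZ9999",  "1.0.0_1"),      # constructed, not in the advisory
    ("bad string",    "VMS3230",  "1.8.1"),        # malformed version, no build number
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_DEVICES):
        print(f"{name:14s} {status}")
```

The field-by-field tuple comparison is the point of the example: the affected and fixed versions in this advisory happen to sort the same way as strings, but a later build such as 1.8.1_10000 (a constructed value) would be reported as vulnerable by a string comparison and is correctly reported as protected here.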


If your Arlo base station is not currently online, Arlo strongly recommends that you complete these steps to address the vulnerability for each Arlo base station.

To upgrade your Arlo base station firmware:

  1. Connect the Arlo base station to your router.
    For more information about connecting your base station, see How do I connect my Arlo or Arlo Pro base station to the Internet?.
  2. If you disconnected the base station from your account or if you never connected your base station, complete the new system setup process as described in the Arlo Quick Start Guide.
  3. Complete a manual firmware upgrade as described in this knowledge base article: How do I update my Arlo firmware manually?.
    • If no firmware upgrade is available for your base station, your firmware is already up to date and you are protected from the Arlo WiFi default password vulnerability.
    • If any of your Arlo Wire-Free cameras are powered off, have low batteries, or are disconnected from your account, you might need to resync them with the base station before you can use them again.
  4. (Optional) To verify that your base station is protected from the security vulnerability, complete the earlier procedure titled “To verify that your Arlo base station is protected from the Arlo WiFi default password vulnerability.”


If your Arlo Q or Q Plus camera is not currently online, Arlo strongly recommends that you complete these steps to address the vulnerability for each camera.

To upgrade your Arlo Q or Q Plus firmware:

  1. Connect the Arlo Q or Arlo Q Plus camera to your Internet network as described in the Arlo Q and Arlo Q Plus User Manual.
  2. If you disconnected the camera from your account or if you never connected your camera, complete the new system setup process as described in the Arlo Q and Arlo Q Plus User Manual.
  3. Complete a manual firmware upgrade as described in this knowledge base article: How do I update my Arlo firmware manually?.
    • If no firmware upgrade is available for your camera, your firmware is already up to date and you are protected from the Arlo WiFi default password vulnerability.
  4. (Optional) To verify that your camera is protected from the security vulnerability, complete the earlier procedure titled “To verify that your Arlo Q or Arlo Q Plus camera is protected from the Arlo WiFi default password vulnerability.”

If the recommended steps are not completed as described, the potential for the Arlo WiFi default password vulnerability will remain and hackers might be able to log in to the Arlo base station or Arlo Q camera or Arlo Q Plus camera and capture traffic and images. Arlo is not responsible for any consequences that could have been avoided by upgrading the firmware as stated in this notification.

We appreciate and value having security concerns brought to our attention. Arlo constantly monitors for both known and unknown threats. Being proactive rather than reactive to emerging security issues is fundamental to product support at Arlo.

To report a security vulnerability, visit https://bugcrowd.com/arlo

If you are an Arlo customer with a security-related support concern, you can contact Arlo customer support at customerservice@arlo.com

For all other issues, visit https://www.arlo.com/en-us/about/security/.