21/07/2021

Rooting an Arlo Q Plus Camera (SSH 🔙🚪?!)

In this short video we show you how we discovered and used a backdoor in the Arlo Q Plus to gain root access to the device.

1. Identified the UART console

2. Dumped the NAND firmware

3. Found and cracked the hardcoded SSH root account

4. Discovered a special operation mode that enables SSH
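The third step, a root account with a usable password hash baked into the firmware image, is something a firmware audit can flag before a device ships. The following is an added example, not code from the video or from Arlo: it walks an unpacked root filesystem (assumed to already be extracted from the NAND dump) and reports accounts whose shadow entry carries an active hash and whose passwd entry gives them a login shell. The sample `etc/passwd` and `etc/shadow` are constructed here, and the hash strings are placeholders.

```python
# Added example: audit an unpacked firmware rootfs for accounts that can log in.
# Sample files below are constructed; hash strings are placeholders, not real.
import os
import tempfile

NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def _locked(hash_field):
    """True when the shadow hash field cannot authenticate anyone."""
    return hash_field in ("", "*", "x") or hash_field.startswith("!")

def find_loginable_accounts(rootfs):
    """Return (user, shell) pairs with an active hash and a login shell."""
    shells = {}
    passwd = os.path.join(rootfs, "etc", "passwd")
    if os.path.exists(passwd):
        with open(passwd) as f:
            for line in f:
                p = line.rstrip("\n").split(":")
                if len(p) >= 7:
                    shells[p[0]] = p[6]
    hits = []
    with open(os.path.join(rootfs, "etc", "shadow")) as f:
        for line in f:
            p = line.rstrip("\n").split(":")
            if len(p) < 2 or _locked(p[1]):
                continue
            shell = shells.get(p[0], "<unknown>")  # no passwd entry: still report
            if shell not in NO_LOGIN_SHELLS:
                hits.append((p[0], shell))
    return hits

def build_sample_rootfs():
    """Write a constructed etc/passwd and etc/shadow into a temp dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n"
                "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
                "svc:x:100:100:svc:/var:/bin/sh\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as f:
        f.write("root:$1$PLACEHOLDER$notarealhash:10000:0:99999:7:::\n"    # active
                "daemon:$1$PLACEHOLDER$notarealhash:10000:0:99999:7:::\n"  # no shell
                "svc:!$1$PLACEHOLDER$locked:10000:0:99999:7:::\n")         # locked
    return root

def audit_sample():
    """Run the audit over the constructed rootfs; expect only root to be flagged."""
    return find_loginable_accounts(build_sample_rootfs())
```

On a real dump, point `find_loginable_accounts` at the extracted squashfs or jffs2 root; a hit for `root` is exactly the condition the write-up describes, and the fix on the vendor side is to ship that field locked.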

The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and tracked under CVE-2021-31505.

Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-683/

Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo; we did not test the fix)
