With a maximum light output of 3000 lumens, the Arlo Pro 3 floodlight camera shines brighter than a car – at least that’s how it’s advertised on the Arlo website. We took a closer look at the battery-powered camera from a security perspective and put it through its paces.

In the dark season, there are many reasons why homeowners place a surveillance camera in their garden. A camera like the Arlo Pro 3 Floodlight comes in handy here, illuminating the garden as bright as day when motion is detected or when needed.


Technical data

With a 13,000 mAh battery and a weight of 650 grams, the surveillance camera is not exactly a lightweight, but according to the manufacturer it should last up to 6 months without recharging. The 4 megapixel camera records in 2K resolution (2560×1440) and offers a 160° wide angle and HDR. In addition to the floodlight (2000 lm on battery, 3000 lm with the optional cable connected), infrared LEDs are built in, so night vision is possible without activating the floodlight. A strobe light and a siren are available in case of an alarm.

Application

The Arlo app (Android, iOS) was subjected to a static and dynamic analysis. It contains many third-party modules; in addition, four trackers (Google AdMob, Crashlytics, Firebase Analytics, Swrve) could be identified. The static analysis of the application found only minor weaknesses in the shared objects (.so files) it uses, which Arlo should fix. All security-relevant information is stored encrypted in the protected area of the app. Furthermore, certificate pinning is active for the important connections, so a man-in-the-middle attack did not succeed.

Thanks to Arlo, even a night-time guest in the home office did not go unobserved:

Online communication

The app’s communication was effectively encrypted at all times. The same is also the case for the Arlo Pro 3 Floodlight Camera. From the initial connection to the final stream of the camera image, everything is transmitted encrypted. The scan of the device itself did not reveal any notable vulnerabilities either.

TLS 1.2 encrypted communication with Arlo / Cloudflare servers

The two-factor authentication, enabled by default and delivered via push notification in the app or via SMS, is exemplary as well.

Privacy

According to Arlo’s privacy policy (as of July 2018), all recorded data is stored and processed worldwide, including the processing of video data, e.g. for person or package detection. Storage and processing on the user’s own continent would be desirable here. Videos are used only for the explicit processing purpose; the user can optionally donate them individually to Arlo for research purposes.

The trackers integrated into the app are not explicitly named, so the privacy policy should be expanded on this point. Furthermore, we recorded data traffic to Cloudflare; this service provider should also be named.

Conclusion

With the Arlo Pro 3 Floodlight Camera, the manufacturer once again shows that IT security was not a minor consideration in product development but its focus. Secure data transmission and storage are clearly in the spotlight here. Arlo should further improve transparency in the area of privacy, but it is already on a good path here as well.