Security researchers have discovered a vulnerability affecting millions of smart home cameras from popular brands including Ring, Nest, and Arlo. The flaw could allow attackers to gain unauthorized access to your camera feeds, turning your security devices into surveillance tools against you. While there's no evidence of widespread exploitation yet, updating your devices now is critical to protecting your home and family's privacy.
Affected products
- Ring Video Doorbell (2019-2024 models)
- Nest Cam Indoor
- Arlo Pro 3
How to Fix
Step-by-step remediation
Securing your smart home cameras involves updating the devices and strengthening your account security:
For Ring Devices:
1. Open the Ring app on your phone
2. Select your device from the main screen
3. Tap the gear icon (Device Settings)
4. Select 'Device Health'
5. Under 'Firmware', tap 'Up to Date' to check for updates
6. If an update is available, tap 'Update Now'
7. Go back to Settings and enable 'Two-Factor Authentication'
For Nest/Google Home Cameras:
1. Open the Google Home app
2. Select your camera device
3. Tap the settings gear icon
4. Go to 'Device Information'
5. Check for firmware updates under 'Technical Information'
6. Enable 2-Step Verification in your Google Account settings
For Arlo Cameras:
1. Open the Arlo app
2. Tap Settings (gear icon)
3. Select 'My Devices'
4. Choose your camera
5. Tap 'Device Info' to check firmware version
6. If outdated, enable 'Automatic Firmware Updates'
7. Enable 'Two-Step Verification' in Account settings
Additional Steps for All Cameras:
- Change your camera password to something strong and unique
- Review 'Shared Users' and remove anyone who shouldn't have access
- Disable any features you don't use (like the speaker or microphone)
- Consider setting up motion alerts so you know when cameras are triggered
What happened
Smart home cameras connect to the internet to let you view your home remotely. This convenience comes with risks - if the connection isn't properly secured, others might be able to see what you see.
This vulnerability exists in how these cameras communicate with their cloud servers. Think of it like making a phone call: normally, the connection is private between you and the camera. But this bug is like having a party line where others could listen in if they knew how to access it.
The technical flaw involves weak encryption in the camera's firmware - the built-in software that runs the device. Researchers discovered that with the right tools, an attacker could:
- View live video feeds from your cameras
- Access stored video recordings
- Listen to audio if your camera has a microphone
- In some cases, speak through the camera's speaker
- Disable the camera without your knowledge
The attack requires the attacker to be on the same local network (like your home WiFi) or to exploit an additional vulnerability to gain remote access.
Real-World Impact
While this specific vulnerability hasn't been used in confirmed attacks, similar smart home security flaws have led to disturbing incidents:
- Strangers talking to children through bedroom cameras
- Footage of homes being sold on dark web marketplaces
- Burglars using camera access to confirm when homes are empty
- Harassment and stalking of domestic abuse survivors
In 2024, a similar vulnerability was exploited by a criminal ring that accessed over 150,000 cameras worldwide, selling subscriptions to view private footage. The FBI's Internet Crime Complaint Center receives thousands of reports annually about smart home device compromises.
Technical Details
"The devices we trust to protect our homes can become the biggest threats to our privacy when not properly secured. Consumers should treat their smart home devices with the same security hygiene they'd apply to their computers and phones." - Department of Homeland Security IoT Security Working Group
🛡️ Prevention Tips
To keep your smart home secure:
1. Keep firmware updated - Enable automatic updates when available
2. Use unique, strong passwords - Never reuse passwords from other accounts
3. Enable two-factor authentication - This is available for Ring, Nest, and Arlo
4. Secure your WiFi network - Use WPA3 if available, or at minimum WPA2
5. Change default network name - Don't broadcast that you're using specific camera brands
6. Create a separate IoT network - Many routers support guest networks for smart devices
7. Regularly audit access - Review who has shared access to your cameras quarterly
8. Point cameras carefully - Avoid placing cameras in private spaces like bedrooms
9. Consider local storage - Some cameras can record to a local SD card instead of cloud
10. Research before buying - Check a device's security track record before purchase
FAQs
Can hackers see my cameras right now?
While possible, it's unlikely without specific targeting. This vulnerability requires either local network access or chaining with other exploits. However, you should still update immediately to eliminate the risk.
How do I know if someone has been watching my cameras?
Unfortunately, unauthorized viewing often leaves no obvious trace. Check your camera's activity log for unfamiliar access times. Ring shows 'Viewed' events; Nest shows 'Home/Away Activity'. If in doubt, change your password and enable 2FA.
Should I cover or disconnect my cameras until they're updated?
If you're very concerned and can't update immediately, covering indoor cameras is a reasonable precaution. For outdoor cameras, you might temporarily disable remote access through the app while keeping local recording active.
I have a different brand of smart camera - am I safe?
This specific vulnerability affects Ring, Nest, and Arlo, but other brands may have similar issues. Check your camera manufacturer's website for security updates and keep your device firmware current regardless of brand.
Are wired security cameras safer than wireless?
Not necessarily. Both wired and wireless cameras connect to the internet for remote viewing. The vulnerability is in the software, not the connection type. However, cameras that only record locally without internet connectivity have a smaller attack surface.