***Please see the update at the end of the article***
I have been a fan of Reolink IP cameras for years and recently experienced something that was a bit disturbing to me and wanted to draw attention to it. I often do my own hardware reviews for my blog and while testing the new Argus wireless camera, I ran across an issue that left me a bit puzzled, not to mention concerned. As the Argus is a standalone battery-operated camera, it requires an iOS/Android app to set up and configure. After loading the app I was not very surprised when the app pulled up all my other Reolink cameras that are connected to my internal network. However, what surprised me was that the app could detect and communicate with all the cameras even when I was outside of my network without any configuration or setup on my part. I had not created any account or forwarded any ports, no UPnP, and I have used custom ports on each camera to avoid defaults. I was completely surprised how this app could set up a connection to access cameras on a locked-down internal network from outside without me knowing about it or giving it permission to do this. All the ports I have used for the cameras are closed and route directly to Blue Iris camera software on a standalone PC. If I try to access the cameras directly from a browser outside my network they are blocked, yet “all” show up when using the app. As I use Sophos XG as my firewall, it was trivial to block these devices once I discovered the issue. What was concerning to me is that by simply installing this app on my iPhone it allowed communication to and from all my Reolink cameras on my internal network without my knowledge or consent. I am certainly not a security expert but this seems like a very bad idea. I did some additional testing selectively blocking each camera with my firewall, but it still allowed the remaining cameras to connect and communicate independently. Meaning that each camera can establish an independent connection through the app on its own. We wonder why we have DDoS attacks.
I will probably replace all my Reolink cameras in the near future as budget permits, but in the meantime I have blocked all my Reolink cameras on my firewall and only access them through VPN/Blue Iris. I hope there is a logical and reasonable explanation for this but in the interim, I thought it was important to share this with everyone. If you do have a Reolink product, make sure you check it carefully and that you block these devices from external communication. I certainly hope the folks at Reolink fix this in the near future or risk losing a couple of customers like me along the way.
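As an added example (not from the original post and not Reolink's or Blue Iris's code), here is a small Python audit a defender can run over firewall logs after blocking the cameras, to confirm that every camera is confined to the local NVR host and that none still has an accepted outbound connection to the internet. The camera addresses, the Blue Iris host address and the key=value log format are constructed stand-ins, not Sophos XG's real log format.

```python
import ipaddress

# Constructed inventory: camera IPs and the Blue Iris host (hypothetical addresses).
CAMERAS = {"192.168.10.21": "cam-front", "192.168.10.22": "cam-garage", "192.168.10.23": "cam-argus"}
NVR_HOST = "192.168.10.5"

# Constructed log lines in a generic key=value shape (not a real Sophos XG export).
# 203.0.113.x / 198.51.100.x are RFC 5737 documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
action=allow src=192.168.10.21 dst=192.168.10.5 dport=9000 proto=tcp
action=allow src=192.168.10.22 dst=203.0.113.40 dport=443 proto=tcp
action=drop src=192.168.10.23 dst=198.51.100.9 dport=9000 proto=udp
action=allow src=192.168.10.23 dst=192.168.10.5 dport=9000 proto=tcp
action=allow src=192.168.10.50 dst=203.0.113.40 dport=443 proto=tcp
"""

# RFC 1918 space counts as "inside"; anything else the camera reaches is a leak.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None if required keys are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields if {"action", "src", "dst"} <= fields.keys() else None

def is_external(addr):
    """True when the destination is outside the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LAN_RANGES)

def audit_camera_egress(log_text, cameras=CAMERAS, nvr_host=NVR_HOST):
    """Per camera: allowed external destinations ("leaks"), denied attempts, and NVR reachability.
    Each camera is judged independently, since each one can open its own connection."""
    report = {ip: {"leaks": [], "denied": 0, "nvr_ok": False} for ip in cameras}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["src"] not in cameras:
            continue  # skip unparsable lines and hosts that are not cameras
        entry = report[f["src"]]
        if f["action"] == "allow" and f["dst"] == nvr_host:
            entry["nvr_ok"] = True
        elif f["action"] == "allow" and is_external(f["dst"]):
            entry["leaks"].append(f"{f['dst']}:{f.get('dport', '?')}/{f.get('proto', '?')}")
        elif f["action"] != "allow":
            entry["denied"] += 1
    return report

def cameras_with_leaks(report):
    """Camera IPs whose egress block is not actually in effect."""
    return sorted(ip for ip, r in report.items() if r["leaks"])
```

A camera that shows up in `cameras_with_leaks` still has a path out despite the policy; a camera with `denied` hits and `nvr_ok` true is behaving as intended: blocked outbound, still reachable by the NVR.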
I was contacted by Reolink tech support and below is the extract of our conversation. I appreciate their quick response and clarification on this. Though I still have some questions about how this was all set up, I do respect their response and the level of customer service. A special thanks to the team at Reolink that responded.

_______________________________________

Hello Mike, so sorry for the misunderstanding caused. The only reason why you can access the cameras outside your network lies in that you’ve configured those cameras in the App when you were in the internal network. Nobody can access your cameras outside the network unless you share the UID with them. If you still have doubts on this issue, it’s recommended to try to access those cameras outside your network with another smartphone that hasn’t accessed those cameras before. Hope this clarifies your questions. For any question, please don’t hesitate to contact our support team at firstname.lastname@example.org. Thanks!

My response (8/27/17): Thanks for the reply and explanation. I did verify your statements; however, my suggestion is that a few more warnings be put in when setting up the software. I did not choose to add the other cameras as they just showed up, and it would have been nice to receive a warning or acknowledgement of some kind. I am sure your app is safe, but overly critical users like me want to know when we are giving permissions. Thanks again for the reply, and if you do not mind I will post your response to my blog post so that I represent both sides.

_______________________________________

Their follow-up response:

Hi Mike, the cameras showed up on your App because your phone was on the same internet connection as them. However, you can’t do anything with it or get live view with it if you don’t have the UID and passwords. It’s only to provide convenience when you need to connect them on your phone so that you don’t have to scan them one by one, one more time.

Nobody can tamper with them unless you share your UID and password. I believe it’s permission needed to some extent. Still, thank you for your suggestions and I’ll forward them to our R&D team. As for the blog, I’ve noticed that you’ve got many readers and reactions there. Your blog may somehow lead to misunderstanding about our brand and App for your readers. Since you’re sure our App is safe now, we will truly appreciate it if you can modify it. Thank you so much for your understanding. Please let me know if you need more info.