
Reolink APP Security Concern?

***Please see the update at the end of the article***

I have been a fan of Reolink IP cameras for years and recently experienced something that was a bit disturbing to me and wanted to draw attention to it. I often do my own hardware reviews for my blog and while testing the new Argus wireless camera, I ran across an issue that left me a bit puzzled, not to mention concerned. As the Argus is a standalone battery-operated camera, it requires an iOS/Android app to set up and configure. After loading the app I was not very surprised when the app pulled up all my other Reolink cameras that are connected to my internal network. However, what surprised me was the app could detect and communicate with all the cameras even when I was outside of my network without any configuration or setup on my part. I had not created any account or forwarded any ports, no UPnP, and I have used custom ports on each camera to avoid defaults. I was completely surprised how this app could set up a connection to access cameras on a locked down internal network from outside without me knowing about it or giving it permission to do this. All the ports I have used for the cameras are closed and route directly to Blue Iris camera software on a standalone PC. If I try to access the cameras directly from a browser outside my network they are blocked, but yet “all” show up when using the app. As I use Sophos XG as my firewall, it was trivial to block these devices once I discovered the issue. What was concerning to me is that by simply installing this app on my iPhone it allowed communication to and from all my Reolink cameras on my internal network without my knowledge or consent. I am certainly not a security expert but this seems like a very bad idea. I did some additional testing selectively blocking each camera with my firewall, but it still allowed the remaining cameras to connect and communicate independently, meaning that each camera can establish an independent connection through the app on its own. We wonder why we have DDoS attacks.
I will probably replace all my Reolink cameras in the near future as budget permits but in the meantime, I have blocked all my Reolink cameras on my firewall and only access them through VPN/Blue Iris. I hope there is a logical and reasonable explanation for this but in the interim, I thought it was important to share this with everyone. If you do have a Reolink product, make sure you check it carefully and that you block these devices from external communication. I certainly hope the folks at Reolink fix this in the near future or risk losing a couple of customers like me along the way.


Update 8/27/17

I was contacted by Reolink tech support and below is the extract of our conversation. I appreciate their quick response and clarification on this. Though I still have some questions about how this was all set up, I do respect their response and the level of customer service. A special thanks to the team at Reolink that responded.

_______________________________________

Hello Mike, so sorry for the misunderstanding caused. The only reason why you can access the cameras outside your network lies in that you’ve configured those cameras in the App when you were in the internal network. Nobody can access your cameras outside the network unless you share the UID with them. If you still have doubts on this issue, it’s recommended to try to access those cameras outside your network with another smartphone that hasn’t accessed those cameras before. Hope this clarifies your questions. For any question, please don’t hesitate to contact our support team at support@reolink.com. Thanks!

My Response (8/27/17): Thanks for the reply and explanation. I did verify your statements; however, my suggestion is that a few more warnings be put in when setting up the software. I did not choose to add the other cameras as they just showed up and it would have been nice to receive a warning or acknowledgement of some kind. I am sure your app is safe but overly critical users like me want to know when we are giving permissions. Thanks again for the reply and if you do not mind I will post your response to my blog post so that I represent both sides.

_______________________________________

Their follow-up response:

Hi Mike, the cameras showed up on your App because your phone was on the same internet connection with them. However, you can’t do anything with it or get live view with it if you don’t have the UID and passwords. It’s only to provide convenience when you need to connect them on your phone so that you don’t have to scan them one by one, one more time. Nobody can tamper with them unless you share your UID and password. I believe it’s permission needed to some extent. Still, thank you for your suggestions and I’ll forward them to our R&D team. As for the blog, I’ve noticed that you’ve got many readers and reactions there. Your blog may somehow lead to misunderstanding about our brand and App for your readers. Since you’re sure our App is safe now, we will truly appreciate it if you can modify it. Thank you so much for your understanding. Please let me know if you need more info.

August 28th, 2017 (last modified 2018-01-04) | iOS Apps, Security, Software | 1 Comment

About the Author:

I am an enthusiast with more than 25 years of experience and passion in computer technology. For the past 10 years I have been drawn to home theater, media distribution, portable devices, and home storage solutions. I strive to stay current in consumer technology and I am constantly experimenting with different products and philosophies to achieve the best results. I spend most of my free time trying, testing, and experimenting with various hardware and software products and endeavor to pass on whatever I learn to others.

One Comment

  1. DanO 05/18/2018 at 3:20 PM

    Great article. I ran across this when I was setting up my Reolink camera. I was concerned when I downloaded the Reolink app on my phone to connect to my camera. I then turned off wifi on my phone so I knew it was not connected to the internal network. I then scanned the QR code on the camera, and it immediately registered the camera and showed me the views – even though I never authenticated and wifi was still turned off. So I am wondering if you know how, with wifi turned off, the app worked and (must have known) to direct my request via an external network to my camera. My suspicion is when I registered the camera on the desktop REO client (which I had done first on the internal network), it sent the external IP address to Reolink saying this camera exists at this external IP. Any thoughts?
