    P2P/UID Security Vulnerability

      schonuf last edited by schonuf

      Have the vulnerabilities discussed below been fully addressed and fixed? I realize that the UID can be disabled, but if the UID is enabled, have these underlying vulnerabilities been mitigated? Would it be possible to secure the P2P feature with additional security measures like multi-factor authentication or a user-defined verification code along with the UID to access the stream (in addition to the credentials...)? If not, is there a better way to secure this protocol aside from enabling VPN access and blocking its access to the internet? I would very much like to have the push notifications enabled, but not sacrificing privacy and security.

      USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

      An attacker with local network access can obtain a fixed cryptography key which may allow for further compromise of Reolink P2P cameras outside of local network access. CVE-2020-25173 has been assigned to this vulnerability. 

      CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

      The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds. CVE-2020-25169 has been assigned to this vulnerability.

          Reolink Fiona @schonuf last edited by Reolink Fiona

          @schonuf
          Please don't worry. We have fixed issues with the latest firmware (released in Jan. 2021) for the cameras affected. We have informed CISA about the update already and you may take the advisory as a record of solved vulnerabilities.

          We want to clarify that all sensitive information is secured by & transmitted under a hard-coded cryptographic key. Also, there is no clear-text transmission of sensitive information.

          We treat users' privacy as our priority and we never transmit users' accounts and passwords by any means. We have applied new and more reliable cryptography, Digest Authentication, in the latest firmware for the cameras affected.

          Anyway, big thanks for letting us know your concern and we will keep delivering good products and reliable services in the future. If you have any questions, feel free to let us know.

            schonuf @Reolink Fiona last edited by

            Thank you @reolink-fiona for the clarification and fixing the issue with your cameras. Are there any plans to integrate MFA/2FA, verification codes, etc. to further secure the UID/P2P stream?

              Reolink Fiona @schonuf last edited by

              @schonuf Thank you for your suggestions. I will forward your request to the product team. For the login security, now the camera with the latest AI firmware will be locked for a few seconds after a wrong password. We will seek more ways to secure the P2P or login security.

                schonuf @Reolink Fiona last edited by schonuf

                @reolink-fiona Is it possible to increase the cool-off period to several minutes rather than seconds when connecting via P2P (upwards of 30 minutes to 60 minutes after repeated fails)?

                  Reolink Fiona @schonuf last edited by

                  @schonuf Thank you for the suggestion. I will forward the suggestion to the product team to seek possibilities.

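The longer cool-off asked for above can be expressed as an escalating lockout: a few free attempts, then a delay that doubles with each further failure up to a 60-minute cap. This is an added example, not Reolink firmware code; the `LoginThrottle` class, the three free attempts and the 5-second base delay are assumptions chosen for illustration.

```python
import time


class LoginThrottle:
    """Per-key (account or source) lockout that doubles with each failure."""

    def __init__(self, free_attempts=3, base=5.0, cap=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts   # failures tolerated before any delay
        self.base = base                     # first lockout, in seconds
        self.cap = cap                       # longest lockout: 60 minutes
        self.clock = clock                   # injectable so tests can move time
        self.state = {}                      # key -> (failures in a row, locked until)

    def remaining(self, key) -> float:
        """Seconds until the key may try again (0.0 when not locked)."""
        _, until = self.state.get(key, (0, 0.0))
        return max(0.0, until - self.clock())

    def attempt(self, key, check_password) -> str:
        """Return 'locked', 'ok' or 'denied'; check_password is a callable."""
        if self.remaining(key) > 0:
            return "locked"                  # rejected without evaluating the password
        if check_password():
            self.state.pop(key, None)        # success clears the failure streak
            return "ok"
        failures = self.state.get(key, (0, 0.0))[0] + 1
        extra = failures - self.free_attempts
        # 5 s, 10 s, 20 s ... capped; the exponent is bounded to avoid overflow
        delay = min(self.cap, self.base * 2 ** min(extra, 20)) if extra >= 0 else 0.0
        self.state[key] = (failures, self.clock() + delay)
        return "denied"


if __name__ == "__main__":
    now = [0.0]                              # constructed clock for the demo
    throttle = LoginThrottle(clock=lambda: now[0])
    for n in range(1, 14):
        throttle.attempt("admin", lambda: False)
        wait = throttle.remaining("admin")
        print(f"failure {n:2d}: locked for {wait:6.0f} s")
        now[0] += wait
```

With these settings the thirteenth consecutive failure reaches the 60-minute cap. Keying the lockout on the account alone lets anyone who can reach the login lock the owner out, so the key is left to the caller.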
                    gastaldelli @Reolink Fiona last edited by

                    @reolink-fiona, in your previous response it is not clear if Reolink still uses hardcoded cryptographic keys or not. Could you please confirm if all hardcoded keys have been removed from all protocols and software used by the cameras and NVRs and replaced with secure key exchange?
                    Thank you.

                      Reolink Fiona @gastaldelli last edited by

                      @gastaldelli_529363015250114
                      Hi there, now we have changed to the "digest authentication" to secure the information. Please don't worry. You can keep your firmware updated. We will try to add more secure ways to guarantee safety.
