    Major security flaw in ALL new model Reolink cameras.

    • user_612681119584296_612681119584296
      KogaShuko last edited by user_612681119584296_612681119584296

      As I explained in this thread that is now being ignored...

      https://community.reolink.com/topic/4446/rln36-kills-all-my-camers-major-security-flaw-found?post_id=18907&_=1673150083648

      I purchased a new NVR system. All of my cameras were on a dedicated VLAN and have specific IP addresses plugged in. I purchased the NVR as a backup and hopefully a replacement for my power hungry Blueiris NVR. I powered the thing on and connected it to my dedicated VLAN. One by one every recent REOLINK branded camera went dark despite the device not having a user name and password for any of them. All of them had a static DHCP address assigned but yet this off the shelf NVR hijacked all of them and took them offline.

      I get that it makes the system easier to configure cameras for new people, but there has to be an option to turn this feature off. It has to use a workaround to take over the cameras. I keep replying to the original thread and I have stopped getting responses. If I can hook up a $200 NVR to a system with cameras having passwords and they simply roll over and change their IPs then it is very easy to conclude people can exploit this issue.

      If you aren't going to fix it, at least explain which port I need to block to prevent someone from sending a command and completely circumventing my configuration.

        • joseph_1979
          Joseph Global Moderator @KogaShuko last edited by

          @user_612681119584296_612681119584296 When the Reolink NVR is switched on it will automatically scan the network for any Reolink camera using a proprietary protocol and if DHCP is on it will assign them an IP. Have you emailed Reolink support?

          • user_612681119584296_612681119584296
            KogaShuko @Joseph last edited by

            @joseph-chircop_497308027822318

            It should not be able to take over the cameras. Reolink support has responded to my above thread.

            Will manually setting the IP address on the camera fix this problem? Because if the device has an address from DHCP it should not change unless the DHCP server that set it changes it. This is essentially imitating a man-in-the-middle attack but the cameras are designed to let it happen. I just want an option to cut it off. The chances of a person exploiting this are low, i.e. if they gain physical access to an Ethernet cable they could just feed it 96v DC and probably force shut down most PoE switches. But I really would like to eliminate it.

            • joseph_1979
              Joseph Global Moderator @KogaShuko last edited by joseph_1979

              @user_612681119584296_612681119584296 How did you connect the NVR? You should have connected it to the router so that it will take the IP from the router.

              • bits_67665092824
                bits @KogaShuko last edited by bits_67665092824

                @user_612681119584296_612681119584296

                Reolink have a proprietary protocol for NVR auto-assigning IPs that the cameras prefer over DHCP.
                Having multiple IP-assigning servers on the same network will always cause issues.
                All devices configured for DHCP are prone to IP reassignment unless a layer 3 switch with an effectively configured security policy is in use.
                Your assumptions that any client is safe from another DHCP server getting connected to a network are misled.
                The non-Reolink devices were unimpacted this time because the Reolink NVR does not run a DHCP server, it is proprietary.

                For mixed network connection allowing for direct network access to individual cameras, aka allow bypassing the NVR:
                Static assign the cameras to prevent your issue. And only connect the NVR's WAN port to your network.

                For isolated camera only network where individual cameras are unreachable from data network aka only connect via NVR:
                Plug 1 (or more) of the 4 NVR LAN ports towards your camera only VLAN and let the NVR manage the cameras as Reolink suggest in the FAQ for the device.

                PS it appears Reolink have misleading WAN/LAN names in some docs I found. Although I do not have the 36 channel device myself the WAN will be the single port. The LAN will be the 4 ports.

                Regarding the passwords, I have always found recent Reolink NVRs assume a username of admin and a password of blank.
                Many years ago I believe Reolink NVRs expected passwords like admin/12345 and admin/123456.
                It will auto log in to cameras with admin/<blank>.
                The NVR does not change the camera passwords from that, they remain as admin/<blank>.
                If cameras have had their password changed, local on NVR will simply show invalid password for the channel.

                What password do you believe the NVR has changed the cameras to? The NVR's password?
                I have never seen that behaviour from my Reolink NVRs.




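An added example, not part of any post in this thread: the thread describes cameras leaving their assigned addresses once a new device joins the camera VLAN, and this sketch shows one way to detect that by comparing a MAC-to-IP inventory with the Linux neighbour table. The MAC addresses, IP addresses and interface name are constructed, and the sample text stands in for real `ip neigh show` output.

```python
import re

# Constructed inventory: camera MAC -> the address it was assigned.
EXPECTED = {
    "02:00:00:aa:bb:01": "192.168.50.11",
    "02:00:00:aa:bb:02": "192.168.50.12",
    "02:00:00:aa:bb:03": "192.168.50.13",
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.50.11 dev eth0.50 lladdr 02:00:00:aa:bb:01 REACHABLE
172.16.25.4 dev eth0.50 lladdr 02:00:00:aa:bb:02 STALE
192.168.50.13 dev eth0.50  FAILED
192.168.50.40 dev eth0.50 lladdr 02:00:00:cc:dd:09 REACHABLE
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev \S+\s+(?:lladdr (?P<mac>[0-9a-fA-F:]{17})\s+)?(?P<state>[A-Z]+)$"
)

def parse_neigh(text):
    """Return {mac: set(ips)} for entries that resolved to a MAC."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or not m["mac"] or m["state"] in ("FAILED", "INCOMPLETE"):
            continue  # unresolved entries carry no MAC to compare
        seen.setdefault(m["mac"].lower(), set()).add(m["ip"])
    return seen

def find_drift(expected, neigh_text):
    """Return findings as (kind, mac, expected_ip, observed_ip) tuples."""
    seen = parse_neigh(neigh_text)
    findings = []
    for mac, want in sorted(expected.items()):
        got = seen.get(mac, set())
        if not got:
            findings.append(("missing", mac, want, None))
        for ip in sorted(got - {want}):  # camera answers on another address
            findings.append(("moved", mac, want, ip))
    for mac, ips in sorted(seen.items()):
        if mac not in expected:  # e.g. a newly connected NVR
            findings.append(("unknown-device", mac, None, sorted(ips)[0]))
    return findings

if __name__ == "__main__":
    for kind, mac, want, got in find_drift(EXPECTED, SAMPLE_NEIGH):
        print(f"{kind:15} {mac} expected={want} observed={got}")
```

Run from a host on the camera VLAN on a schedule, a "moved" or "unknown-device" finding is the signal that something other than the intended address plan is now in control.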