Concerns about Reolink Camera Access Security
-
I have developed some security type concerns over several new cameras I've purchased.
1. After registering all of my cameras on the Reolink website for warranty, I began to wonder why the camera’s UID was needed for the registering when the Serial Number is already available. Isn’t the product-UID used to access the device from OUTSIDE of your home’s LAN? Then I realized that there doesn’t seem to be a way to edit and remove those UID numbers from the Reolink website. How can I remove these numbers off of the Reolink website where they are recorded?
2. After I had purchased a new Duo3 and connected it up to my home network, shortly after that my network security (provided by AT&T) blocked an attempt that it made to access an outside IP address at 129.146.110.167. Why in the world would my camera be trying to “phone home” (or whatever it was doing out there)? I have not set up any kind of cloud service for it to use. What is going on here?0View 6 replies-
Almost every "Internet of Things" device that I am aware of opens a connection to the manufacturer cloud so that the smartphone app can communicate with the device. (smart plugs, cameras, garage door openers, light bulbs, etc. In order to access a Reolink camera from the internet using the Reolink app, the user has to have (a) the UID, and (b) the camera password.
Fascinating that the AT&T system identifies the specific device which opened a connection to a remote IP address. Was there a specific "alert" about this specific connection (as opposed to the thousands of other connections made all day long by other devices)? -
@Drive Mad: I'm thinking this too! I have been interested in this camera for a long time and now have the opportunity to own one. What you said is exactly what I'm worried about, didn't set up any cloud service but still.
-
@user_867198496854215_867198496854215 just search my posts on P2P relay servers and you will find everything.
-
@wisemanjaw
I have a RLN12W that has 10 cameras attached to it. Some WiFi, some PoE (including two of each Duo2 (WiFi) and Duo3 (PoE)). The RLN12W has an option to disable the "IoT" which may address your concern. Not sure about the other NVRs Reolink offers, but I would assume that almost all of them would have the option directly on the NVR. My RLA-PS1 does not have this option, as it is a passive device. I can not disable this from my desktop Client or iPhone app.
The other option would be to disconnect whatever you're using as a "hub" from the internet. I have heard of others do this and something I've considered myself in my use case.
Is there a way to disable this directly from the camera, if you do not use a specific hub (such as in the case where you are using a microSD card instead of an NVR)? -
I have tried to respond to your question but everything keeps getting rejected. What gives?
-
@wisemanjaw This is obviously an important issue in these modern scary times. It seems to me that we have to take quite a bit on trust. There are three scenarios I have come up with:
- Do not connect your cameras and other connected devices to the internet - set up a VLAN for them which cannot get to the internet. Or alternatively block every individual device in the router (based on its MAC address) if it has that functionality.
- Allow the devices to connect to the internet in which case you can access them from anywhere using their UIDs, which is undoubtedly very convenient. Ensure that the username and password are BOTH changed from the default settings and the default "admin" user is disabled. The safety of this scenario depends on trusting that Reolink do not surreptitiously upload the username and password you have set to their "DDNS" or relay system and then make use of them. Hopefully this is not the case.
- Do not change the default settings for username and password (much harder for this to happen now for newer devices that the EU has mandated that this should happen automatically when the camera is first set up) and then your cameras are less secure but this still depends on someone finding out the UID. This could however be achieved through randomly trying UIDs, although hard to target any individual this way.
It is pretty certain that the access to 129.146.110.167 would be for the purposes of registering the IP address which corresponds to the UID. -
user_846994761957606 I had the same problem - this board has a ridiculous limitation on how often you can post (only once every 24 HOURS!) which is undoubtedly more inconvenient for legitimate posters than serving any purpose to stop illegitimate ones.
-
@nick_26792935116 I have already told them but they limit this due to scams. At Reddit there is no issue how often you post and it is more lively.... I am there too but not as a moderator despite that I am the most technically qualified :).
Moreover there are lots of active users who provide support and sometimes the complaints raised are quite interesting. Here..........a few replies.
So if you have a complain raise it in Reddit.
-
-
I believe for Reolink their "Cloud Service" refers to the ability to store video recordings "in the cloud", in addition to on an SD card in the physical camera. (If someone steals the camera, the SD card is no longer accessible.)
As far as I am aware, the only way to prevent Internet of Things devices from opening an internet connection is to block them at the customer router. Some home routers have an option to "Block Services", which prevents specific devices from using the internet.
