Navigation

    Home
    All Categories
    • KEEN Trail Camera
    • Announcements and News
    • Wishlist
    • #ReolinkTrial
    • Discussion About Products
    • Reolink Captures
    • Reolink Client & APP
    #ReolinkTrial
    Reolink Captures
    Log in to post
    Guest
    • Guest
    • Register
    • Login

    Halloween Sale Is Here

    Learn More

    Flash Sale Today!

    Learn More

    Duo 2 Firmware Update and Tips: Better AI Detection & Email Alerts Learn More

    APP v4.34 Update: Add Tracking Range & Fix Sensitivity Bug Learn More

    Reolink Camera API User Guide_V7 (Update in Sept 2022) Learn More

    TrackMix New Firmware Update: Auto-Tracking Range & Tracking Schedule Learn More

    P2P/UID Security Vulnerability

    Discussion About Products
    uid p2p vulnerability security reolink app
    3
    8
    662
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • schonuf
      schonuf last edited by schonuf

      Have the vulnerabilities discussed below been fully addressed and fixed? I realize that the UID can be disabled, but if the UID is enabled, have these underlying vulnerabilities been mitigated? Would it be possible to secure the P2P feature with additional security measures like multi-factor authentication or a user-defined verification code along with the UID to access the stream (in addition to the credentials...)? If not, is there a better way to secure this protocol aside from enabling VPN access and blocking its access to the internet? I would very much like to have the push notifications enabled, but not sacrificing privacy and security.

      USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

      An attacker with local network access can obtain a fixed cryptography key which may allow for further compromise of Reolink P2P cameras outside of local network access. CVE-2020-25173 has been assigned to this vulnerability. 

      CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

      The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds. CVE-2020-25169 has been assigned to this vulnerability.

      Reply Quote
      Share
      • Share this Post
      • Facebook
      • Twitter
      • copy the link
        Copied!
       0
        • Reolink Fiona
          Reolink Fiona Administrators @schonuf last edited by Reolink Fiona

          @schonuf
          Please don't worry. We have fixed issues with the latest firmware (released in Jan. 2021) for the cameras affected. We have informed CISA about the update already and you may take the advisory as a record of solved vulnerabilities.

          We want to clarify that all sensitive information is secured by & transmitted under hard-coded cryptograhic key. Also, there is no clear-text transmission of sensitive information.

          We treat users' privacy as our priority and we never transmit users' accounts and passwords in any means. We have applied new and more reliable cryptography, Digest Authentication, in the latest firmware for the cameras affected. 

          Anyway, big thanks for letting us know your concern and we will keep delivering good products and reliable services in the future. If you have any questions, feel free to let us know.

          Reply Quote
          Share
          • Share this Post
          • Facebook
          • Twitter
          • copy the link
            Copied!
           0
          • schonuf
            schonuf @Reolink Fiona last edited by

            Thank you @reolink-fiona for the clarification and fixing the issue with your cameras. Are there any plans to integrate MFA/2FA, verification codes, etc. to further secure the UID/P2P stream?

            Reply Quote
            Share
            • Share this Post
            • Facebook
            • Twitter
            • copy the link
              Copied!
             0
            View 5 replies
          • First post
            Last post
          All Categories
          Announcements and News Reolink Client & APP Discussion About Products #ReolinkTrial Reolink Captures Wishlist KEEN Trail Camera
          Never miss Reolink hot deals, news, and updates tailored for you.

          Thanks for your subscription!

          Please enter a valid email address.

          Oops… Something went wrong. Please try again later.

          You are already subscribed to this email list. :)

          Submission failed. Please try again later.

          Reolink Store|Support|About Us|Privacy Policy|Terms and Conditions

          Copyright 2022 © Reolink All Rights Reserved.

          Welcome Back!

          Hi there! Join the Commnunity to get all the latest news, tips and more!

          Join Now