Navigation

    Community
     reolink reolink  reolink reolink
    • Search
    • Store
    • Community
    • Support
    • Register
    • Login

    P2P/UID Security Vulnerability

    Discussion About Products
    uid p2p vulnerability security reolink app
    3
    8
    167
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • schonuf
      schonuf last edited by schonuf

      Have the vulnerabilities discussed below been fully addressed and fixed? I realize that the UID can be disabled, but if the UID is enabled, have these underlying vulnerabilities been mitigated? Would it be possible to secure the P2P feature with additional security measures like multi-factor authentication or a user-defined verification code along with the UID to access the stream (in addition to the credentials...)? If not, is there a better way to secure this protocol aside from enabling VPN access and blocking its access to the internet? I would very much like to have the push notifications enabled, but not sacrificing privacy and security.

      USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

      An attacker with local network access can obtain a fixed cryptography key which may allow for further compromise of Reolink P2P cameras outside of local network access. CVE-2020-25173 has been assigned to this vulnerability. 

      CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

      The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds. CVE-2020-25169 has been assigned to this vulnerability.

      Reolink Fiona 1 Reply Last reply Reply Quote 0
      • Reolink Fiona
        Reolink Fiona Administrators @schonuf last edited by Reolink Fiona

        @schonuf
        Please don't worry. We have fixed issues with the latest firmware (released in Jan. 2021) for the cameras affected. We have informed CISA about the update already and you may take the advisory as a record of solved vulnerabilities.

        We want to clarify that all sensitive information is secured by & transmitted under hard-coded cryptograhic key. Also, there is no clear-text transmission of sensitive information.

        We treat users' privacy as our priority and we never transmit users' accounts and passwords in any means. We have applied new and more reliable cryptography, Digest Authentication, in the latest firmware for the cameras affected. 

        Anyway, big thanks for letting us know your concern and we will keep delivering good products and reliable services in the future. If you have any questions, feel free to let us know.

        schonuf gastaldelli_529363015250114 2 Replies Last reply Reply Quote 0
        • schonuf
          schonuf @Reolink Fiona last edited by

          Thank you @reolink-fiona for the clarification and fixing the issue with your cameras. Are there any plans to integrate MFA/2FA, verification codes, etc. to further secure the UID/P2P stream?

          Reolink Fiona 1 Reply Last reply Reply Quote 0
          • Reolink Fiona
            Reolink Fiona Administrators @schonuf last edited by

            @schonuf Thank you for your suggestions. I will forward your request to the product team. For the login security, now the camera with the latest AI firmware will be locked for a few seconds after the wrong password. We will seek more ways to secure the P2P or login security.

            schonuf 1 Reply Last reply Reply Quote 0
            • schonuf
              schonuf @Reolink Fiona last edited by schonuf

              @reolink-fiona Is it possible to increase the cool-off period to several minutes rather than seconds when connecting via P2P (upwards of 30-minutes to 60-minutes after repeated fails)?

              Reolink Fiona 1 Reply Last reply Reply Quote 0
              • Reolink Fiona
                Reolink Fiona Administrators @schonuf last edited by

                @schonuf Thank you for the suggestion. I will forward the suggestion to the product team to seek possibilities.

                1 Reply Last reply Reply Quote 1
                • gastaldelli_529363015250114
                  gastaldelli @Reolink Fiona last edited by

                  @reolink-fiona, in your previous response it is not clear if Reolink still uses hardcoded cryptographic keys or not. Could you please confirm if all hardcoded keys have been removed from all protocols and software used by the cameras and NVRs and replaced with secure key exchange?
                  Thank you.

                  Reolink Fiona 1 Reply Last reply Reply Quote 0
                  • Reolink Fiona
                    Reolink Fiona Administrators @gastaldelli last edited by

                    @gastaldelli_529363015250114
                    Hi there, now we have changed to the "digest authentication" to secure the information. Please don't worry. You can keep updated your firmware. We will try to add more secure ways to guarantee safety.

                    1 Reply Last reply Reply Quote 0
                    • 1 / 1
                    • First post
                      Last post
                    Reolink cloud reolink reolink Reolink cloud reolink reolink

                    Reolink Store|Support|About Us|Privacy Policy|Terms and Conditions

                    Copyright 2021 © Reolink All Rights Reserved.