Halloween Sale Is Here
Flash Sale Today!
Duo 2 Firmware Update and Tips: Better AI Detection & Email Alerts
APP v4.34 Update: Add Tracking Range & Fix Sensitivity Bug
Reolink Camera API User Guide_V7 (Update in Sept 2022)
TrackMix New Firmware Update: Auto-Tracking Range & Tracking Schedule
Have the vulnerabilities discussed below been fully addressed and fixed? I realize that the UID can be disabled, but if the UID is enabled, have these underlying vulnerabilities been mitigated? Would it be possible to secure the P2P feature with additional security measures like multi-factor authentication or a user-defined verification code along with the UID to access the stream (in addition to the credentials...)? If not, is there a better way to secure this protocol aside from enabling VPN access and blocking its access to the internet? I would very much like to have the push notifications enabled, but not sacrificing privacy and security.
An attacker with local network access can obtain a fixed cryptography key which may allow for further compromise of Reolink P2P cameras outside of local network access. CVE-2020-25173 has been assigned to this vulnerability.
The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds. CVE-2020-25169 has been assigned to this vulnerability.
@schonuf Please don't worry. We have fixed issues with the latest firmware (released in Jan. 2021) for the cameras affected. We have informed CISA about the update already and you may take the advisory as a record of solved vulnerabilities.We want to clarify that all sensitive information is secured by & transmitted under hard-coded cryptograhic key. Also, there is no clear-text transmission of sensitive information.We treat users' privacy as our priority and we never transmit users' accounts and passwords in any means. We have applied new and more reliable cryptography, Digest Authentication, in the latest firmware for the cameras affected. Anyway, big thanks for letting us know your concern and we will keep delivering good products and reliable services in the future. If you have any questions, feel free to let us know.
Thank you @reolink-fiona for the clarification and fixing the issue with your cameras. Are there any plans to integrate MFA/2FA, verification codes, etc. to further secure the UID/P2P stream?
Hi there! Join the Commnunity to get all the latest news, tips and more!