-
So I have posted before about getting some more Reolink products namely the RLN36 so I can hopefully transition from a power hungry blue iris server to a new platform. Well I purchased a RLN36 and got around to hooking it up tonight.
All of my cameras are paired with blue iris and every single Reolink camera went offline the second I turned on the new NVR. I can't access the cameras individually from the mobile app or web browser. I am about to try and shut the NVR down and see what happens but the fact this happened at all is disturbing. Yes there is no 100% certain way to guard an independent VLAN with wires going into the field. So what you are telling me is that someone only has to purchase a Reolink NVR and either attach it physically or gain access to a wifi network on the same VLAN and completely cripple a system? Why is this a thing? This is a major security flaw.
Meanwhile there seems to be no option for me to add cameras remotely to the thing. So I have to physically drag a monitor out to where I have it hooked up and configure each camera with that little mouse the thing came with???
-
@user_612681119584296_612681119584296
Looking at the logs it has apparently provided a different IP address, login, and passcode to each camera. I never gave the NVR credentials to connect to them? This is a major security issue!!!! There should never be a feature on any manufacturer's cameras that allows a device to bypass DHCP and reassign IP addresses to the thing without the login and password from the admin. Luckily it resets the cameras when you power cycle the POE port but it still does not change the fact that plugging the device into the network completely overrides the user name and password and changes the IP address.
So, what protocol is the NVR using to do this? Other than just plugging up a reolink NVR to a network of reolink cameras what command can someone on the network send to the cameras to just cause this? Is there a way to turn this off and when are you all planning on releasing firmware upgrades to fix this giant security flaw?
Also, I am glad my camera VLAN is airgapped because this flaw could be used to remotely disable cameras too. Someone really screwed the pooch on this one. -
@user_612681119584296_612681119584296
Hi there, I would like to explain something to you.
The NVR and the connected cameras are one. So if you want to view the cameras on the APP/Client, you just need to connect the NVR using the NVR UID.
If you want to connect the NVR camera as a standalone camera, you can connect the PoE switch to the same router as the NVR instead of connecting the switch directly to the NVR. In this way, you can add the cameras to the APP individually.
If you set the password for the individual camera first and then connect it to the NVR, you need to input the password of the camera on the NVR monitor. You can also set the password for the NVR. Guide to set the NVR password: https://support.reolink.com/hc/en-us/articles/900000665623-How-to-Enable-Disable-Password-via-Reolink-PoE-NVR
You can let me know if you have any questions. -
@reolink-fiona
That isn't my issue. The thing is connected fine. I have a VLAN just for my camera system and that's where I connect the NVR to one of the POE ports because it is isolated from the home network VLAN. I then connect the LAN port on the NVR to my home network. That part is fine and I could configure the cameras individually if I want to but there should be a way to do it remotely.
My issue is the major security flaw with the cameras. They all have different passwords and specific network IP addresses I have set for them. However, when I plug in a brand new NVR with none of my credentials on them it still manages to override the settings on the camera and bypass my DHCP server, changing the IP address of each camera to something outside of what I want it to be at. This is a major security flaw. These cameras should have no ability to reassign IP addresses without a user name and password. In their current state someone could go to any house or business with a reolink camera installed and simply unplug a camera or gather some other physical access to the system and take over the entire camera system. This is a major flaw. -
I guess we are not going to get an answer to the issue about the security flaw in your cams? -
@user_612681119584296_612681119584296
Still going on another month and no reply. No acknowledgement of the security flaw. An off the shelf NVR was connected to the same VLAN as my REOLINK cameras and took every single one of them offline and assigned them new IP addresses.
This was despite the fact they already had assigned IP addresses on the network.
This is a classic man in the middle attack. All new REOLINK cameras are susceptible to this. -
@user_612681119584296_612681119584296
If your cameras are plugged into the POE ports of the NVR, they are getting their IPs from the NVR, not your DHCP server. Those IPs will not be routed beyond the NVR (without actually configuring the static routing on your router or layer 3 switch correctly). You can still have your NVR on a VLAN and all those cameras would still be behind that VLAN, just not accessible directly by the individual IPs.
As for just plugging in a new NVR and it taking over your cameras without setting a password, I have never experienced that. (Unless I never set up a password on the cameras to begin with.) In fact, I hate that I have to go to the NVR physically in order to input the username/password of each camera in order to add the cameras to the NVR at all. (I do not use the POE ports on the NVR, I have a separate POE switch and VLANs in order to have more control over my system.)
This seems to be the standard configuration for NVRs as it's the same thing I had to do with my older Hikvision system. -
@ks so I found out some more stuff. Apparently, yes the NVR will basically do a man in the middle attack if you connect it to a network using DHCP. Even though the lease has not expired and the NVR is not the DHCP server. I can plan for that and that is basically a preventable thing. The safest thing would be to set up the network only to allow certain MACs. Yes you can get around that but whatever.
I have basically had the NVR sitting until I could figure this stuff out. I have to give a class tomorrow on very basic video recovery from DVRs and NVRs. I hooked up my unconfigured RLN36 thinking it would be perfect since the last few DVR/NVRs I have seen have been Reolink. I get a flicker of the power LEDs and nothing on the display. Recently, I had someone bring in an HD connected to a big box unit that would not spin up. In that case they had an improper 19v PSU plugged into a 12v system. I checked the PSU that came with mine and it was a 56V power supply. Hooked a 12v one in and everything booted up fine. So good on Reolink for having voltage protection. The only thing I can think was they sent the 56v PSU with the NVRs not realizing they are not POE.
So, I am going to give a really good class tomorrow about what to expect to find and not find with NVR/DVR setups. -
@user_612681119584296_612681119584296
I am still looking into this. I brought up the NVR on about a 300 inch screen today and showed some folks the basic workings of an NVR. I looked at a few settings and I think I can fix the problem with my NVR taking over the cameras and not being able to access them from other NVRs. That being said I think I need to add each camera a static IP not only in the GUI for each camera but in the DHCP server. Shouldn't be like that but again you shouldn't be able to plug up one thing and take over everything with a certain name brand. As far as the power supply I don't know it is a POE power supply that I would like to explain by someone picking one up and bringing the wrong one back but I have the proper 12v one plugged in now. We will see. -
@user_612681119584296_612681119584296
I think I might have gotten to the bottom of the 56v PSU too. I think someone might have picked up the 12v one and then inadvertently returned the 56v one. Can't say that for sure though but having that there to begin with could explain some configuration issues I had getting to the NVR via the network. I will probably configure the thing tonight if I get some spare time. We will see. -
@user_612681119584296_612681119584296
Well that just sounds like you had two DHCP servers running. Turning the DHCP server setting off on the NVR should have fixed it. The NVR might have some proprietary protocol they send out for discovery with Reolink cameras which also trips a new DHCP lease for priority but that is just an assumption. You don't need a login to the camera for that and that's just normal layer 2 stuff. When it gets a new IP that wasn't reserved yeah your old system would lose its feed because it would be looking for the wrong address.
No security breach on Reolink's end as far as I'm concerned. This is a rogue DHCP server which is a separate issue if I'm understanding your statement correctly. That is a network security issue and where you'd need to start looking at DHCP snooping and the like for your switching or perhaps sticky port security for your VLANs. Not something I'd be super bothered with in a home system though.
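
The last reply names DHCP snooping as the network-side control for a second DHCP server on the camera VLAN. As an added example that is not part of the thread, here is the same check done passively in Python: it parses captured DHCP payloads and lists every OFFER/ACK whose server identifier (option 54) is not an authorized server. The function names, addresses and MAC are constructed for the example and are not values from the thread or from any Reolink device.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 message types that only servers send

def parse_reply(payload):
    """Return (msg_type, server_id, offered_ip, client_mac), or None if not valid DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    offered = str(ipaddress.IPv4Address(payload[16:20]))  # yiaddr field
    mac = payload[28:34].hex(":")                         # chaddr field (Ethernet)
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:         # 255 = end option
        if payload[i] == 0:                               # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                   # truncated option
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if len(opts.get(53, b"")) != 1 or len(opts.get(54, b"")) != 4:
        return None
    return opts[53][0], str(ipaddress.IPv4Address(opts[54])), offered, mac

def rogue_replies(payloads, allowed_servers):
    """List (server_id, offered_ip, client_mac) for replies from unauthorized servers."""
    hits = []
    for p in payloads:
        r = parse_reply(p)
        if r and r[0] in (OFFER, ACK) and r[1] not in allowed_servers:
            hits.append(r[1:])
    return hits

def build_reply(msg_type, server, offered, mac):
    """Construct a minimal DHCP reply payload (sample data for this example only)."""
    hdr = bytes([2, 1, 6, 0]) + bytes(12) + ipaddress.IPv4Address(offered).packed
    hdr += bytes(8) + bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(192)
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.IPv4Address(server).packed + b"\xff"
    return hdr + MAGIC + opts

# Constructed sample: 192.168.50.1 is the authorized server; a second device answers too.
SAMPLE = [
    build_reply(OFFER, "192.168.50.1", "192.168.50.21", "aa:bb:cc:00:00:01"),
    build_reply(OFFER, "172.16.25.1", "172.16.25.2", "aa:bb:cc:00:00:01"),
    build_reply(ACK, "172.16.25.1", "172.16.25.2", "aa:bb:cc:00:00:01"),
]
```

Calling `rogue_replies(SAMPLE, {"192.168.50.1"})` reports the two replies from the second server; on a live network the payloads would come from a capture of UDP ports 67/68 on the camera VLAN.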
RLN36 Kills all my cameras. Major security flaw found!