As I explained in this thread that is now being ignored... https://community.reolink.com/topic/4446/rln36-kills-all-my-camers-major-security-flaw-found?post_id=18907&_=1673150083648 I purchased a new NVR system. All of my cameras were on a dedicated VLAN and have specific IP addresses plugged in. I purchased the NVR as a backup and hopefully a replacement for my power-hungry Blueiris NVR. I powered the thing on and connected it to my dedicated VLAN. One by one every recent REOLINK branded camera went dark despite the device not having a user name and password for any of them. All of them had a static DHCP address assigned but yet this off-the-shelf NVR hijacked all of them and took them offline. I get that it makes the system easier to configure cameras for new people to, but there has to be an option to turn this feature off. It has to use a workaround to take over the cameras. I keep replying to the original thread and I have stopped getting responses. If I can hook up a $200 NVR to a system with cameras having passwords and they simply roll over and change their IPs then it is very easy to conclude people can exploit this issue. If you aren't going to fix it, at least explain which port I need to block to prevent someone from sending a command and completely circumventing my configuration.
@user_612681119584296_612681119584296 When the Reolink NVR is switched on it will automatically scan the network for any Reolink camera using a proprietary protocol and if DHCP is on it will assign them an IP. Have you emailed Reolink support?
@joseph-chircop_497308027822318 It should not be able to take over the cameras. Reolink support has responded to my above thread. Will manually setting the IP address on the camera fix this problem? Because if the device has an address from DHCP it should not change unless the DHCP server that set it changes it. This is essentially imitating a man-in-the-middle attack but the cameras are designed to let it happen. I just want an option to cut it off. The chances of a person exploiting this are low, i.e. if they gain physical access to an Ethernet cable they could just feed it 96v DC and probably force shut down most PoE switches. But I really would like to eliminate it.
@user_612681119584296_612681119584296 How did you connect the NVR? You should have connected it to the router so that it will take the IP from the router.
@user_612681119584296_612681119584296 Reolink have a proprietary protocol for NVR auto-assigning IPs that the cameras prefer over DHCP. Having multiple IP-assigning servers on the same network will always cause issues. All devices configured for DHCP are prone to IP reassignment unless a layer 3 switch with an effective configured security policy is in use. Your assumptions that any client is safe from another DHCP server getting connected to a network are misled. The non-Reolink devices were unimpacted this time because the Reolink NVR does not run a DHCP server, it is proprietary.

For mixed network connection allowing for direct network access to individual cameras, aka allow bypassing the NVR: Static assign the cameras to prevent your issue. And only connect the NVR's WAN port to your network.

For isolated camera-only network where individual cameras are unreachable from the data network, aka only connect via NVR: Plug 1 (or more) of the 4 NVR LAN ports towards your camera-only VLAN and let the NVR manage the cameras as Reolink suggest in the FAQ for the device.

PS it appears Reolink have misleading WAN/LAN names in some docs I found. Although I do not have the 36 channel device myself, the WAN will be the single port. The LAN will be the 4 ports.

Regarding the passwords, I have always found recent Reolink NVRs assume a username of admin and a password of blank. Many years ago I believe Reolink NVRs expected passwords like admin/12345 and admin/123456. It will auto log in to cameras with admin/<blank>. The NVR does not change the camera passwords from that, they remain as admin/<blank>. If cameras have had their password changed, local on NVR will simply show invalid password for the channel. What password do you believe the NVR has changed the cameras to? The NVR's password? I have never seen that behaviour from my Reolink NVRs.