How does the Reolink UID actually WORK?

justin_87388068069621

Hello,
Doing some searching, I have the identical concern this gentlemen does:
https://thedocsworld.net/reolink-security-concern/

Prior to finding this article, I realized it's indeed the UID allowing external access to my system. By disabling the UID, it caused the app to no longer function, which I then manually set up via the IP and TCP port *I* configured in my router's port forwarding .

What I can't seem to find is HOW the UID function actually works? How is my NVR establishing external, two-way communication with my iPhone via the UID? I had not opened/forwarded any ports and it just 'worked.' Is the NVR unknowingly communicating (sending video) via Reolink's cloud? What is the 'system' that the UID is actually UNIQUE on??

Think about it: If we HAVE security cameras in the first place, we ARE a security-conscious bunch. I NEED to know EXACTLY how this works for me to feel comfortable with this system. And SOON.

Thank you,
Justin

Crimp On_62210811129

My understanding is "yes, the Reolink devices (cameras, NVR) open IP connections to the Reolink cloud servers." Once a connection is opened "outbound", it is open for return traffic from that IP. Like, when you connect to a web site, that web site can send packets back to you. The unique user name and pa*sword are used to look up the connection to a particular UID that is a*sociated with that customer. Port forwarding allows anyone, anywhere to attempt to connect to your cameras. The only thing stopping them is knowing the user name/pa*sword for the camera. (Just like they need to know the user name/pa*sword for the Reolink app.)

I would email the question to "support@reolink.com", rather than asking Community members. We users have opinions, whereas the support staff are usually pretty knowledgeable.

People who are "totally paranoid" about security do not register their cameras using UID, and probably do not set up port forwarding. They either do not allow access from outside their LAN, or they set up VPN's to tunnel into their network.

Carl_31331526639

Hi Justin, about the remote accessing on Reolink products. We provide the UID (based on P2P) for users to make it easy to use. You may just connect the cameras/NVRs to the Internet and log in them via the UID with your username/pa*sword. For the P2P, please refer to here. And the UID uses the random UDP ports on the network. If you don't need that, you may just disable it and set the port forwarding by yourself. But we hope to provide users with a convenient way to use the cameras/NVRs, users needn't know how it works or worry about the security issue. We used the private protocol and also has the encryption from the AWS to protect your data safety. Also, our server won't save any private data from users. If you still have any questions, feel free to contact us at https://support.reolink.com/hc/en-us/requests/new. Have a nice day!

melroy

Sorry it's an old topic, but still relevant today and unanswered. Also high in the search results.

Reolink should indeed do a better job explaining their "UID" mechanism / P2P system. Which is actually contacting the Amazon cloud. Using a technique called "hole punching" through the firewall, without the users knowing.

This is very dangerous, so you should ideally put your camera within a separate VLAN. Reolink, please just be more transparent about your products.

Another option I found is to basically disable P2P by unchecking "Enable UID" within: Settings-> Network Settings -> Advanced -> Enable UID.

After more searching, I finally found this article from Reolink: https://reolink.com/blog/p2p-ip-camera/

@Reolink If I disabled UID feature, can I still enable port forwarding manually when needed, giving back control to the users? Which port should I then forward manually to keep using your mobile app?

Hint; search on Google: "Peer-to-Peer Functionality in IoT Security Cameras and Its Security Implications"

Crimp On_62210811129

@melroy I am not confident that Reolink software engineers monitor the user forums. My guess is that the answer is "can't be done". The mobile app works the way it does, and no other way.

As the article referenced explains, a device opening a port to a remote server creates a link that the remote server can use to communicate with the device.
My impression is that when a customer opens the Reolink smartphone app, the app connects to the cloud and uses the customer login credentials to scan the database for UIDs registered to that user who have open links to the server. If the connection is not already open, then the server has no idea which IP address any particular device may be related to.
Only cameras that have connected to the server with their UID can be opened with the app.

Opening a port on a customer router for remote access (i.e. port forwarding), does not restrict access to any particular IP address on the internet. For example, the Reolink RLC cameras include a web server that provides a way to view the camera video. If a user forwarded an external port on their router to port 80 (or 443) on a camera on the local LAN, then they could access that camera remotely. (provided that they can supply the correct user name/pa*sword.) This does not scale well, because every camera would need a separate external port linked to their internal IP address.

joseph_1979

@melroy UID is like your ID number which is a unique identifier pointing to a number of profiles in various inst*tutions. If you go to the hospital they will ask you for the ID and by entering this ID they will get all your health information.

When you power up your camera, it does some DNS queries to get the IP addresses (A record) of the P2P servers (provided by Amazon and Azure) and registers with the P2P servers using its UID (we are a*suming here that UID is enabled). At regular intervals the camera sends packets to the P2P servers which shall include the UID (encrypted). The application on the P2P server decrypts the packet and extracts the UID. The application extracts the private IP and Public IP (BroadBand IP:Port) of the packet and populates them in the respective record a*sociated with UID. If the camera changes IP then the record pointed out by the UID is updated accordingly. The credentials you created are not forwarded to the P2P servers. Well if you can emulate the P2P protocol and know the encryption method/phrase then you would be able to get the private and public IP of a particular UID. But so far there have been no such breaches and still you need the credentials to get access to the camera. Therefore it is imperative to follow the policies a*sociated with pa*swords such as create a strong pa*sword and change it at regular intervals. At this point we see that there is a P2P socket between the camera and the P2P server. For your perusal the camera sends the alerts to the domain pushx.reolink.com. The application server will then forward the push message request to FCM (Android) or APNS (IoS) which shall push the message to your smartphone. Token provided by FCM to your smartphone on registration is forwarded to Reolink pushx application server. This token is included in the request made by this application server to the FCM to push the alert on your smartphone.

Now let's take a look from the client side. When you run the Reolink client, it will send a DNS query to 16 P2P servers (p2p1, p2p3, etc) and the response is the A record containing the IP address of the P2P server. Any P2P server which is not yet a*signed will get the A record with the loop IP (127.0.0.1). For each working P2P server, the client requests the Public IP (the Relay P2P server with which the camera is connected) and Private IPs of the camera using destination port 9999. So if we have 8 working P2P servers and 8 cameras, then the client will send 64 requests over UDP. When the client receives the replies, it will first start to open communication with each camera using the private IP over TCP. Here the credentials are included in the request. If the camera replies then communication continues with the media being sent over UDP. Note that at this point the communication is directly between the client and the camera. At the same time the client also sends the request using the public IP. This public IP is not the public IP on your BB router but rather the IP of the AWS/Azure Relay P2P server to which the camera has been registered. But if communication using the private IP fails then the client establishes connectivity with this Relay P2P server. Recall that the camera has already a p2p socket with thus server. Communication is over UDP. In my opinion, this has been adopted because a number of ISPs restrict users to connect directly to other devices. Technically this is not P2P as there is the Relay server in the middle. So in this case the encrypted packets flow from the client to the Relay server and from the Relay server to the camera and vice versa. In this case the encrypted credentials are sent to the camera through this Relay P2P server. And here comes a question....if there are 1000 12Mbps@25fps and using high def H.265 and the cameras are being accessed remotely using the public IP, then on the P2P relay servers we need a bandwidth of 17Gbps .......... which is really ma*sive.....This explains the delay between viewing using private/local IP (cameras and client on same network) and public IP (other). And I do not think that neither Amazon nor Azure will give unlimited bandwidth.

Now the question being posed is 'Do we trust this setup?' Do you trust pa*sing the bank information when buying over the internet? Do you trust ATM machines which are connected over BB? Do you trust your voice calls over 3G (A5/2 encryption)? etc etc.............. so you have the answer.

No matter how much security you have...there is always a way to get through. Even Alcatraz was a prison where nobody can escape...but they escaped. Nevertheless we need to do our best to protect and be secured.

Apologise for the lengthy answer...but this is high level...can go to the low level...ha ha these are rather simple protocols with the most complicated being within the Telco NEs.

user_711147997069442_711147997069442

This post is deleted!