RE: All my Reolink Cameras keep trying to access Oracle Servers

@crimp-on_62210811129
Hi there. I remember you asking this same question and after creating a response this silly forum blocked me from posting it (made me wait X amount of days and then other things came up here at home so I never finished it).

My AT&T internet service provides me with an app for my phone called "Smart Home Manager" that does various things. E.g. I can walk around the house and it gives a continuous graphic showing the WiFi strength. It can help me to assign a clear channel for the WiFi router. It allows me to restart the WiFi on the router (or the entire router) they installed for my service.

One of the things it does is monitor my local network and records to a log on the app on my phone different things such as:

• Whenever a new device is added (e.g., a guest shows up with a cell phone, etc.)
• Every once in a while it randomly checks on active devices in my network for any security issues
• While browsing the internet, if you access a website that contains a link to a phishing website, it will block that access and log a message labeled "Unsecured website blocked" showing what device was protected and when it happened.
• If anything on my network "attempted a connection to a suspicious, remote location" the "connection was blocked to prevent improper activity on (my) home network". This exact wording in the logged message includes the device (camera in this case), date and time of the event, and the Blocked IP (my most recent one was 144.24.21.151 - probably an Oracle server). The message is labeled as "Network Attack Blocked"

Whenever a URL or IP address is blocked, the logged message has a button in it that permits you to allow access to that point (i.e., it overrides the block)

I do not have to have this phone app running all the time so I assume that my account at AT&T continuously stores this logged information where the app can access it. I also do not know where the detection point is for these suspicious IP addresses and URLs. My guess is that they either have a special setup for my main router's firewall or they are catching them at the boundary to AT&T's servers, I'm not totally sure whether or not they are doing the filtering upstream of the router.

@joseph_1979
Thank you Joseph. I found that I had already asked this question 2 months ago and you had already answered it then but I missed it. So I assume that AWS is Amazon Web Services and (at least part of them) are hosted on Oracle servers.

Although I'm not very familiar with the P2P protocols and messages that are being used, it sounds as though the camera has to be registered with a client first, and then that client actually sets up things via the P2P servers using some kind of public key encryption techniques. Since only the client(s) that the camera is registered with can set this up, therein lies the access security. Does this sound correct?

Also, My AT&T account keeps blocking attempts by the cameras to access those servers and yet when I try to access a camera from outside my home network, it still seems to work. If the cameras need access to those P2P servers to set up the connection, why is setting up connections from outside my home network still possible when access to those servers is blocked?

Over the past year of using my collection of 7 Reolink cameras in my home, every once in a while I have noticed that each of them is occasionally trying to access outside IP addresses which my AT&T security support has blocked, sending me notifications when it happens. This has happened from all of my POE cameras on multiple occasions. 

Since I've tried to occasionally access my cameras from outside our home, I had assumed that it had something to do with how Reolink allows you to do this using UUIDs. I have also noted recently that it seems to happen when I attempt to view a camera remotely from outside my home.

However, this had happened so many times I started recording the IPs that the cameras were attempting to access. The list was about 7 or 8 different IP addresses and some cameras were trying to access the same IPs. After accumulating this list, I sat down and started "whois"ing each of them, assuming that it was some equipment owned by Reolink for their cloud support.

I was shocked to discover that ALL of them belonged to Oracle corporation! Furthermore, they were all associated with either Oracle in Phoenix Arizona or one other Corporate Oracle location (I think it was in New Jersey somewhere but I'd have to confirm that).

Now I'm not real familiar with how all these things work, but it almost looks like these Reolink networking products made in China have been set up to perform Denial Of Service or some other type of attack on some of Oracle's servers. Has anyone got any better ideas of what would explain why my cameras will suddenly start trying to access servers belonging to Oracle?

I've spent several hundreds of dollars purchasing all of this equipment and I am really disturbed that some third party may be using them for malicious purposes, all originating from my home network. I'm thinking now that I may need to return all of my Reolink hardware because this is just crazy!

Over the past year of using my collection of 7 Reolink cameras in my home, every once in a while I have noticed that each of them is occasionally trying to access outside IP addresses which my AT&T security support has blocked, sending me notifications when it happens. This has happened from all of my POE cameras on multiple occasions.

Since I've tried to occasionally access my cameras from outside our home, I had assumed that it had something to do with how Reolink allows you to do this using UUIDs. However, it had happened so many times I started recording the IPs that the cameras were attempting to access. The list was about 7 or 8 different IP addresses and some cameras were trying to access the same IPs. After accumulating this list, I sat down and started "whois"ing each of them, assuming that it was some equipment owned by Reolink for their cloud support.

I was shocked to discover that ALL of them belonged to Oracle corporation. Furthermore, they were all associated with either Oracle in Phoenix Arizona or one other Corporate Oracle location (I think it was in New Jersey somewhere but I'd have to confirm that). I no longer have those numbers (they're on a scrap of paper buried somewhere on my desk I think).

Now I'm not real familiar with how all these things work, but it almost looks like these networking products coming out of China have been set up to perform Denial Of Service on some of Oracle's servers. Has anyone got any better ideas of what would explain why my cameras will suddenly start trying to access servers belonging to Oracle. I've spent several hundreds of dollars purchasing all of this equipment and I am really disturbed that some third party may be able to use them for there own malicious purposes.

@sparker_825114123485429 So here it is nearly a year after the OP's question. Today, I have discovered the exact same thing with the same camera and the same firmware version numbers.

I discovered this after I found out that there had been 2 firmware updates to my doorbell camera that I didn't know about. Every time I would tell it to update to the latest firmware it would incorrectly tell me that my existing firmware is current It has forced me to manually download the firmware and install.

The configuration management for these products really seems kind of "iffy" to me.

I have tried to respond to your question but everything keeps getting rejected. What gives?

I have developed some security type concerns over several new cameras I've purchased.

1. After registering all of my cameras on the Reolink website for warranty, I began to wonder why the camera’s UID was needed for the registering when the Serial Number is already available. Isn’t the product-UID used to access the device from OUTSIDE of your home’s LAN? Then I realized that there doesn’t seem to be a way to edit and remove those UID numbers from the Reolink website. How can I remove these numbers off of the Reolink website where they are recorded?

2. After I had purchased a new Duo3 and connected it up to my home network, shortly after that my network security (provided by AT&T) blocked an attempt that it made to access an outside IP address at 129.146.110.167. Why in the world would my camera be trying to “phone home” (or whatever it was doing out there)? I have not set up any kind of cloud service for it to use. What is going on here?

If the normal doorbells (black) had been set up so that they could be configured in corridor mode (like the WHITE doorbells), it never would have been necessary to have a totally different color doorbell to tell them apart. With that implementation, the customer could choose either color regardless of their implementation.

We have a very narrow archway before getting to our front door. As a result, I had to buy a WHITE doorbell. A BLACK doorbell would have looked far better in our entrance-way, but unfortunately the wide field of view with the BLACK doorbells just results in a massive amount of the IR light being reflected back at the doorbell camera from the walls, ceiling and floor. Also, since the vertical field of view of the black doorbells is more limited, most people have the tops of their heads cut off in the view due to how close they have to stand to the camera on our doorstep.

So in order to get the portrait format that I need, I have to use a white doorbell which aesthetically doesn't look as good. You should add the corridor mode to ALL doorbells regardless of their color.

BTW, the vertical format of the white doorbells provide good view of the floor in front of our door to reveal packages that the black doorbell doesn't provide.

@user_840683896512750_840683896512750
Have you also noticed how even when you tighten the mounting screw into the camera it takes very little torque between them (i.e. a good gust wind) and the joint pops loose! It sort of looks like there were supposed to be little nubs between the camera and the mount bracket that would prevent this from happening. The screw that is used there appears to be a standard camera mount screw (i.e., like used on tripods). In all of those applications though, there is always a thin ribbed piece of rubber to prevent the joint from turning and coming loose.

I have one of these but I'm afraid I will have to put a totally separate hole in the soffit for the cables to go through well behind the camera instead of through its mount. I also suspect that I will have to create some kind of thin rubber gasket to go between the camera and the knuckle where the screw goes through. If not that, I may have to just glue them together before putting in the screw (although I'm sure that will invalidate any warranty that I have).

Also if you don't get the mount in the exact right position, the mount will not allow you to correct any error in the tilt horizon of the camera's view. E.g., if the soffit that you are mounting to is sloped, the horizontal center of the image will be tilted as well and can not be fixed. If you have the camera angled down 45 degrees, you get a similar problem.