This is not a product review, nor is it an attack on Reolink products. This is a technology investigation and learning exercise.
These web cams get decent reviews from Amazon, and so I picked up one of each to test and was planning on adding them around my house to monitor my carport and shed. I wanted to understand how the remote software works, because without opening any ports in my firewall (and no, I do not have UPnP enabled), the Reolink app on my iPhone connected flawlessly from the outside world. How did this work? Enter P2P.
P2P (Peer-to-Peer) is the technology used for torrenting movies, etc. In 2018, this is nothing new, but I need to understand it better – and how these cameras use it. So how secure is this for my security cams? Well, that seems to be a matter of opinion. After my preliminary findings I’m not trusting them all that much (yet).
I’ll concentrate on the Reolink RLC-410 (non-wireless, PoE version) unit, but other models from Reolink and other manufacturers (Foscam, WyzeCam) are very similar in underlying technology. The setup was simple, and in a few minutes I was viewing the camera through the Reolink app on my iPhone, even remotely from outside my firewall.
What concerns me about the easy setup? You simply scan the QR code on the outside of the box with your iPhone and it sets up that camera in the app. Note to self: decode the QR code. And because the camera is P2P, the iPhone app simply connects directly to the camera – bypassing the firewall entirely (because no, I do not have specific rules to block P2P technologies, since they have other useful uses).
Disabling P2P in the camera – sort of
My concern with P2P on these cameras being active 24/7 is: how do I know someone (or something) isn’t attacking my device – or peering in?
Turns out Reolink allows us to disable this feature: logging into the IP address of the camera in a browser, I found the setting “UID” (Unique Identifier) that I could uncheck. My app no longer connects (Yay!), so I know that P2P is off... or is it? A quick check for connections on the Mikrotik, and guess what? The camera still has an open UDP connection to China – and it appears that it is streaming the video there, as there is about 700Kbps going out. Pretty easy to deal with; at the Mikrotik I can block all outgoing traffic from that camera so it cannot transfer data outside of my network – but do I really trust this device on my network?
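As an added example (not from the original post), a small Python check over a constructed connection table, the kind a router’s connection tracking exposes, that flags a camera with a sustained outbound flow to a non-RFC1918 address even though its P2P toggle is off. The addresses, byte counts and the function names are constructed assumptions; 203.0.113.x and 198.51.100.x are documentation ranges standing in for the real public endpoints.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on a router's connection-tracking table:
# (proto, src, sport, dst, dport, bytes sent by src, seconds observed).
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for
# real public endpoints; the camera is 192.168.10.50 on the LAN.
SAMPLE_CONNECTIONS = [
    ("udp", "192.168.10.50", 60001, "203.0.113.10", 8000, 52_500_000, 600),  # camera -> internet, ~700 Kbps
    ("udp", "192.168.10.50", 60002, "203.0.113.53", 53, 1_200, 600),         # camera -> internet, tiny keepalive
    ("tcp", "192.168.10.50", 80, "192.168.10.20", 43210, 52_500_000, 600),   # camera -> QNAP on the LAN, expected
    ("tcp", "192.168.10.100", 51000, "198.51.100.5", 443, 9_000_000, 600),   # laptop -> internet, not a camera
]
CAMERAS = {"192.168.10.50"}

# Only RFC 1918 space counts as "inside"; anything else is treated as egress.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def egress_kbps(bytes_sent, seconds):
    """Average outbound rate in kilobits per second."""
    return bytes_sent * 8 / 1000 / seconds

def find_unexpected_egress(connections, cameras, min_kbps=100):
    """Return (camera, dst, proto, kbps) for sustained outbound flows from a
    camera to a non-private address, the pattern a P2P relay stream leaves
    even after the in-camera toggle is switched off."""
    totals = defaultdict(lambda: [0, 0])  # (src, dst, proto) -> [bytes, seconds]
    for proto, src, _sport, dst, _dport, sent, secs in connections:
        if src in cameras and is_external(dst):
            agg = totals[(src, dst, proto)]
            agg[0] += sent
            agg[1] = max(agg[1], secs)
    findings = []
    for (src, dst, proto), (sent, secs) in totals.items():
        kbps = egress_kbps(sent, secs)
        if kbps >= min_kbps:  # ignore small check-ins; flag anything that looks like a video stream
            findings.append((src, dst, proto, round(kbps)))
    return sorted(findings)

if __name__ == "__main__":
    for src, dst, proto, kbps in find_unexpected_egress(SAMPLE_CONNECTIONS, CAMERAS):
        print(f"{src} -> {dst}/{proto}: ~{kbps} Kbps outbound; candidate for a drop rule on {src}")
```

The QNAP flow is ignored because it stays on the LAN, and the tiny keepalive falls under the rate threshold; only the 700Kbps stream to the outside is reported.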
Side-Bar – Using the QNAP
Before I noticed the camera was somewhat ignoring the fact that I had P2P disabled (well, UID in Reolink’s case), I set up the camera in my QNAP’s Surveillance Station. I haven’t tested everything, but the recording seemed to work just fine. I may bring this camera back online and look into this further. This could get me around the P2P concerns.
Camera Firmware – How Secure Is It?
In short, not very. I performed a check for firmware updates, and the camera reported that I am up to date. Great! What can I find with nmap?
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Boa HTTPd 0.94.13
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Boa/0.94.13
|_http-title: Site doesn't have a title (text/html).
10002/tcp open  documentum?
Reolink.com has a blog post about security, which seems pretty good. In this blog post, they even tell you to disable the remote viewing options. https://reolink.com/how-to-secure-your-wifi-enabled-home-camera/
An older, but still valid article and interesting comments: https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/
Wyze Cam specific: https://craigsmith.net/wyzecam-a-great-iot-device-but/
Reolink themselves have a lot of information on the technology; not entirely what I was looking for, but I still found it informative: https://reolink.com/p2p-ip-camera/
Some Final Thoughts
I’m still not convinced that this camera isn’t (or couldn’t be) used maliciously, or that it’s secure enough for me to use without more investigation on my part into the P2P infrastructure being used. I plan to spend more time investigating this. What I might do is create a completely separate VLAN on my network that only the security cams are connected to, then monitor the traffic for a while and see if I can find anything more about it.
Another crazy idea I had was to rip the guts out of the camera and see if I can connect it to a Raspberry Pi and run MotionEye (or roll my own mini cam system). It seems overkill and probably not worth it, but I always look at things as a learning exercise, and in this case I’d trust the software and what it’s doing better.
I found an article by Moe Adam who had the same concerns as myself. It’s worth a read and IMO is much better written. Just in case that URL is lost in internet-land, I wanted to paste the responses he received from Reolink:
Hello Moe Alam, If the UID is disabled, the camera will not connect to the AWS server, but the camera may still send some of the data to the address since it's written in the software, but they will have no communication. Thanks.
Hello Moe Alam, Sorry for getting back to you so late due to the weekend... The message sent by the camera aims to check whether there is an App which needs to receive push notifications. Currently the App information is saved to the AWS server, and every camera needs to check on the AWS server. Please do not worry about that; it is not related to any of your privacy at all. We will update a new firmware in the future to improve that. If there is still any problem, please feel free to let me know. Have a nice day!
Hello Moe Alam, I'm afraid we cannot turn it off with the current version, sorry for that. But we will add it in the next firmware; if push is disabled on the camera, there will be no such data sent. We will keep you updated when the new firmware is ready. Thanks for your kind understanding in advance.