Spy Alert! Reolink products have a security hole
Recently Reolink became my favorite brand but quickly lost that sentiment upon learning this.
I own a Reolink C1 Pro. It is a cool little camera with PTZ. I set up the camera with their Reolink app, scanned the QR code and was on my way. I was so happy I even set it up on my mom's phone.
What's the problem then?
Well, when my mom is at work she will occasionally call me when she is bored. This one time, instead of calling, she opened the Reolink app. Without knowing the difference, she was amused that she could see me in the kitchen making food.
She was just happy that I was eating something.
Later that day she told me about it and, obviously to me, this set off alarm bells. My mom should not be able to see the camera unless she is on the network.
I quickly turned off the WiFi on my phone and opened the app to see it was showing me a feed of my kitchen. At that moment I felt betrayal.
I contacted them and asked how I could turn this off, and they replied with the following.
Hello Moe Alam, If the UID is disabled, the camera will not connect to the AWS server, but the camera may still send some of the data to the address since it's written in the software, but they will have no communication. Thanks.
I was happy with the first half of the sentence then felt betrayal slip back in during the second half.
Skidank (a fellow community member in Discord) pointed out that his cameras were "phoning home" previously. At the time it didn't sink in what he was telling everyone. I thought he meant that when you first scan your camera with the Reolink app it sends data that one time; I am OK with that enough to let it go.
I was very wrong.
Skidank later posted a screenshot of his firewall's blocked requests. This is with the UID feature disabled.
Approximately every 10 seconds something is being sent to Reolink's AWS server. I contacted Reolink and asked them if there is a way to turn it off and have received no reply since showing them this information.
Here is a screenshot of the packet provided by Skidank.
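As an added example that is not part of the original post, the following Python reads a few constructed firewall drop-log lines (a hypothetical log format; the addresses are documentation ranges, not Reolink's) and flags flows whose inter-arrival time is regular, the pattern visible in Skidank's screenshot, so a camera phoning home every ~10 seconds stands out in your own firewall logs even when the destination is unknown to you.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of firewall DROP log lines (hypothetical format; real firewalls
# differ in layout but carry the same fields). One LAN host beacons every ~10 s,
# another makes a few irregular connections.
SAMPLE_LOG = """\
1543950000 DROP SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=9000
1543950010 DROP SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=9000
1543950020 DROP SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=9000
1543950030 DROP SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=9000
1543950041 DROP SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=9000
1543950050 DROP SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=9000
1543950003 DROP SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=443
1543950187 DROP SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=443
1543950212 DROP SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Group event timestamps by (src, dst, proto, dport) flow; skip unparsable lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = (m["src"], m["dst"], m["proto"], int(m["dpt"]))
            flows[key].append(int(m["ts"]))
    return flows


def find_beacons(flows, min_events=5, max_jitter_ratio=0.2):
    """Return (flow, mean period in seconds, event count) for flows whose gaps
    between events are regular enough (low std-dev relative to the mean) to look
    like a heartbeat rather than human-driven traffic."""
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)  # log lines may arrive out of order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter_ratio:
            beacons.append((key, round(period, 1), len(stamps)))
    return beacons


if __name__ == "__main__":
    for flow, period, n in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]} every ~{period}s ({n} events)")
```

On the sample the 192.168.1.50 flow is reported with a ~10 s period while the irregular 443 traffic is not; point it at your router's dropped-egress log to see which device is beaconing and how often.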
Why is this a problem?
This is data going out from your camera into the world, not an inbound connection reading the data. That means you don't even need to port forward your camera for it to be accessed by a hacker.
For a moment, let's assume these cameras are unhackable. We still don't know what they are sending or why they are sending it. Frankly, there is no good reason for this to be happening at all. They could allow one unauthorized person to play on one of their computers, and that could be the end of any privacy with Reolink products.
We simply have no idea what they are doing to protect us, if at all. It's best to not leave it in their hands to begin with.
Update 1
So I got a response a few hours after posting this article.
Hello Moe Alam, Sorry for getting back to you so late due to the weekend... The message sent by the camera aims to check whether there is an App which needs to receive push notifications. Currently the App information is saved to the AWS server, and every camera needs to check on the AWS server. Please do not worry about that, it is not related to any of your privacy at all. We will update a new firmware in the future to improve that. If there is still any problem, please feel free to let me know. Have a nice day!
Personally I still don't like the reasoning. There shouldn't be anything like this on by default.
If it is to be "default" it should be based on a profile that is asked for on setup. Like "Simple" and "DIY". Simple can have all the convenient features like Push Notifications and UID enabled at start. While DIY will be for those who just want a quality IP Camera without the extra bells and whistles.
I have, again, asked them if there is a way to turn it off. I hope for blue skies.
Update 2 : Good News!
Reolink has replied with arrows to a blue sky!
Hello Moe Alam, I'm afraid we cannot turn it off with the current version, sorry for that. But we will add it in the next firmware; if push is disabled on the camera, there will be no such data sent. We will keep you updated when the new firmware is ready. Thanks for your kind understanding in advance.
I will be patiently waiting for that update! I love Reolink hardware and I'm overjoyed that I can continue to use them in confidence.
Update 3 : Bad and Good.
12/06/2018 5:37PM
So no word from Reolink for over a month. This is very sad, to say the least. Damian has mentioned a way for us to stop Reolink's unauthorized transfers until we get that fix. You can read about that here.
Update 4 : Sweet!
All good to go! Just grab the updated firmware for your camera and you'll be bug free!