We must highlight that the scope of our assessment was limited to understanding how the audio/video stream was secured when traversing the internet. After we booted an NVR with UID enabled, we inspected the network traffic and immediately realized that the P2P feature was operating, as several UDP packets were exchanged with the host .Īfter we booted a Reolink camera NVR with UID enabled, we inspected the network traffic and knew the P2P feature was operating, as several UDP packets were exchanged with the host. As explained in the support section of the Reolink website, 3 the term “UID” is used instead of P2P in the device user interface.
#Reolink client on different wifi full#
Reolink CCTV Camera P2P Overviewīeginning with a full set of Reolink CCTV cameras and the matching NVR, we began investigating whether P2P functionality was present in first place. Second, we want to shed some light on the security level of P2P implementations and share our findings with the security community at large. First, we want to protect industrial operators who might be unwittingly running P2P functionality in cameras on their OT networks or at their facilities. Our research goals are typically twofold. This realization led us to investigate the situation further. By examining some devices we had in our lab, it became clear that the privacy and security implications of using a camera’s “P2P” feature are not clearly explained to users. What concerned us the most about Marrapese’s brilliant work was the sheer number of end users affected by the problems identified, and the lack of official documentation describing how P2P functionality works. By exploiting these vulnerabilities, an attacker is able to intercept the audio/video stream at will. In August 2020, security researcher Paul Marrapese 1 published extensive research 2 detailing security issues affecting the P2P implementations of some vendors. However, the typical scenario involves an internet-reachable node which acts as a mediator between the client that wants to access the audio/video stream, and the device that serves the data.
The technical details vary between vendors and third-party providers of this functionality. Rather than have a user explicitly configure a firewall to let a client reach the device with the video data, “P2P” establishes a connection through a set technique commonly defined by the umbrella term “hole punching”. The video data is available from the cameras or accessed through NVRs. Peer-to-Peer (P2P), in the context of security cameras, refers to functionality that allows a client to access audio/video streams transparently through the internet. Peer-to-Peer Functionality in IoT Security Cameras and Its Security Implications Nozomi Networks Labs’ discovery of Reolink P2P vulnerabilities highlights IoT security risks. Questions have arisen about the security of video surveillance cameras.
0 kommentar(er)
