![]() ![]() Communication Between the P2P client and the Reolink P2P Server The first three packets of the UDP payload are revealed using a small script and the hardcoded key identified by our team.Īccessing the cleartext protocol was the first building block that allowed us to develop an understanding of the operations performed by the P2P server. What follows is the output obtained with the first three packets: nvr:46469 -> :9999 The most obvious next step was crafting a small script that tried to reveal the UDP payload with the key we had just identified. From there we found the code that performs the obfuscation using a hardcoded key. A software client, either a mobile or a desktop application, accesses the audio/video stream from the internet.īy analyzing the main NVR binary with the disassembler, we located the functions responsible for network I/O.A “Reolink P2P server”, a server managed by the vendor, acts as a middleman allowing client and NVR to establish a connection.A NVR is connected to security cameras through the same local network, and represents the P2P server that generates the audio/video stream.The setup we used in our analysis mirrors the one described by the vendor in the description of the P2P architecture: The traffic that reached Reolink servers was always created by Reolink software. We did not perform any activity against Reolink servers or submit bogus traffic of any kind. We exclusively recorded the traffic originating from Reolink devices in our lab, and analyzed how the devices and clients created and reproduced the streams. We must highlight that the scope of our assessment was limited to understanding how the audio/video stream was secured when traversing the internet. After we booted an NVR with UID enabled, we inspected the network traffic and immediately realized that the P2P feature was operating, as several UDP packets were exchanged with the host .Īfter we booted a Reolink camera NVR with UID enabled, we inspected the network traffic and knew the P2P feature was operating, as several UDP packets were exchanged with the host. As explained in the support section of the Reolink website, 3 the term “UID” is used instead of P2P in the device user interface. Reolink CCTV Camera P2P Overviewīeginning with a full set of Reolink CCTV cameras and the matching NVR, we began investigating whether P2P functionality was present in first place. Second, we want to shed some light on the security level of P2P implementations and share our findings with the security community at large. First, we want to protect industrial operators who might be unwittingly running P2P functionality in cameras on their OT networks or at their facilities. Our research goals are typically twofold. This realization led us to investigate the situation further. By examining some devices we had in our lab, it became clear that the privacy and security implications of using a camera’s “P2P” feature are not clearly explained to users. What concerned us the most about Marrapese’s brilliant work was the sheer number of end users affected by the problems identified, and the lack of official documentation describing how P2P functionality works. By exploiting these vulnerabilities, an attacker is able to intercept the audio/video stream at will. In August 2020, security researcher Paul Marrapese 1 published extensive research 2 detailing security issues affecting the P2P implementations of some vendors. ![]() However, the typical scenario involves an internet-reachable node which acts as a mediator between the client that wants to access the audio/video stream, and the device that serves the data. The technical details vary between vendors and third-party providers of this functionality. Rather than have a user explicitly configure a firewall to let a client reach the device with the video data, “P2P” establishes a connection through a set technique commonly defined by the umbrella term “hole punching”. The video data is available from the cameras or accessed through NVRs. Peer-to-Peer (P2P), in the context of security cameras, refers to functionality that allows a client to access audio/video streams transparently through the internet. Peer-to-Peer Functionality in IoT Security Cameras and Its Security Implications Nozomi Networks Labs’ discovery of Reolink P2P vulnerabilities highlights IoT security risks. Questions have arisen about the security of video surveillance cameras. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |