Reolink push notifications... but without port forwarding, wtf?

Ok, so I looked at various Reolink documentation but to their credit I don’t think they are trying to overload customers with info, so they do not explain any of the magic going on behind the smoke and mirrors- but even when I’m not VPN’d into my network but away from home, my cell phone still gets Reolink IP camera push notifications for motion alerts. The Reolink cameras are on a PoE switch currently on my LAN (until I give it its own port on pfSense). I do not have port forwarding set up for anything on the LAN (now that I think about it, I should verify this, maybe a relic from hass.io)-- how the heck am I getting push notifications?

Only thing I can think of is I’m derping on some port forwarding settings I have on the LAN (not home yet to check), or during the app install, client install on a Windows machine and setting up the IP cameras, there is some level of server Reolink has built in, so there is some traffic going to a server of theirs to then relay the push to the app on my phone.

Setup context-
Not using their DVR/NVR, just four PoE cameras, a Windows VM with the client running and their app on my phone, all on LAN. I’m doing things the hard way cause I’m a knucklehead (their NVR would have been really nice for full functionality) and looking to find some other way of hosting the videos to be accessed from my phone without being at their NVR software’s security mercy.

Reolink cameras phone home through your network, then the message gets rerouted to your phone via the account you set up with Reolink. No port forwarding required since it’s HTTP traffic. I have a Reolink camera among Hikvision cameras and I restrict all WAN traffic to and from them. I access my cameras through the Blue Iris web server or through VPN.

I’m too paranoid that there will be a rogue camera that will be hacked, so I block all WAN connections and put them on a different subnet so I have a small layer of segmentation.

I have a few friends from work that have the Chinese Hikvisions and port forward each camera. Lately they have been getting reset due to a vulnerability in the Hikvision firmwares that lets anyone in if they know the not so secret knock.


That right there- why I didn’t buy the A-Z package deal of cameras plus NVR. I was seriously looking into Blue Iris but the Reolink software has been impressive. I hope to shore up the shortcomings (not being able to view recorded video via app) by spinning up other things like a Nextcloud setup. My biggest paranoia is even if mapping ports, segmenting the network etc, my IP gets port scanned a few times a week and the various bots- I imagine if set up correctly- can put ‘two and two’ together and figure out what system is behind that port, has the not so secret knock set up, and can now use my system as a DDoS member (most likely), put my IP on blacklists and the less likely but also scary digging into the actual saved videos.

Thanks for the info, not sure what I would have been able to find myself dusting off the rust that is my use of pcap captures. But what a good exercise that would be- need to stop avoiding the intimidation of using Wireshark. Heck maybe not even that surgical, maybe pfSense logs plus googling known Reolink server IPs… Hmm, hold my beer…

@gigabit did you note what port the Reolinks were using? I have ntop spun up on my pfSense and it looks like Reolinks use port 12812 out (* correction, seems each camera uses a different port- makes sense I guess), and Reolink is using Amazon to host the server.

Just stick them on a segmented VLAN with no WAN to/from access?

I kinda like getting push notifications… if Reolink’s services can’t be trusted (bad security, too easy to recruit into a botnet etc) I guess I will have to segment, firewall, break down and get Blue Iris.

You could just allow WAN to only the Reolink site.


I suppose that would mitigate using the cameras to pivot into my network, but they could still be used for a botnet- that seems to be the largest market IMO- my poor little RasPi WordPress server joined a botnet, I’ve always been concerned after that.

Just because it’s accessing that port now, I don’t know what other ports it might try to access. For me it was more secure to segment and block all WAN traffic at the firewall.

Blue Iris runs and sends me an email when motion is detected. If I want to investigate further I will VPN in and live view. If I want to play back footage I’ll use Blue Iris.

It works very well and I know it will take an OpenVPN vulnerability to access my network.


I should have gotten that Synology from a buddy- it has an IP camera feature that looks really good and fully under one’s control. I’m looking into XPEnology so maybe I can make my own Synology box with hardware I have laying around.

For now I’m not too uncomfortable letting the Reolinks push notifications to me, I’m keeping an eye on things with Splunk and ntopng. I’m using OpenVPN and Google’s SMB app, so if there is video I want to review, I VPN in and get into my CIFS share on the FreeNAS I have the recordings going into.

No it won’t? If you allow that device to hit only a specific target on WAN then it can’t be used in a botnet. The worst it could do is send too many REST hits to Reolink. They probably have a limit on the amount of hits from devices to their API, so if it ever does this behavior then they’ll let you know.

Derp, I misread your reply. Sounds like a good plan.
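The two policies argued over in this thread (block all WAN from the camera VLAN, or allow WAN only to the vendor endpoint) can be audited from firewall flow logs, which is what the Splunk/ntopng monitoring above amounts to. The script below is an added example written for this thread, not code from Reolink or anyone in the discussion; the camera subnet, the vendor prefix (a TEST-NET placeholder that you must replace with what you actually observe the cameras contacting) and the log lines are all constructed assumptions.

```python
# Added example: classify camera VLAN flows against an "allow only the vendor
# endpoint" policy and flag anything that would matter if a camera were compromised.
import ipaddress
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed camera VLAN
# Placeholder for the vendor's push/relay endpoint (TEST-NET-3). The real prefix
# and port come from watching the cameras with ntopng/pfSense logs, as in the thread.
ALLOWED_WAN = {(ipaddress.ip_network("203.0.113.0/24"), 443)}
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line: "src,dst,proto,dport"
SAMPLE_LOG = """\
192.168.50.11,203.0.113.7,tcp,443
192.168.50.12,203.0.113.9,tcp,443
192.168.50.11,192.168.1.20,tcp,445
192.168.50.12,198.51.100.5,tcp,6667
192.168.50.13,8.8.8.8,udp,53
192.168.1.20,203.0.113.7,tcp,443
"""

def classify(src, dst, proto, dport):
    """Verdict for one flow from a camera; None if the source is not a camera."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CAMERA_NET:
        return None
    if any(d in net for net in LAN_NETS):
        return "lateral"          # camera reaching the rest of the LAN: pivot risk
    if any(d in net and dport == port for net, port in ALLOWED_WAN):
        return "allowed"          # the push-notification relay path
    return "unexpected_wan"       # anything else: possible botnet/C2 or a policy gap

def audit(log_text):
    """Count verdicts per camera over a block of flow log lines."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        src, dst, proto, dport = line.split(",")
        verdict = classify(src, dst, proto, int(dport))
        if verdict is not None:
            report[src][verdict] += 1
    return {cam: dict(counts) for cam, counts in report.items()}

if __name__ == "__main__":
    for cam, counts in audit(SAMPLE_LOG).items():
        print(cam, counts)
```

Any "lateral" or "unexpected_wan" hit is worth a firewall rule review: the former is the pivot case discussed above, the latter is the "what other ports might it try" case.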