New Reolink P2P Vulnerabilities Show IoT Security Camera Risks

Nozomi Networks Labs has discovered vulnerabilities in the Peer-to-Peer (P2P) feature of a commonly used line of security cameras – Reolink. Our research has resulted in a coordinated disclosure with ICS-CERT, which published advisory ICSA-21-019-02: Reolink P2P Cameras today.

Reolink’s cameras and NVRs (Network Video Recorders) are typically used by homeowners and small businesses; however, they are relevant to critical infrastructure and industrial operators in two ways.

One, they may be in use at your facilities, including on your OT networks. Two, P2P is used by several camera vendors and, if your CCTV solution has this feature, it’s important to understand the potential risks.

This blog describes the journey we took to find these IoT security vulnerabilities, and presents technical details that are relevant for security teams and researchers.

Questions have arisen about the security of video surveillance cameras. Nozomi Networks Labs’ discovery of Reolink P2P vulnerabilities highlights IoT security risks.

Peer-to-Peer Functionality in IoT Security Cameras and Its Security Implications

Peer-to-Peer (P2P), in the context of security cameras, refers to functionality that allows a client to access audio/video streams transparently through the internet. The video data is available from the cameras or accessed through NVRs.

Rather than have a user explicitly configure a firewall to let a client reach the device holding the video data, “P2P” establishes a connection using a set of techniques commonly grouped under the umbrella term “hole punching”. The technical details vary between vendors and the third-party providers of this functionality. However, the typical scenario involves an internet-reachable node that acts as a mediator between the client that wants to access the audio/video stream and the device that serves the data.

In August 2020, security researcher Paul Marrapese [1] published extensive research [2] detailing security issues affecting the P2P implementations of some vendors. By exploiting these vulnerabilities, an attacker is able to intercept the audio/video stream at will.

What concerned us the most about Marrapese’s brilliant work was the sheer number of end users affected by the problems identified, and the lack of official documentation describing how P2P functionality works. By examining some devices we had in our lab, it became clear that the privacy and security implications of using a camera’s “P2P” feature are not clearly explained to users.

This realization led us to investigate the situation further. Our research goals are typically twofold. First, we want to protect industrial operators who might be unwittingly running P2P functionality in cameras on their OT networks or at their facilities. Second, we want to shed some light on the security level of P2P implementations and share our findings with the security community at large.

Reolink CCTV Camera P2P Overview

Beginning with a full set of Reolink CCTV cameras and the matching NVR, we first investigated whether P2P functionality was present at all. As explained in the support section of the Reolink website [3], the device user interface uses the term “UID” instead of P2P. After we booted an NVR with UID enabled, we inspected the network traffic and immediately realized that the P2P feature was operating, as several UDP packets were exchanged with the host p2p.reolink.com.

We must highlight that the scope of our assessment was limited to understanding how the audio/video stream was secured when traversing the internet. We exclusively recorded the traffic originating from Reolink devices in our lab, and analyzed how the devices and clients created and reproduced the streams. We did not perform any activity against Reolink servers or submit bogus traffic of any kind. The traffic that reached Reolink servers was always created by Reolink software.

The setup we used in our analysis mirrors the one described by the vendor in the description of the P2P architecture:

  • An NVR is connected to the security cameras through the same local network, and represents the P2P server that generates the audio/video stream.
  • A “Reolink P2P server”, a server managed by the vendor, acts as a middleman allowing client and NVR to establish a connection.
  • A software client, either a mobile or a desktop application, accesses the audio/video stream from the internet.

The Reolink P2P architecture and security set-up, as described by the vendor.

Before launching our investigation, we conducted background research to understand whether research on Reolink’s P2P implementation had already been done. We came across George Hilliard’s blog [4], in which he documents the proprietary protocol that Reolink devices and clients use within a local network. This provided an interesting place to begin.

By analyzing the local traffic with the dissector provided, we could easily navigate through the TCP streams. These carried the “signaling” portion of the proprietary protocol and the audio/video component. In particular, we noticed that signaling packets were obfuscated with a trivial 8 byte key. Armed with this knowledge, we turned our attention to the P2P traffic.

Reolink local traffic analyzed with Neolink dissector.

Communication between NVR and Reolink P2P server

We first exclusively analyzed the traffic exchanged between our NVR and the Reolink P2P server and immediately noticed some patterns in the UDP packets exchanged. This observation led us to think that an obfuscation strategy, like the one used in the local network protocol, could be employed for the traffic traversing the internet. By loading the NVR binary in charge of creating these packets in the disassembler, we located the functions responsible for network I/O. From there we found the code that performs the obfuscation using a hardcoded key.


The most obvious next step was crafting a small script that tried to reveal the UDP payload with the key we had just identified. What follows is the output obtained with the first three packets:

[UDP] nvr:46469 -> p2p.reolink.com:9999
<P2P>
<D2M_Q>
<uid>9527000*************</uid>
<ver>2</ver>
<r>3</r>
</D2M_Q>
</P2P>
-----
[UDP] p2p.reolink.com:9999 -> nvr:46469
<P2P>
<M2D_Q_R>
<reg>
<ip>35.180.210.74</ip>
<port>58200</port>
</reg>
<log>
<ip>35.180.210.74</ip>
<port>57850</port>
</log>
<timer/>
<retry/>
<rsp>0</rsp>
<token>1598321923</token>
<ac>1130209852</ac>
</M2D_Q_R>
</P2P>
-----
[UDP] nvr:46469 -> p2p.reolink.com:58200
<P2P>
<D2R_R>
<uid>9527000*************</uid>
<dev>
<ip>192.168.0.250</ip>
<port>46469</port>
</dev>
<token>1598321923</token>
<r>3</r>
</D2R_R>
</P2P>

The first three packets of the UDP payload are revealed using a small script and the hardcoded key identified by our team.
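As an added illustration (not part of the original post, and not Reolink’s or Nozomi’s code), the script below shows the kind of small decoder used to reveal these payloads. It assumes the hardcoded key is applied as a repeating-key XOR over the UDP payload, as the “trivial 8 byte key” on the local protocol suggests, and it uses a placeholder key rather than the real one recovered from the firmware. The sample packet is the M2D_Q_R reply above, masked with that placeholder key so the round trip can be checked offline.

```python
"""Deobfuscate and parse Reolink P2P signaling messages (added example).

Assumptions not stated on the page: the hardcoded key is applied as a
repeating-key XOR over the UDP payload, and PLACEHOLDER_KEY stands in for
the real 8-byte key, which is deliberately not reproduced here.
"""
import xml.etree.ElementTree as ET
from itertools import cycle

PLACEHOLDER_KEY = b"\x1f\x2e\x3d\x4c\x5b\x6a\x79\x88"  # stand-in, not the real key


def xor_unmask(payload: bytes, key: bytes = PLACEHOLDER_KEY) -> bytes:
    """Repeating-key XOR; the same call masks and unmasks a payload."""
    return bytes(b ^ k for b, k in zip(payload, cycle(key)))


def flatten(elem: ET.Element, prefix: str = "") -> dict:
    """Flatten nested tags so <reg><ip>x</ip></reg> becomes {'reg.ip': 'x'}."""
    out = {}
    for child in elem:
        name = prefix + child.tag
        if len(child):
            out.update(flatten(child, name + "."))
        else:
            out[name] = (child.text or "").strip()
    return out


def parse_p2p(cleartext: bytes) -> tuple:
    """Return (message type, fields) for a <P2P><TYPE>...</TYPE></P2P> payload.

    The single element under <P2P> names the message type (D2M_Q, M2D_Q_R,
    D2R_R, C2R_C, R2C_T, C2D_T, D2C_T, ...); the captures on the page suggest
    the letters encode direction, e.g. C2D = client to device.
    """
    root = ET.fromstring(cleartext)
    if root.tag != "P2P" or len(root) != 1:
        raise ValueError("not a P2P signaling message")
    msg = root[0]
    return msg.tag, flatten(msg)


def decode_packet(obfuscated: bytes, key: bytes = PLACEHOLDER_KEY) -> tuple:
    """Unmask one UDP payload and parse it."""
    return parse_p2p(xor_unmask(obfuscated, key))


# Constructed sample: the M2D_Q_R reply shown above, masked with the placeholder
# key, i.e. what a capture would look like under the assumed obfuscation.
SAMPLE_M2D_Q_R = xor_unmask(
    b"<P2P><M2D_Q_R>"
    b"<reg><ip>35.180.210.74</ip><port>58200</port></reg>"
    b"<log><ip>35.180.210.74</ip><port>57850</port></log>"
    b"<timer/><retry/><rsp>0</rsp>"
    b"<token>1598321923</token><ac>1130209852</ac>"
    b"</M2D_Q_R></P2P>"
)

if __name__ == "__main__":
    mtype, fields = decode_packet(SAMPLE_M2D_Q_R)
    print(mtype)
    for name, value in fields.items():
        print(f"  {name} = {value!r}")
```

Against a real capture you would swap in the recovered key and feed each UDP payload to decode_packet(); empty elements such as <timer/> come back as empty strings, and the flattened names (reg.ip, log.port, ...) are what the rest of the analysis keys on.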

Accessing the cleartext protocol was the first building block that allowed us to develop an understanding of the operations performed by the P2P server.

Communication Between the P2P client and the Reolink P2P Server

Once we established that we could access the cleartext communications between the NVR and the Reolink P2P server, it was time to bring a P2P client into the picture. There are several client applications available to choose from, both mobile and desktop. For the sake of the analysis, there’s no practical difference since they all use the same protocol.

We proceeded with the same methodology. By inspecting the deobfuscated communication between the client and the Reolink server, we could establish several things:

  • The Reolink server gives the IP address / UDP port pair of the NVR server (<dmap> tag) to the client.
  • The Reolink server also sends a sid value that is later used by the client to authenticate the NVR.
  • The client tells the Reolink server which IP address / UDP port pair it wants to use for the relay functionality (<relay> tag), discussed later in this article.

[UDP] p2p_client:23878 -> p2p.reolink.com:58200
<P2P>
<C2R_C>
<uid>9527000*************</uid>
<cli>
<ip>172.20.10.2</ip>
<port>23878</port>
</cli>
<relay>
<ip>35.180.210.74</ip>
<port>58100</port>
</relay>
<cid>878000</cid>
<debug>251658240</debug>
<family>4</family>
<p>MAC</p>
<r>3</r>
</C2R_C>
</P2P>
-----
[UDP] p2p.reolink.com:58200 -> p2p_client:23878
<P2P>
<R2C_T>
<dev>
<ip>192.168.0.250</ip>
<port>48428</port>
</dev>
<dmap>
<ip>62.23.60.33</ip>
<port>48428</port>
</dmap>
<sid>1050376851</sid>
<cid>878000</cid>
<rsp>0</rsp>
</R2C_T>
</P2P>

The code above shows the Reolink server and the client communicating IP address and UDP port pair information, as well as the value used to authenticate with the NVR.

Communication Between the NVR and the P2P Client

With all the pieces in place, we could finally understand how the P2P client communicates with the NVR. The precondition for this to happen is obviously that the NVR has enrolled itself with the Reolink server, otherwise the client would promptly be informed about missing source audio/video data.

To our surprise, even the communication between the NVR and the P2P client was lacking any sort of secure key exchange. Rather, the same hardcoded key that we used thus far to reveal the network traffic was still effective. We could then analyze how the P2P client authenticates itself to the NVR, using the sid value that was given by the Reolink server.

[UDP] p2p_client:23878 -> nvr:48428
<P2P>
<C2D_T>
<sid>1050376851</sid>
<conn>map</conn>
<cid>878000</cid>
<mtu>1350</mtu>
</C2D_T>
</P2P>
-----
[UDP] nvr:48428 -> p2p_client:23878
<P2P>
<D2C_T>
<sid>1050376851</sid>
<conn>map</conn>
<cid>878000</cid>
<did>848</did>
</D2C_T>
</P2P>

The P2P client authenticates itself to the NVR using the same sid value that was given by the Reolink server.

Before replying to the P2P client, the NVR receives a notification of the upcoming client connection from the Reolink server through the cmap tag, which works like the dmap tag presented earlier. At this point the P2P client is authenticated with the NVR and can start requesting audio/video streams.
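To make the three-way exchange concrete, here is an added example (ours, not Reolink’s or Nozomi’s tooling) that replays the seven messages above, already deobfuscated and flattened into dictionaries, and reconstructs what a passive on-path observer holding the hardcoded key learns about a session: the NVR’s public and LAN endpoints, the relay endpoint the client proposed, and the sid that the page describes as what authenticates the client to the NVR. The capture is constructed from the messages shown on this page, with the UID masked exactly as it is above; the server-to-NVR cmap notice is not modelled because its layout is not shown.

```python
"""Passive reconstruction of a Reolink P2P session from deobfuscated
signaling messages (added example). Input is a list of (type, fields)
pairs with nested tags flattened as 'dmap.ip' etc.; the capture below is
constructed from the exchange shown on the page.
"""
from dataclasses import dataclass


@dataclass
class Session:
    cid: str
    uid: str = ""
    client: str = ""            # address the client reports for itself (<cli>)
    relay: str = ""             # relay endpoint the client proposed (<relay>)
    nvr_public: str = ""        # NVR endpoint the server hands out (<dmap>)
    nvr_lan: str = ""           # NVR LAN endpoint the server hands out (<dev>)
    sid_issued: str = ""        # sid from R2C_T
    sid_presented: str = ""     # sid the client sent to the NVR in C2D_T
    nvr_answered: bool = False  # a D2C_T was seen for this cid


def endpoint(fields: dict, prefix: str) -> str:
    return f"{fields.get(prefix + '.ip', '?')}:{fields.get(prefix + '.port', '?')}"


class P2PSessionTracker:
    """Correlate the NVR, client and server legs by uid and cid."""

    def __init__(self):
        self.devices = {}   # uid -> {"lan": "ip:port", "token": "..."}
        self.sessions = {}  # cid -> Session

    def _session(self, cid: str) -> Session:
        return self.sessions.setdefault(cid, Session(cid=cid))

    def feed(self, mtype: str, f: dict) -> None:
        if mtype == "D2R_R":      # NVR completes its registration with the server
            self.devices[f["uid"]] = {"lan": endpoint(f, "dev"), "token": f.get("token", "")}
        elif mtype == "C2R_C":    # client asks the server for this uid
            s = self._session(f["cid"])
            s.uid, s.client, s.relay = f["uid"], endpoint(f, "cli"), endpoint(f, "relay")
        elif mtype == "R2C_T":    # server hands out the NVR endpoints and the sid
            s = self._session(f["cid"])
            s.nvr_public, s.nvr_lan, s.sid_issued = endpoint(f, "dmap"), endpoint(f, "dev"), f["sid"]
        elif mtype == "C2D_T":    # client presents the sid to the NVR
            self._session(f["cid"]).sid_presented = f["sid"]
        elif mtype == "D2C_T":    # NVR answers the client
            self._session(f["cid"]).nvr_answered = True
        # D2M_Q / M2D_Q_R carry nothing the report needs, and the server-to-NVR
        # <cmap> notice is not modelled: its layout is not shown on the page.

    def report(self) -> dict:
        out = {}
        for cid, s in self.sessions.items():
            out[cid] = {
                "uid": s.uid,
                "nvr_registered": s.uid in self.devices,
                "nvr_public": s.nvr_public,
                "nvr_lan": s.nvr_lan,
                "relay": s.relay,
                "sid": s.sid_issued,
                # The page describes the sid as what authenticates the client to
                # the NVR, so that match (plus an NVR answer) is all we check.
                "client_authenticated": bool(s.sid_issued)
                and s.sid_presented == s.sid_issued
                and s.nvr_answered,
            }
        return out


def reconstruct(capture) -> dict:
    tracker = P2PSessionTracker()
    for mtype, fields in capture:
        tracker.feed(mtype, fields)
    return tracker.report()


UID = "9527000*************"   # masked exactly as on the page

# Constructed capture: the seven messages shown above, unmasked and flattened.
CAPTURE = [
    ("D2M_Q",   {"uid": UID, "ver": "2", "r": "3"}),
    ("M2D_Q_R", {"reg.ip": "35.180.210.74", "reg.port": "58200",
                 "log.ip": "35.180.210.74", "log.port": "57850",
                 "rsp": "0", "token": "1598321923", "ac": "1130209852"}),
    ("D2R_R",   {"uid": UID, "dev.ip": "192.168.0.250", "dev.port": "46469",
                 "token": "1598321923", "r": "3"}),
    ("C2R_C",   {"uid": UID, "cli.ip": "172.20.10.2", "cli.port": "23878",
                 "relay.ip": "35.180.210.74", "relay.port": "58100",
                 "cid": "878000", "family": "4", "p": "MAC", "r": "3"}),
    ("R2C_T",   {"dev.ip": "192.168.0.250", "dev.port": "48428",
                 "dmap.ip": "62.23.60.33", "dmap.port": "48428",
                 "sid": "1050376851", "cid": "878000", "rsp": "0"}),
    ("C2D_T",   {"sid": "1050376851", "conn": "map", "cid": "878000", "mtu": "1350"}),
    ("D2C_T",   {"sid": "1050376851", "conn": "map", "cid": "878000", "did": "848"}),
]

if __name__ == "__main__":
    for cid, info in reconstruct(CAPTURE).items():
        print(cid, info)
```

Everything in the resulting report is visible to anyone who can read the UDP traffic and knows the hardcoded key, which is the point the next two sections build on: there is no key exchange in which the observer is not a party.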

CVE-2020-25169 – P2P video/audio lack of encryption and stream reconstruction

CWE-319: Cleartext Transmission of Sensitive Information

We requested audio/video streams from the client to generate traffic for later analysis. The first noticeable difference in the packets carrying audio/video data is their specific header magic, namely 0x2a87cf10.

The other obvious element that stood out was the presence of some cleartext “keywords” such as 01dcH264. This suggested that a secure encryption of the payload might be missing altogether. We proceeded to determine the remaining header fields to properly reconstruct the stream as seen by the client. Once finished, we could reproduce the audio/video content in cleartext.

The consequence of this design choice is that anybody who can access client/NVR traffic as it traverses the internet can access its audio/video payload—with no confidentiality for the parties involved.

The audio/video stream, as seen from the internet.

In some situations, the connection between a client and the NVR is not stable enough. In these cases, the Reolink P2P implementation also allows for the P2P server to act as a relay node, effectively behaving as a man-in-the-middle.

Coupling the lack of end-to-end encryption with the relay feature de facto exposes the cleartext audio/video stream to the vendor.

CVE-2020-25173 – P2P protocol deobfuscation and credentials leak

CWE-321: Use of Hard-Coded Cryptographic Key

While investigating the protocol exchange between the Reolink P2P server and the NVR, we noticed another security issue. The vendor’s server also pulls the list of local users registered with the NVR, together with their corresponding cleartext passwords.

We struggle to understand why the vendor wants access to this sort of information. The immediate consequence of this design is that an actor who can access this network traffic can fetch the local users’ credentials. Once they deobfuscate the protocol, as explained earlier, they can log in to the NVR with a regular Reolink client.

<xml version="1.0" encoding="UTF-8">
<body>
<AbilitySuppport version="1.1">
<userName></userName>
<system>1</system>
<streaming>1</streaming>
<record>1</record>
<network>1</network>
<PTZ>1</PTZ>
<IO>0</IO>
<alarm>1</alarm>
<image>1</image>
<video>1</video>
<audio>1</audio>
<security>1</security>
<replay>1</replay>
<disk>1</disk>
</AbilitySuppport>
<UserList version="1.1">
<User>
<userId>0</userId>
<userName>admin</userName>
<password>aaaaaa</password>
<userLevel>1</userLevel>
<loginState>1</loginState>
<userSetState>none</userSetState>
</User>
</UserList>
</body>
</xml>

NVR cleartext username/passwords are sent to Reolink servers.
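Defenders monitoring OT networks will mostly want to detect, rather than decode, this traffic. The scanner below is an added example (not Nozomi’s or Reolink’s code) that flags both findings in raw UDP payloads: media packets are recognised by the 0x2a87cf10 magic (both byte orders are accepted, since the wire order is not stated above) and checked for the cleartext 01dcH264 codec marker; everything else is unmasked with the same assumed repeating-key XOR under a placeholder key and inspected for a UserList element carrying password values. The three sample payloads are constructed to match the shapes shown on this page; the bytes after the magic are filler, because the media header layout is not described here.

```python
"""Flag cleartext media and leaked NVR credentials in captured UDP payloads
(added example). Assumptions: the media magic is checked in both byte
orders; non-media payloads are unmasked with a repeating-key XOR under a
placeholder key, not the real hardcoded one.
"""
import struct
import xml.etree.ElementTree as ET
from itertools import cycle

MEDIA_MAGIC = 0x2A87CF10
MAGIC_BYTES = {struct.pack(">I", MEDIA_MAGIC), struct.pack("<I", MEDIA_MAGIC)}
CODEC_MARKERS = (b"01dcH264",)                          # cleartext keyword seen in the stream
PLACEHOLDER_KEY = b"\x1f\x2e\x3d\x4c\x5b\x6a\x79\x88"  # stand-in, not the real key


def xor_unmask(data: bytes, key: bytes = PLACEHOLDER_KEY) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def classify(payload: bytes) -> dict:
    """Label one UDP payload as media, signaling, credential_leak or unknown."""
    if payload[:4] in MAGIC_BYTES:
        return {"kind": "media",
                "cleartext_codec_marker": any(m in payload for m in CODEC_MARKERS)}
    text = xor_unmask(payload)
    start = text.find(b"<UserList")
    if start != -1:
        end = text.find(b"</UserList>", start)
        if end == -1:
            return {"kind": "credential_leak", "users": [], "cleartext_passwords": 0,
                    "truncated": True}
        # Parse only the UserList fragment so the surrounding wrapper does not matter.
        user_list = ET.fromstring(text[start:end + len(b"</UserList>")])
        users = user_list.findall("User")
        return {"kind": "credential_leak",
                "users": [u.findtext("userName", "") for u in users],
                # Report that a password is present, never the secret itself.
                "cleartext_passwords": sum(1 for u in users if u.findtext("password"))}
    if text.lstrip().startswith(b"<P2P>"):
        return {"kind": "signaling"}
    return {"kind": "unknown"}


def scan(payloads) -> dict:
    """Classify every payload and summarise what an on-path observer obtains."""
    findings = [classify(p) for p in payloads]
    return {
        "findings": findings,
        "cleartext_media_packets": sum(1 for f in findings
                                       if f["kind"] == "media" and f["cleartext_codec_marker"]),
        "leaked_accounts": [u for f in findings if f["kind"] == "credential_leak"
                            for u in f["users"]],
    }


# Constructed samples (shapes only): a media packet with filler header bytes, the
# C2D_T handshake from above, and the UserList blob, the latter two masked.
MEDIA_PKT = (struct.pack(">I", MEDIA_MAGIC) + b"\x00" * 12 + b"01dcH264"
             + b"\x00\x00\x00\x01\x67" + b"\xaa" * 16)
SIGNALING_PKT = xor_unmask(b"<P2P><C2D_T><sid>1050376851</sid><conn>map</conn>"
                           b"<cid>878000</cid><mtu>1350</mtu></C2D_T></P2P>")
USERLIST_PKT = xor_unmask(
    b'<body><UserList version="1.1"><User><userId>0</userId><userName>admin</userName>'
    b"<password>aaaaaa</password><userLevel>1</userLevel></User></UserList></body>")

if __name__ == "__main__":
    print(scan([MEDIA_PKT, SIGNALING_PKT, USERLIST_PKT]))
```

The scanner reports the count of cleartext passwords rather than their values, which is what belongs in an alert; the user names are enough to know which accounts to rotate once the firmware is updated or P2P is disabled.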

Vendor Mitigation

Reolink has released a new firmware version which, according to the vendor, mitigates the issues discussed in this post. Nevertheless, we suggest you carefully evaluate the risks of the P2P functionality before enabling it, and consider alternatives such as a VPN, which provides stronger security at the cost of more setup effort.

Reolink P2P Vulnerabilities Highlight IoT Security Camera Risks

IoT security cameras are extensively used by industry and the critical infrastructure sector. According to research firm Markets and Markets, the global video surveillance market is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025, with the infrastructure sector (transportation, city surveillance, public places, and utilities) expected to grow at the highest CAGR over that period.

Given their prevalence and growing use, it’s important to understand the security risks of IoT cameras. We urge you to take measures to prevent unauthorized access to audio/video streams and CCTV user credentials. Failure to do so could result in privacy, confidentiality, and business harms.

The post New Reolink P2P Vulnerabilities Show IoT Security Camera Risks appeared first on Nozomi Networks.

This content was originally published here.

Precision agriculture using AI and IoT to usher in the next revolution in food security

Micromanagement of every aspect of the field used for your crops is called precision agriculture. It includes mapping the field in terms of disparities within it or with other fields around it, sunlight variation across the year, wind patterns, rain predictions and other seasonal effects. To do that, feeds from weather stations, remote sensing equipment, GIS and GPS may be used.

Another key feature of precision farming is having a trained software module on the specific crop being planned in that field. This software module has an understanding about the growth patterns of that crop, possible diseases that are related to that crop, prescriptions of specific fertilizer or pesticides depending upon the disease pattern, and prediction of disease depending upon the growth of leaves or size or colour of the plant.

It uses feed sensors, weight sensors, soil sensors, temperature sensors, intensity sensors and multiple types of cameras. All these sensors may be deployed on a machine, which can be a low-flying drone or a small robot moving through the field. Based on the crop and the size of the plants, the robot’s height and size can be adjusted. This robot or drone will have multiple compartments full of the different inputs the plants require: one box may contain water, another pesticides, another fertilizer and so on. Based on the real-time feedback from the sensors, the software module will process that information according to the trained AI model installed on the robot or drone. Depending on the resulting trigger, instructions will follow, and the robot will discharge a specific amount of pesticide, fertilizer or water.

This whole mechanism may look like a complex process for small and medium level farmers, but that is not the case. Just like farmers currently hire big machines for sowing and cutting the crops, they will be able to hire different kinds of robots for their specific crops. Initially the cost will be high, but eventually, when this becomes a standard practice, the cost will come down with volume and scale.

The end user will not be required to understand or learn about these complex systems. They will just employ these systems like we use washing machines without understanding the mechanical engineering behind their working. The farmer will only need to follow some simple and clear instructions and press a few buttons.

While its execution will be simple, the advantages of precision farming are many and varied. End-to-end efficiency and a decrease in wastage or loss of the yield due to disease will lead to an increase in crop yield. Another advantage is the huge saving in inputs: currently, farmers waste a lot of water, pesticides and fertilizers because these are spread all over the field, and a significant portion is never used by the plants. With robots in the field, only the required resources will be delivered near the roots of the plants, which will save a lot of resources. It will also produce a lot of data across fields, regions and geographies, which will lead to better policy decisions regarding which crops to promote, pricing of the output, availability of markets for the produce, value-added products in the food chain, etc.

Many people may be worried about the impact of such technologies on the job market for agricultural workers. It will result in net additional jobs in this sector: many hands will be required for the maintenance, operations, storage, production and marketing of this variety of robots and drones. The only challenge is that existing agricultural workers will need training to work on these modern machines, which will require a huge effort on the part of both trainers and farmers. In conclusion, precision farming is going to be the next big thing in agriculture, with a significant impact on the economy, food self-reliance and modern society.




IoT Security In The Spotlight, As Research Highlights Alexa Security Flaws | Information Security Buzz

Last week, IoT security was in the spotlight again as researchers warned that Amazon’s Alexa is vulnerable to malicious third-party apps, or “skills”, that could leave owners at risk of a wide range of cyberattacks.

Researchers analyzed 90,194 unique skills from Amazon’s skill stores across seven countries and found widespread security issues that could lead to phishing attacks or the ability to trick Alexa users into revealing sensitive information.

For instance, developers can register skills that fraudulently use well-known company names, and leverage these fake brand names to send out phishing emails that link to the skill’s Amazon store webpage. Attackers can also make code changes after their skills have been approved by Amazon, opening the door for various malicious configurations.


Continued innovation in the Internet of Things technology has propelled us into the Fourth Industrial Revolution and is undoubtedly valuable for consumers and businesses alike.

However, as this research into Alexa’s vulnerabilities has shown, we can’t be oblivious to the security risks that go hand-in-hand with introducing such a large number of devices into the ecosystem. Left unchecked, this presents a huge security risk. While there are many potential threats to IoT devices, a common thread in IoT security weakness is the lack of strong authentication.

As attack vectors continue to evolve, it is increasingly critical that organizations embrace security solutions that ensure the integrity and security of their IoT systems. Best-practices for IoT device security include strong authentication and secure software updates – ensuring only authentic code can be installed on the device. For a complex system such as Alexa’s Skills that involve the Alexa platform, third-party apps and third-party cloud services – a comprehensive approach to ensuring the security of the ecosystem is essential.

Alan Grau, VP of IoT, provides expert commentary for “dot your expert comments” at Information Security Buzz: “Best-practices for IoT device security include strong authentication and secure software updates….”
https://informationsecuritybuzz.com/expert-comments/iot-security-in-the-spotlight-as-research-highlights-alexa-security-flaws


Is Biden’s Peloton Bike an IoT Cybersecurity Risk? – Security Boulevard


Is Every Connected Device in a Staffer’s Home an IoT Cybersecurity Risk?

Most folks are still working from home at least some of the time. That creates a number of challenges for IT departments around cybersecurity and smart devices. As our lives become ever more connected to the internet through everything from smartphones to smart bikes, it’s important to remember that even the most humble internet-connected device can be a security risk. Many business IT teams are still coming to terms with that increased Internet-of-Things (IoT) cybersecurity risk and how to mitigate it.


IoT Devices (and Risks) Are Proliferating

During the last year, as we all spent more time at home, many folks discovered that they could make their home lives a little more pleasant with IoT devices. Experts estimate that more than 26.66 billion IoT devices are active in 2020, with 127 new IoT devices connecting to the internet every second. However, researchers also report that IoT devices face 5,200 attacks a month. That means that organizations need to keep IoT security top of mind as their security posture evolves.

That includes the White House. The original work-from-home example, the President’s house is also home to one of the world’s most secure and sensitive networks. As new First Families move in with a growing number of IoT devices, President Biden and his Peloton bike among them, the White House cybersecurity team faces the same dilemma as many businesses: how to secure its IT environment against the potential risk.


How to Mitigate the Risk

In the case of the President’s bike, the Secret Service and the National Security Agency (NSA) will make changes to both the physical structure and the IT capability as well as enacting strong access control policies and tools in order to mitigate the risk. Cameras and microphones will be removed, and a constant series of password changes will help blunt the possibility of foreign agents hacking into President Biden’s Peloton. This tracks with the advice given by the National Institute of Standards and Technology (NIST).

But most companies don’t need to go that far when securing their environments against IoT risks. Businesses can keep their networks safe and employees can enjoy their IoT devices without taking drastic measures or spending a fortune. While cybercrime risks continue to climb across the board, by taking sensible precautions, organizations can secure their systems and data from many of the pitfalls that arise from remote working IoT cybersecurity risks quickly and affordably.


Add a Universal Mitigation Now

One key to mitigating IoT risk and remaining cyber resilient as an organization is maintaining strong access point control. It’s not just a fantastic mitigation for IoT risk either. Strong access point control is essential for mitigating all types of cybersecurity risk – and secure identity and access management with a solution like Passly is an effective, cost-effective way to implement it in a flash.

Passly brings major weapons against intrusion to the fight with multifactor authentication (MFA), single sign-on (SSO), and secure shared password vaults. MFA is a must-have in today’s rapidly evolving threat landscape – it has been proven to block up to 99.9% of common cyberattacks from getting through to business systems. Back that up with single sign-on that empowers your IT team to add and remove permissions fast in case of compromise and secure shared password vaults to make sure that your team can easily respond to emergencies remotely, and you’ve added a huge amount of security strength for a small price.
