Nozomi Networks published research about vulnerabilities found in the Peer-to-Peer (P2P) feature of a commonly used line of security cameras - Reolink. The most critical vulnerability, assigned a CVSS score of 9.1, allows attackers to access sensitive information such as audio/video streams across the internet. The second vulnerability, assigned a CVSS score 7.7, allows unauthorized users to access local users’ credentials. Nozomi’s research team coordinated disclosure with ICS-CERT, which published an advisory regarding the Reolink vulnerabilities.
Peer-to-Peer (P2P), in the context of security cameras, refers to functionality that allows a client to access audio/video streams transparently through the internet. The video data is available from the cameras or accessed through NVRs. P2P is used by Reolink and several other security camera vendors, so for the many operators of CCTV cameras with this feature, it’s important to understand the security risks.
According to research firm Markets and Markets, the global video surveillance market size is expected to grow from US $45.5 billion in 2020 to US $74.6 billion by 2025. The infrastructure sector—including transportation, city surveillance, public places, and utilities, is expected to grow at the highest CAGR during that period.
Reolink has released a new version of the firmware, which according to them, mitigates these issues. However, Nozomi urges companies to carefully evaluate the potential risks involved with P2P functionality before enabling it. One option is to consider alternatives such as VPNs, which provide stronger security, although more setup effort.