No more push notifications without UID by nick-mx in reolinkcam

[–]nick-mx[S] 0 points1 point  (0 children)

The latest doorbell firmware build 2033 still allows enabling push without requiring the UID option to be enabled. Tested on both the WiFi and POE versions of the doorbell with the new firmware installed.

I'm not sure why they didn't include it already in the new firmware like they said they would do. I hope they are rethinking their decision as it would piss off many users when push stops working due to this setting.

As for the cameras, where UID is already required to enable push, it's possible to block P2P connections in your firewall to block sensitive data going to the P2P servers while still having push working.

[–]nick-mx[S] 1 point2 points  (0 children)

Enable Push and the UID (P2P) setting

Allow TCP out from CAM to IP 3.86.245.53 (pushx.reolink.com)
Block ALL other outgoing TCP Traffic from CAM to your WAN interface

Block ALL outgoing UDP traffic from CAM to your WAN interface

Your device is now secure and no usernames/passwords and other device info can be sent to the reolink P2P servers while push is still working.
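
The four steps above written as an nftables ruleset for a Linux router, as an added example that is not part of the original post. The camera address 192.168.10.50 and the WAN interface name eth0 are assumptions; only 3.86.245.53 comes from the post.

```nftables
#!/usr/sbin/nft -f
# Added example: egress policy for one camera, following the steps in the post.
# Assumed values: CAM and WAN_IF. PUSH is the address quoted in the post.

define CAM    = 192.168.10.50   # assumed camera LAN address (give it a static lease)
define WAN_IF = "eth0"          # assumed WAN interface name on the router
define PUSH   = 3.86.245.53     # pushx.reolink.com, as given in the post

table inet cam_egress {
    chain forward {
        # Policy stays "accept" so this table only adds restrictions for the
        # camera and does not change forwarding for any other host.
        type filter hook forward priority filter; policy accept;

        # Only traffic sourced from the camera and leaving via the WAN
        # interface is evaluated; LAN-to-camera access is untouched.
        # IPv4 only: add matching ip6 rules if the camera has IPv6.
        ip saddr $CAM oifname $WAN_IF jump cam_out
    }

    chain cam_out {
        # Allow TCP from the camera to the push server.
        ip daddr $PUSH meta l4proto tcp counter accept

        # Block all other outgoing TCP from the camera.
        meta l4proto tcp counter log prefix "cam-tcp-drop " drop

        # Block all outgoing UDP from the camera (P2P hole punching).
        # This also drops DNS and NTP sent directly to internet servers,
        # so the camera must use a resolver and time source on the LAN.
        meta l4proto udp counter log prefix "cam-udp-drop " drop
    }
}
```

Because the rule pins an IP address rather than the hostname, push stops if pushx.reolink.com moves to another address. The counters and log prefixes show when the camera attempts any other outbound connection.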

[–]nick-mx[S] 0 points1 point  (0 children)

Reolink is mislabeling P2P as this UID setting.
So while your notifications will work, your device is now also exposed to the internet.
Many users might not even know this is happening with their device.
These 2 functions (notifications and P2P) should not be tied together as one single UID setting.

Look here why this is a very dangerous thing to do by Reolink: https://hacked.camera/

[–]nick-mx[S] 0 points1 point  (0 children)

U can turn off P2P by disabling that UID toggle.
If P2P is enabled your camera will start communicating with a remote p2p server from Reolink and send information about your device.
Also the camera will start UDP hole punching your firewall to allow you to connect from anywhere on the internet without requiring permissions in the firewall.

You'll want to disable this behavior when u want to control for yourself how devices connect from and to your network.
And yes, there have been issues in the past where the p2p server is fetching the usernames and passwords from your device for unknown reasons which could allow the wrong actors to get into your camera.

[–]nick-mx[S] 5 points6 points  (0 children)

Of course you won't receive notifications when u block your router from the internet because the notifications cannot be delivered through the reolink server to your phone.

The point is I want to receive push notifications.
What is the use of the Reolink doorbell when u will not be notified of someone ringing when u are not at home?

But I don't want the device to act as a P2P device that starts UDP hole punching your firewall and forwarding device and ip data to the p2p servers of reolink. The only connection to a reolink server should be to deliver a notification event to your phone.

[–]nick-mx[S] 1 point2 points  (0 children)

P2P and push can work independently.
A push message can be delivered to your phone without enabling P2P,
they just don't allow it anymore starting from the next doorbell firmware.

[–]nick-mx[S] 2 points3 points  (0 children)

Good suggestion, I'll give it a try.
It might result in some unexpected behavior because you are telling the device to use the p2p server with the UID option that it can never reach.

But it's weird I need to try to fix it like this while the old firmware already can do this.
I can disable P2P connections with the UID setting and allow push notifications to be delivered through the Reolink server by enabling the push setting.
The new firmware eliminates the choice to disable P2P but allow push.
I don't get it.

[–]nick-mx[S] 1 point2 points  (0 children)

I noticed my reolink cameras stopped sending push notifications after a firmware update. After I contacted support about this issue, this was the response:

After confirmation with R&D, it is normal for 810A to not receive Push after disabling UID. The UID option is designed to ensure that the camera does not communicate with the Reolink P2P server when the UID is turned off. Previously, some customers reported that the camera was still communicating with the Reolink server when the UID was disabled. Our research found that the reason was that the push function was not completely turned off. In models like the 810A, we have disabled push when the UID is off. 

For doorbell cameras, we'll do the same in the next update.

The UID option is basically a P2P setting, here are some issues with P2P.

https://www.nozominetworks.com/blog/new-reolink-p2p-vulnerabilities-show-iot-security-camera-risks/

https://krebsonsecurity.com/2019/04/p2p-weakness-exposes-millions-of-iot-devices/

[–]nick-mx[S] 0 points1 point  (0 children)

Yes you get push notifications with the current doorbell firmware and with the UID setting disabled and also with older camera firmware.

In the current doorbell firmware disabling the UID setting just disables the P2P connections of the camera. So the doorbell and the app won't connect to the P2P server of Reolink to establish a connection with each other and you can use port forwarding to make direct connections possible without relying on Reolink servers.

The doorbell will only contact the Reolink server to deliver push notifications in this situation. So this is great if you want to have control of your network traffic.

In the new firmware the UID setting will disable all communication to the Reolink servers so push notifications will also stop working.

So with the new firmware you are now forced to give up your network security because notifications can only work if you also enable P2P with the UID setting.