Initial Review of the Reolink RLC-410 5mp PoE Bullet IP Camera

Initial Review of the Reolink RLC-410 5mp PoE Bullet IP Camera

Updated: 2018-12-16

• Price is excellent
• Support request was answered quickly
• Camera is larger than Hikvision bullet
• Browser depends on Flash player
• No way to change the self signed HTTPS certificate
• Clear text username password in snapshot url
• No NFS but does have local SD card
• Poor lens, lots of distortion on sides
• 5mp but it is 4:3 aspect ratio
• Does have Macintosh viewing app
• Does have an iOS app
• Easy to configure
• Works with Apple macOS browsers
• Mac app does not have a snap to aspect ratio so its hard to eliminate stretch
• Uses "P2P" for remote access with the macOS and iOS apps. See security references below.
• No evidence of IPv6
• NTP can be configured
• Reolink support provided a firmware update to solve a problem with snapshots from the camera. The original firmware timed out on the snapshot unless at about a third of the image is masked.

References

• Snapshot URL - http://192.168.6.178/cgi-bin/api.cgi?cmd=Snap&channel=0&rs=wuuPhkmUCeI9WG7C&user=admin&password=PASSWORD
• Browser username is admin
• Turn off UUID to disable P2P.
• Reolink CGI Commands
• Error: { "cmd" : "Snap", "code" : 1, "error" : { "detail" : "Snap", "rspCode" : -8 }: means the snapshot timed out.

Security References

• Krebs IoT Under Siege
• Kreb IoT Attacks
• Krebs Web Polluters
• P2P Communication Across Network Address Translators

Cybereason’s Advice: "Avoid the P2P models like the plague. If you have security cameras or DVR devices that are connected to the Internet, make sure they are up to date with the latest firmware. Beyond that, consider completely blocking external network access to the devices and enabling a VPN if you truly need remote access to them."