Reolink Hardcoded Cryptographic Key Vulnerability in P2P Camera Encryption

Vulnerability

A vulnerability exists in Reolink cameras whose Android application, version 4.54.0.4.20250526, uses a hardcoded encryption key and initialization vector (IV). This flaw allows an attacker to decrypt access tokens and web session tokens stored within the app, potentially compromising the camera's security. The issue arises from the use of predictable IVs with Cipher Block Chaining (CBC) mode, which makes the encryption susceptible to dictionary attacks when the same key is used.
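
The weak pattern described above next to one common hardened form, as an added example that is not code from the Reolink app or from this advisory. It assumes AES as the block cipher (the advisory does not name one); the key, IV, token and class name are constructed placeholders.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class TokenEncryptionDemo {
    // Constructed placeholder values, NOT the key or IV from the Reolink app.
    static final byte[] FIXED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static final byte[] FIXED_IV = new byte[16];

    // Weak pattern: key and IV are constants compiled into the app.
    static byte[] encryptWeak(byte[] token) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(FIXED_KEY, "AES"), new IvParameterSpec(FIXED_IV));
        return c.doFinal(token);
    }

    // Hardened pattern: per-install key, fresh random nonce per message, authenticated mode.
    static byte[] encryptHardened(SecretKey key, byte[] token) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(token);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out; // layout: nonce || ciphertext || tag
    }

    public static void main(String[] args) throws Exception {
        byte[] token = "constructed-sample-token".getBytes(StandardCharsets.UTF_8);
        // Same token, same key, same IV: the ciphertext is identical on every call.
        System.out.println("weak repeats:     " + Arrays.equals(encryptWeak(token), encryptWeak(token)));

        // On Android this key would be generated inside the Android Keystore
        // rather than in app memory; a plain KeyGenerator keeps the demo portable.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        System.out.println("hardened repeats: " + Arrays.equals(encryptHardened(key, token), encryptHardened(key, token)));
    }
}
```

Because the weak form is deterministic and its key ships in every copy of the app, equal tokens encrypt to equal ciphertexts and anyone holding the binary holds the key; the hardened form removes both properties.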

Impact

Exploitation of this vulnerability could lead to unauthorized access to decrypted tokens, allowing for further compromise of Reolink P2P cameras, potentially beyond the local network.

Reproduction

The vulnerability can be reproduced by reverse engineering the Reolink Android app version 4.54.0.4.20250526 to extract the hardcoded encryption key and IV. This key can then be used to decrypt the access tokens and web session tokens stored within the app.

Added: Aug 22, 2025, 5:48 PM
Updated: Aug 22, 2025, 6:45 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 5.2
remediation: 8.3
relevance: 0.4
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.