📌 1. Reporting information

• Name : Team Brrester

  ---

🧩 2. Overview of Vulnerabilities

• Vulnerability title: Sensitive user information decryption and session exploitation vulnerabilities with hard-coded AES keys and fixed IVs

• Date of discovery: 2025.05.29.

• Discovery Location: BCSDK_Decrypt Function in lib/arm64-v8a/libBCSDKWrapper.so

• Vulnerability type:

  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-329: Generation of Predictable IV with CBC Mode

• Vulnerability Description:

  • The vulnerability stems from the fact that when performing AES-CBC decryption in the BCSDK_Decrypt function in the native library (libBCSDKWrapper.so ) of the Reolink app, the encryption key and initialization vector (IV) are hard-coded into the code, and IV is also used as a fixed constant value. An attacker can easily extract this through reverse engineering, using it to decrypt access tokens and web session tokens stored inside the app. In fact, we succeeded in accessing Reolink web services without authentication using decrypted session tokens, which can lead to user session takeover.

  ---

🔍 3. Details

• Impacted Products/Services: Reolink App

• Product version: 4.54.0.4.20250526

• Vulnerable components: BCSDK_Decrypt function in lib/arm64-v8a/libBCSDKWrapper.so

• Attack Vector:

  • The Reolink app stores user authentication information (Access Token, Refresh Token, Web Session Token, etc.) in the Account Manager class in Shared Preferences, and performs the decryption process through com.android.bc.util.utility.getDecryptDataWithSharePreferenceKey().
  • The corresponding decryption logic is defined in the BCSDK_Decrypt(char*) function in the native library lib/arm64-v8a/libBCSDKWrapper.so , and the encryption key and IV are hard-coded while using the AES-CBC algorithm.
  • Specifically, when calling the AES_init_ctx_iv() function " @20161111!&" is used as the key and "0123456789abcdef" is used as IV, and these values can be easily extracted by anyone using binary analysis.
  • An attacker can use the key and IV to decrypt the encrypted token value stored inside the app, and in fact, it has succeeded in securing a session token that can be logged in to the Realink web portal through the decryption result of Share_FILE_KEY_ACCOUNT_WEB_SESSION.
  • This allows unauthorized access to Reolink accounts by stealing user sessions without authentication as long as a malicious third party secures device access rights.

• Procedure for reproduction:

  1. APK extraction and decompilation of the Realink app
  2. libBCSDKWrapper.so binary analysis confirms the use of hard-coded keys ( @20161111!&) and IV (0123456789abcdef).
  3. Extract encrypted Shared Preferences from Android devices
     • Extract /data/data/com.mcu.reolink/shared_prefs/share_reolink.xml via Root permissions or backup functions
     • Keys such as SHARE_FILE_KEY_ACCONTKEN and SHARE_FILE_KEY_ACCONT_WEB_SESSION are included.
  4. Running a decryption script with Python
     • After decoding the extracted ciphertext, perform AES-CBC decryption with hard-coded Key/IV.
  5. Test session token verification and authentication bypass
     • Set the decrypted web session token (SHARE_FILE_KEY_ACCOUNT_WEB_SESSION) to the cookie value of the web browser.
     • Attempt to log in to the Realink web portal (https://reolink.com )

• PoC code:

  Extract encrypted Shared Preferences XML

  Python decryption code

• Screenshot or Log: