Security Experts:

Connect with us

Hi, what are you looking for?



Backdoor Found in Many Sony Security Cameras

Sony has released firmware updates for many of its security cameras to address a critical vulnerability that can be exploited to take control of the devices, including by botnets such as Mirai.

Sony has released firmware updates for many of its security cameras to address a critical vulnerability that can be exploited to take control of the devices, including by botnets such as Mirai.

The flaw, discovered by IT security services and consulting company SEC Consult, affects 80 Sony SNC series IP cameras that feature the company’s IPELA ENGINE signal processing system. These professional products are used by many organizations worldwide, including by FIFA during the 2014 World Cup.

An analysis revealed that the firmware for Sony IPELA ENGINE IP cameras contains hardcoded password hashes for the admin and root users. Researchers only cracked the admin password, which is “admin,” but they believe the root password can also be easily obtained.

Experts also discovered a CGI binary (prima-factory.cgi) that allows a remote user to enable the Telnet service on a device by sending it a specially crafted HTTP request. The request needs to include authentication data, but the username and password (primana/primana) can be found in plain text in a file.

An attacker can use these credentials to send a request to prima-factory.cgi and enable the Telnet service, and then leverage the root account to gain remote access with elevated privileges.

According to SEC Consult, the “primana” user account, which is effectively a backdoor, appears to have been introduced on purpose by Sony for device testing. Experts also uncovered a similar account named “debug” with the password “popeyeConnection,” but its functionality has not been analyzed.

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult researchers said in a blog post.

Once they gain root access to the device, attackers can carry out various actions, such as disrupting camera functionality, spying on the user, manipulating videos, breaching the network that houses the camera, and infecting it with Mirai-like malware.

The vulnerability can be exploited by an attacker with network access or over the Internet if the camera’s web interface is exposed. An online search shows roughly 4,000 cameras accessible from the Internet, including many from the United States and Germany, but experts believe the actual number is likely much higher.

Sony was informed about these vulnerabilities on October 11 and it released firmware updates – versions 1.86.00 and 2.7.2 – on November 28. SEC Consult has asked Sony about the role of the backdoor, but the vendor has refused to provide any details.

The security firm has also reached out to CERT teams in Germany and Austria, and FIRST, which will notify government and critical infrastructure organizations that might be using the vulnerable products.

Related: Surveillance Cameras From 70 Vendors Vulnerable to Remote Hacking

Related: Serious Flaw Found in Popular D-Link Wi-Fi Camera

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.