Backdoor Found in Many Sony Security Cameras

Sony has released firmware updates for many of its security cameras to address a critical vulnerability that can be exploited to take control of the devices, including by botnets such as Mirai.

The flaw, discovered by IT security services and consulting company SEC Consult, affects 80 Sony SNC series IP cameras that feature the company’s IPELA ENGINE signal processing system. These professional products are used by many organizations worldwide, including by FIFA during the 2014 World Cup.

An analysis revealed that the firmware for Sony IPELA ENGINE IP cameras contains hardcoded password hashes for the admin and root users. Researchers only cracked the admin password, which is “admin,” but they believe the root password can also be easily obtained.

Experts also discovered a CGI binary (prima-factory.cgi) that allows a remote user to enable the Telnet service on a device by sending it a specially crafted HTTP request. The request needs to include authentication data, but the username and password (primana/primana) can be found in plain text in a file.

An attacker can use these credentials to send a request to prima-factory.cgi and enable the Telnet service, and then leverage the root account to gain remote access with elevated privileges.

According to SEC Consult, the “primana” user account, which is effectively a backdoor, appears to have been introduced on purpose by Sony for device testing. Experts also uncovered a similar account named “debug” with the password “popeyeConnection,” but its functionality has not been analyzed.

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult researchers said in a blog post.

Once they gain root access to the device, attackers can carry out various actions, such as disrupting camera functionality, spying on the user, manipulating videos, breaching the network that houses the camera, and infecting it with Mirai-like malware.

The vulnerability can be exploited by an attacker with network access or over the Internet if the camera’s web interface is exposed. An online search shows roughly 4,000 cameras accessible from the Internet, including many from the United States and Germany, but experts believe the actual number is likely much higher.

Sony was informed about these vulnerabilities on October 11 and it released firmware updates – versions 1.86.00 and 2.7.2 – on November 28. SEC Consult has asked Sony about the role of the backdoor, but the vendor has refused to provide any details.

The security firm has also reached out to CERT teams in Germany and Austria, and FIRST, which will notify government and critical infrastructure organizations that might be using the vulnerable products.

Related: Surveillance Cameras From 70 Vendors Vulnerable to Remote Hacking

Related: Serious Flaw Found in Popular D-Link Wi-Fi Camera