In late November, Sony released a firmware update that closed off remote administration backdoors in a popular line of IP-enabled cameras used by enterprises and law enforcement alike. The backdoors could be abused to draft these devices into botnets, to manipulate images, or to move further into the network.
The update for the Sony IPELA Engine IP Cameras was made available Nov. 28, more than a month after the issue was privately disclosed by SEC-Consult researcher Stefan Viehbock.
“An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you,” SEC-Consult wrote today in its public disclosure. The company said 80 different Sony cameras were backdoored.
SEC-Consult said its best guess is that the backdoors were an intentional remote administration feature that could be used for debugging or factory functional testing. The researchers ruled out that the cameras were backdoored by a third party.
In addition to ensuring the firmware update is promptly applied, the researchers advise users to restrict access to the cameras by using VLANs or updated firewall rules.
The news comes weeks after the intensity died down around the Mirai malware-fueled IoT botnets that took down DNS provider Dyn, French webhost OVH and other high-profile sites through large DDoS attacks. Since the disclosure of the source code for Mirai, which is used to recruit poorly protected IoT devices into botnets, researchers have been finding variants used in other large-scale attacks.
In the case of the Sony cameras, SEC-Consult warns that the devices are exploitable in default configurations on the network, and remotely if the web interface is exposed to the Internet.
The root issue is a pair of hardcoded passwords discovered in the firmware that can be used to log in to the camera locally through a serial port, or via telnet or SSH. SEC-Consult said it didn’t take long to crack one of the hashed passwords, the admin credential, which turned out to be admin:admin. The second password hash guarded the root user, and could be used by an attacker to gain deeper access to the device and hop onto the network. The accounts, the researchers discovered, gave access to undocumented CGI functionality that lets an attacker enable telnet for remote access. Once telnet is enabled, an OS-level backdoor provides access to the Linux shell with root privileges, SEC-Consult said.
“Attackers are able to completely takeover the Sony IPELA ENGINE IP Camera products over the network,” SEC-Consult said.
The researchers said they tested the vulnerability on the SNC-DH160 camera running firmware version V1.82.01, and on Gen6 cameras running V2.7.0. Sony provided a complete list of affected cameras to SEC-Consult.