SEC Consult, renowned IT security services and consultation firm, has identified that there is a critical flaw in Sony’s 80 SNC series IP cameras. This series features the IPELA ENGINE signal processing system of Sony.
These backdoor accounts can easily provide hackers complete access to the security cameras. It must be noted that the security cameras by Sony are used by high-profile organizations around the world.
It is also identified that there is a CGI binary (prima-factory.cgi) file that lets a remote user enable the Telnet service by sending a specially designed HTTP request to the device. This request requires the inclusion of authentication data. However, the username and password (primana/primana) are already present in plain text format.
Hackers can utilize these credentials to send out a request to the CGI binary file and activate Telnet service after which he can leverage the root account and acquire remote access with increased privileges.
Once the hackers obtain root access they can easily carry out a variety of actions including spying on the user of the camera, disrupting the operations of the camera and even manipulate videos. They might also compromise the network that is housing the camera or infects the device with Mirai or similar malware such as Bashlite or Lizkebab.
Sony has already released a Firmware update to delete the backdoor accounts. The updates contain hardcoded password hashes for the root and admin users. Until now researchers have managed to crack admin password but it is believed that root password can also be obtained by the hackers quite conveniently. The admin password has been identified to be “admin.”
The identified vulnerability of Sony IP cameras can be exploited by hackers having network access provided that the web interface of the camera is exposed. According to a research, there are thousands of unprotected cameras in the United States. Also, just a couple of weeks ago, a researcher has his surveillance camera hacked with Mirai malware within 98 seconds only as soon as it gets connected to Wi-Fi.
SEC Consult stated that the “primana” user account is actually a backdoor and is apparently introduced by Sony purposefully for testing its devices. Researchers have also identified a similar account dubbed as “debug” and contain this password: “popeyeConnection.” However, its functionality hasn’t yet been identified by the research team.
In a blog post, SEC Consult’s researchers stated that:
“”An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet, or to just simply spy on you. We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755).”
SEC Consult notified Sony about the discovered vulnerabilities on 11th October after which Sony released firmware updates for the IP camera with versions 1.86.00 and 2.7.2 on 28th November.
If you own an IoT device use this online Internet of Things (IoT) Scanner to make sure it is not hacked. Also, change your device’s default login credentials asap.