Tech giant Sony has just detected and terminated a debug backdoor in 80 of its Internet-connected surveillance cameras. The backdoor could be exploited to hijack the devices via malware such as the Mirai botnet.
More specifically, the hardcoded logins in the devices could be leveraged by malware to automatically and covertly take over Sony CCTV cameras. The devices could be used to launch attacks on other systems or spy on their owners. The vulnerable devices are Sony Professional Ipela Engine IP cameras.
Related: Biggest DDoS Close to 1 Tbps Hits Hosting Company
This backdoor was discovered by security researcher Stefan Viehböck in October. Fortunately, updates for the firmware to mitigate the vulnerability are already available.
The company has expressed gratitude for the cooperation in enhancing their network security.
The firmware includes two hardcoded, permanently enabled accounts in the builtin web-based admin console: debug with the password popeyeConnection, and primana with the password primana, The Register explains. The latter, coupled with magic strings in the URL, unlocks telnet access, potentially granting administrative access to the camera via a command line. Later models can open an SSH server, too.
More precisely, telnet access can be enabled via the following URLs when sent to a vulnerable connected device:
→https://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
→https://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk
This triggers the prima-factory.cgi program in Sony’s fifth-generation Ipela Engine cameras to open the backdoor by starting inetd, which is configured to run a telnet daemon on port 23. Sixth-generation cams use the magic string “himitunokagi”, which is Japanese for “secret key”.
Related: Biggest DDoS Close to 1 Tbps Hits Hosting Company
When the telnet/ SSH service is active, an attacker could login as root and obtain command-line-level access to the OS. However, the following password hashes should be hacked first:
→$1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)
→iMaxAEXStYyd6 (gen-6 models)
Security researchers believe it won’t take long for the hashes to be cracked. Thus, applying the firmware updates to the exposed cameras is mandatory, to say the least.
The endangered devices use firmware version 1.82.01 or earlier in case they are fifth generation, or 2.7.0 or earlier in case they are sixth generation. Firmware versions 1.86.00 and 2.7.2 should contain the fixes. Users that have any of the models listed below should check whether they have the latest firmware installed:
SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL, SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, and SNC-ER521C.