Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp.

 

 

Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

 

 

 

Two Backdoor Accounts Are Available

 

According to security researchers of SEC Consult, One backdoor account is available in the Web Interface of Sony’s current IP camera firmware version. This backdoor is set of hardcoded credentials, which is allowing hackers to enable Telnet service of cameras by sending remote requests.

 

The second backdoor is also a hard coded password which could be used by hackers to gain the root access of devices. After getting root access, they can fully control the devices over Telnet. This password string is available in a cryptographic hash and it is possible to crack it by spending some time on it.

 

 

How is it possible?

 

SEC Consult said that these backdoors had been created by the official developers of Sony.  Not a single footprint of third party programmer has been identified by the security researchers of SEC Consult. It seems like, developers had created these backdoors to debug the device during testing and they forget to remove both of the backdoors from the firmware.

 

Austrian security firm SEC Consult said it found two apparent backdoor accounts in Sony IPELA Engine IP Cameras  devices mainly used by enterprises and authorities.

 

 

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult wrote.

 

 

It’s unclear precisely how many Sony IP cameras may be vulnerable, but a scan of the Web using Censys.io indicates there are at least 4,250 that are currently reachable over the Internet.

 

 

Those Sony IPELA ENGINE IP camera devices are definitely reachable on the Internet and a potential target for Mirai-like botnets, but of course it depends on the network/firewall configuration,” said Johannes Greil, head of SEC Consult Vulnerability Lab.

 

 

“From our point of view, this is only the tip of the iceberg because it’s only one search string from the device we have.”

 

 

Greil said there are other undocumented functionalities in the Sony IP cameras that could be maliciously used by malware or miscreants, such as commands that can be invoked to distort images and/or video recorded by the cameras, or a camera heating feature that could be abused to overheat the devices.

 

 

Sony was informed about the issue in October and released firmware updates for all affected camera models on Nov. 28. Users are advised to install these updates as soon as possible, because security cameras have recently been an attractive target for hackers.

 

 

Sony did not respond to multiple requests for comment. But the researchers said Sony has quietly made available to its users an update that disables the backdoor accounts on the affected devices. However, users still need to manually update the firmware using a program called SNC Toolbox.

 

 

Greil said it seems likely that the backdoor accounts have been present in Sony cameras for at least four years, as there are signs that someone may have discovered the hidden accounts back in 2012 and attempted to crack the passwords then. SEC Consult’s writeup on their findings is available here.

 

In other news, researchers at security firm Cybereason say they’ve found at least two previously unknown security flaws in dozens of IP camera families that are white-labeled under a number of different brands (and some without brands at all) that are available for purchase via places like eBay and Amazon.

 

 

The devices are all administered with the password “888888,” and may be remotely accessible over the Internet if they are not protected behind a firewall. we confirmed that while the Mirai botnet currently includes this password in the combinations it tries, the username for this password is not part of Mirai’s current configuration.

ipcamsticker-580x437

 

But Cybereason’s team found that they could easily exploit these devices even if they were set up behind a firewall.

 

That’s because all of these cameras ship with a factory-default peer-to-peer (P2P) communications capability that enables remote “cloud” access to the devices via the manufacturer’s Web site — provided a customer visits the site and provides the unique camera ID stamped on the bottom of the devices.

 

 

Although it may seem that attackers would need physical access to the vulnerable devices in order to derive those unique camera IDs, Cybereason’s principal security researcher Amit Serper said the company figured out a simple way to enumerate all possible camera IDs using the manufacturer’s Web site.

 

 

“We reverse engineered these cameras so that we can use the manufacturer’s own infrastructure to access them and do whatever we want,” Serper said. “We can use the company’s own cloud network and from there jump onto the customer’s network.”

 

What Hackers Can Do By Hacking These Cameras?

Hackers could enable Telnet service of devices and can access them over the internet or over the local area network. Hackers can convert these cameras into bots by infecting them with a strong botnet such as Mirai Botnet to perform DDoS (Distributed Denial of Service) Attack on major networks and companies. Hackers could also disrupt working functionality of cameras. Hackers could spy on all those networks which are under Electronic surveillance. Moreover, hackers could send specially crafted videos and images to the control room.

 

Vulnerable Models of Sony IP Camera

 

  • SNC-CH115
  • SNC-CH120
  • SNC-CH160
  • SNC-CH220
  • SNC-CH260
  • SNC-DH120
  • SNC-DH120T
  • SNC-DH160
  • SNC-DH220
  • SNC-DH220T
  • SNC-DH260
  • SNC-EB520
  • SNC-EM520
  • SNC-EM521
  • SNC-ZB550
  • SNC-ZM550
  • SNC-ZM551
  • SNC-EP550
  • SNC-EP580
  • SNC-ER550
  • SNC-ER550C
  • SNC-ER580
  • SNC-ER585
  • SNC-ER585H
  • SNC-ZP550
  • SNC-ZR550
  • SNC-EP520
  • SNC-EP521
  • SNC-ER520
  • SNC-ER521
  • SNC-ER521C
  • SNC-CX600
  • SNC-CX600W
  • SNC-EB600
  • SNC-EB600B
  • SNC-EB602R
  • SNC-EB630
  • SNC-EB630B
  • SNC-EB632R
  • SNC-EM600
  • SNC-EM601
  • SNC-EM602R
  • SNC-EM602RC
  • SNC-EM630
  • SNC-EM631
  • SNC-EM632R
  • SNC-EM632RC
  • SNC-VB600
  • SNC-VB600B
  • SNC-VB600B5
  • SNC-VB630
  • SNC-VB6305
  • SNC-VB6307
  • SNC-VB632D
  • SNC-VB635,
  • SNC-VM600
  • SNC-VM600B
  • SNC-VM600B5
  • SNC-VM601
  • SNC-VM601B
  • SNC-VM602R
  • SNC-VM630
  • SNC-VM6305
  • SNC-VM6307
  • SNC-VM631
  • SNC-VM632R
  • SNC-WR600
  • SNC-WR602
  • SNC-WR602C
  • SNC-WR630
  • SNC-WR632
  • SNC-WR632C
  • SNC-XM631
  • SNC-XM632
  • SNC-XM636
  • SNC-XM637
  • SNC-VB600L
  • SNC-VM600L
  • SNC-XM631L
  • SNC-WR602CL