Saturday, June 15, 2024

Researchers Find Backdoor Account in 80 Different “SONY” IP Enabled Camera Models

Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp.

Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

Two Backdoor Accounts Are Available

According to security researchers of SEC Consult, One backdoor account is available in the Web Interface of Sony’s current IP camera firmware version. This backdoor is set of hardcoded credentials, which is allowing hackers to enable Telnet service of cameras by sending remote requests.

The second backdoor is also a hard coded password which could be used by hackers to gain the root access of devices. After getting root access, they can fully control the devices over Telnet. This password string is available in a cryptographic hash and it is possible to crack it by spending some time on it.

How is it possible?

SEC Consult said that these backdoors had been created by the official developers of Sony.  Not a single footprint of third party programmer has been identified by the security researchers of SEC Consult. It seems like, developers had created these backdoors to debug the device during testing and they forget to remove both of the backdoors from the firmware.

Austrian security firm SEC Consult said it found two apparent backdoor accounts in Sony IPELA Engine IP Cameras  devices mainly used by enterprises and authorities.

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult wrote.

It’s unclear precisely how many Sony IP cameras may be vulnerable, but a scan of the Web using Censys.io indicates there are at least 4,250 that are currently reachable over the Internet.

Those Sony IPELA ENGINE IP camera devices are definitely reachable on the Internet and a potential target for Mirai-like botnets, but of course it depends on the network/firewall configuration,” said Johannes Greil, head of SEC Consult Vulnerability Lab.

“From our point of view, this is only the tip of the iceberg because it’s only one search string from the device we have.”

Greil said there are other undocumented functionalities in the Sony IP cameras that could be maliciously used by malware or miscreants, such as commands that can be invoked to distort images and/or video recorded by the cameras, or a camera heating feature that could be abused to overheat the devices.

Sony was informed about the issue in October and released firmware updates for all affected camera models on Nov. 28. Users are advised to install these updates as soon as possible, because security cameras have recently been an attractive target for hackers.

Sony did not respond to multiple requests for comment. But the researchers said Sony has quietly made available to its users an update that disables the backdoor accounts on the affected devices. However, users still need to manually update the firmware using a program called SNC Toolbox.

Greil said it seems likely that the backdoor accounts have been present in Sony cameras for at least four years, as there are signs that someone may have discovered the hidden accounts back in 2012 and attempted to crack the passwords then. SEC Consult’s writeup on their findings is available here.

In other news, researchers at security firm Cybereason say they’ve found at least two previously unknown security flaws in dozens of IP camera families that are white-labeled under a number of different brands (and some without brands at all) that are available for purchase via places like eBay and Amazon.

The devices are all administered with the password “888888,” and may be remotely accessible over the Internet if they are not protected behind a firewall. we confirmed that while the Mirai botnet currently includes this password in the combinations it tries, the username for this password is not part of Mirai’s current configuration.

ipcamsticker-580x437

But Cybereason’s team found that they could easily exploit these devices even if they were set up behind a firewall.

That’s because all of these cameras ship with a factory-default peer-to-peer (P2P) communications capability that enables remote “cloud” access to the devices via the manufacturer’s Web site — provided a customer visits the site and provides the unique camera ID stamped on the bottom of the devices.

Although it may seem that attackers would need physical access to the vulnerable devices in order to derive those unique camera IDs, Cybereason’s principal security researcher Amit Serper said the company figured out a simple way to enumerate all possible camera IDs using the manufacturer’s Web site.

“We reverse engineered these cameras so that we can use the manufacturer’s own infrastructure to access them and do whatever we want,” Serper said. “We can use the company’s own cloud network and from there jump onto the customer’s network.”

What Hackers Can Do By Hacking These Cameras?

Hackers could enable Telnet service of devices and can access them over the internet or over the local area network. Hackers can convert these cameras into bots by infecting them with a strong botnet such as Mirai Botnet to perform DDoS (Distributed Denial of Service) Attack on major networks and companies. Hackers could also disrupt working functionality of cameras. Hackers could spy on all those networks which are under Electronic surveillance. Moreover, hackers could send specially crafted videos and images to the control room.

Vulnerable Models of Sony IP Camera
  • SNC-CH115
  • SNC-CH120
  • SNC-CH160
  • SNC-CH220
  • SNC-CH260
  • SNC-DH120
  • SNC-DH120T
  • SNC-DH160
  • SNC-DH220
  • SNC-DH220T
  • SNC-DH260
  • SNC-EB520
  • SNC-EM520
  • SNC-EM521
  • SNC-ZB550
  • SNC-ZM550
  • SNC-ZM551
  • SNC-EP550
  • SNC-EP580
  • SNC-ER550
  • SNC-ER550C
  • SNC-ER580
  • SNC-ER585
  • SNC-ER585H
  • SNC-ZP550
  • SNC-ZR550
  • SNC-EP520
  • SNC-EP521
  • SNC-ER520
  • SNC-ER521
  • SNC-ER521C
  • SNC-CX600
  • SNC-CX600W
  • SNC-EB600
  • SNC-EB600B
  • SNC-EB602R
  • SNC-EB630
  • SNC-EB630B
  • SNC-EB632R
  • SNC-EM600
  • SNC-EM601
  • SNC-EM602R
  • SNC-EM602RC
  • SNC-EM630
  • SNC-EM631
  • SNC-EM632R
  • SNC-EM632RC
  • SNC-VB600
  • SNC-VB600B
  • SNC-VB600B5
  • SNC-VB630
  • SNC-VB6305
  • SNC-VB6307
  • SNC-VB632D
  • SNC-VB635,
  • SNC-VM600
  • SNC-VM600B
  • SNC-VM600B5
  • SNC-VM601
  • SNC-VM601B
  • SNC-VM602R
  • SNC-VM630
  • SNC-VM6305
  • SNC-VM6307
  • SNC-VM631
  • SNC-VM632R
  • SNC-WR600
  • SNC-WR602
  • SNC-WR602C
  • SNC-WR630
  • SNC-WR632
  • SNC-WR632C
  • SNC-XM631
  • SNC-XM632
  • SNC-XM636
  • SNC-XM637
  • SNC-VB600L
  • SNC-VM600L
  • SNC-XM631L
  • SNC-WR602CL
Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles