Thursday, March 28, 2024

Researchers Find Backdoor Account in 80 Different “SONY” IP Enabled Camera Models

Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp.

Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

Two Backdoor Accounts Are Available

According to security researchers of SEC Consult, One backdoor account is available in the Web Interface of Sony’s current IP camera firmware version. This backdoor is set of hardcoded credentials, which is allowing hackers to enable Telnet service of cameras by sending remote requests.

The second backdoor is also a hard coded password which could be used by hackers to gain the root access of devices. After getting root access, they can fully control the devices over Telnet. This password string is available in a cryptographic hash and it is possible to crack it by spending some time on it.

How is it possible?

SEC Consult said that these backdoors had been created by the official developers of Sony.  Not a single footprint of third party programmer has been identified by the security researchers of SEC Consult. It seems like, developers had created these backdoors to debug the device during testing and they forget to remove both of the backdoors from the firmware.

Austrian security firm SEC Consult said it found two apparent backdoor accounts in Sony IPELA Engine IP Cameras  devices mainly used by enterprises and authorities.

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult wrote.

It’s unclear precisely how many Sony IP cameras may be vulnerable, but a scan of the Web using Censys.io indicates there are at least 4,250 that are currently reachable over the Internet.

Those Sony IPELA ENGINE IP camera devices are definitely reachable on the Internet and a potential target for Mirai-like botnets, but of course it depends on the network/firewall configuration,” said Johannes Greil, head of SEC Consult Vulnerability Lab.

“From our point of view, this is only the tip of the iceberg because it’s only one search string from the device we have.”

Greil said there are other undocumented functionalities in the Sony IP cameras that could be maliciously used by malware or miscreants, such as commands that can be invoked to distort images and/or video recorded by the cameras, or a camera heating feature that could be abused to overheat the devices.

Sony was informed about the issue in October and released firmware updates for all affected camera models on Nov. 28. Users are advised to install these updates as soon as possible, because security cameras have recently been an attractive target for hackers.

Sony did not respond to multiple requests for comment. But the researchers said Sony has quietly made available to its users an update that disables the backdoor accounts on the affected devices. However, users still need to manually update the firmware using a program called SNC Toolbox.

Greil said it seems likely that the backdoor accounts have been present in Sony cameras for at least four years, as there are signs that someone may have discovered the hidden accounts back in 2012 and attempted to crack the passwords then. SEC Consult’s writeup on their findings is available here.

In other news, researchers at security firm Cybereason say they’ve found at least two previously unknown security flaws in dozens of IP camera families that are white-labeled under a number of different brands (and some without brands at all) that are available for purchase via places like eBay and Amazon.

The devices are all administered with the password “888888,” and may be remotely accessible over the Internet if they are not protected behind a firewall. we confirmed that while the Mirai botnet currently includes this password in the combinations it tries, the username for this password is not part of Mirai’s current configuration.

ipcamsticker-580x437

But Cybereason’s team found that they could easily exploit these devices even if they were set up behind a firewall.

That’s because all of these cameras ship with a factory-default peer-to-peer (P2P) communications capability that enables remote “cloud” access to the devices via the manufacturer’s Web site — provided a customer visits the site and provides the unique camera ID stamped on the bottom of the devices.

Although it may seem that attackers would need physical access to the vulnerable devices in order to derive those unique camera IDs, Cybereason’s principal security researcher Amit Serper said the company figured out a simple way to enumerate all possible camera IDs using the manufacturer’s Web site.

“We reverse engineered these cameras so that we can use the manufacturer’s own infrastructure to access them and do whatever we want,” Serper said. “We can use the company’s own cloud network and from there jump onto the customer’s network.”

What Hackers Can Do By Hacking These Cameras?

Hackers could enable Telnet service of devices and can access them over the internet or over the local area network. Hackers can convert these cameras into bots by infecting them with a strong botnet such as Mirai Botnet to perform DDoS (Distributed Denial of Service) Attack on major networks and companies. Hackers could also disrupt working functionality of cameras. Hackers could spy on all those networks which are under Electronic surveillance. Moreover, hackers could send specially crafted videos and images to the control room.

Vulnerable Models of Sony IP Camera
  • SNC-CH115
  • SNC-CH120
  • SNC-CH160
  • SNC-CH220
  • SNC-CH260
  • SNC-DH120
  • SNC-DH120T
  • SNC-DH160
  • SNC-DH220
  • SNC-DH220T
  • SNC-DH260
  • SNC-EB520
  • SNC-EM520
  • SNC-EM521
  • SNC-ZB550
  • SNC-ZM550
  • SNC-ZM551
  • SNC-EP550
  • SNC-EP580
  • SNC-ER550
  • SNC-ER550C
  • SNC-ER580
  • SNC-ER585
  • SNC-ER585H
  • SNC-ZP550
  • SNC-ZR550
  • SNC-EP520
  • SNC-EP521
  • SNC-ER520
  • SNC-ER521
  • SNC-ER521C
  • SNC-CX600
  • SNC-CX600W
  • SNC-EB600
  • SNC-EB600B
  • SNC-EB602R
  • SNC-EB630
  • SNC-EB630B
  • SNC-EB632R
  • SNC-EM600
  • SNC-EM601
  • SNC-EM602R
  • SNC-EM602RC
  • SNC-EM630
  • SNC-EM631
  • SNC-EM632R
  • SNC-EM632RC
  • SNC-VB600
  • SNC-VB600B
  • SNC-VB600B5
  • SNC-VB630
  • SNC-VB6305
  • SNC-VB6307
  • SNC-VB632D
  • SNC-VB635,
  • SNC-VM600
  • SNC-VM600B
  • SNC-VM600B5
  • SNC-VM601
  • SNC-VM601B
  • SNC-VM602R
  • SNC-VM630
  • SNC-VM6305
  • SNC-VM6307
  • SNC-VM631
  • SNC-VM632R
  • SNC-WR600
  • SNC-WR602
  • SNC-WR602C
  • SNC-WR630
  • SNC-WR632
  • SNC-WR632C
  • SNC-XM631
  • SNC-XM632
  • SNC-XM636
  • SNC-XM637
  • SNC-VB600L
  • SNC-VM600L
  • SNC-XM631L
  • SNC-WR602CL
Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles