Dozens of Sony cameras affected by a secret backdoor

Pierluigi Paganini December 07, 2016

Many Sony cameras could be hijacked by hackers and infected with Mirai-like malware due to the presence of a sort of secret backdoor.

Sony has closed a sort of debug backdoor that was spotted in 80 web-connected surveillance cameras. The hardcoded logins in the firmware of the Sony cameras can be exploited to hijack the devices and open the doors to Mirai like malware.

The flawed devices are branded Sony Professional Ipela Engine IP surveillance cameras.

The backdoor was discovered by Stefan Viehböck from SEC Consult in October, the expert reported the issue to Sony and the company fixed it with firmware updates.

“SEC Consult has found a backdoor in Sony IPELA Engine IP Cameras, mainly used professionally by enterprises and authorities. This backdoor allows an attacker to run arbitrary code on the affected IP cameras.” reads a blog post published by SEC Consult.”An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you. This vulnerability affects 80 different Sony camera models. Sony was informed by SEC Consult about the vulnerability and has since released updated firmware for the affected models.”

sony-cameras-backdoor

Sony thanked the experts for the support they provided.

“We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras,” Sony said.

The expert spotted two hardcoded  permanently enabled application-level backdoor accounts in the web-based admin console:

  • User debug, Password: popeyeConnection
  • User primana, Password: primana

Both accounts are allowed to access specific, undocumented CGI functionality.

The expert explained that it is possible to remotely enable Telnet/SSH services and a backdoor allows an attacker to gain access to a Linux shell with root privileges.

“The vulnerabilities are exploitable in the default configuration over the network. Exploitation over the Internet is possible, if the web interface of the device is exposed.” continues the analysis.

The following URLs, once sent to a vulnerable web-facing device, will enable telnet access:

http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

The requests trigger the prima-factory.cgi in Sony’s fifth-generation Ipela Engine cameras to open the backdoor by starting the inetd, which runs a telnet daemon on port 23. Devices belonging to Gen6 generation use the magic string “himitunokagi” (Japanese for “secret key”).

Once the telnet or SSH service is enabled, attacker can login as root and get command-line-level access to the OS. Below are the password hashes for the OS-level backdoor user:

$1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)
iMaxAEXStYyd6 (gen-6 models)

Ill-intentioned could easily crack the above root passwords, the researchers avoided to do it in order to prevent their exploitation in the wild.

Experts suggest the application of the security updates for the following Sony cameras:

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL, SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, and SNC-ER521C.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Sony Cameras, backdoors)



you might also like

leave a comment