Sony Misleading Marketing Hides Cracked Backdoor

By Brian Karas, Published Jan 25, 2017, 09:12am EST

Sony is attempting to deemphasize the severity of the backdoor uncovered in Ipela cameras.

Meanwhile, IPVM has verified that the root password for the backdoor has been cracked.

Downplaying the severity of the hard-coded backdoor puts both users, and Sony's brand, at risk, as we explain in this report. 

Sony's *****

**** ***** ** ******* the *** ** "******** network ********':

***** *********** ****, **** is **** ********** * pacemaker ** * ****** to **** ** "******** heartbeat". ** *** ** off, **** ******** ** abstract ***** **** **** not ** *** ****** the **** ***** ** unpatched ******* ****.

Sony ******* ******* *******

****'* ******-****** ******** *** firmware ********* **** **** to ******* **** ***** with ***** ******** **** to upgrade ******** ** ******* this *******:

Cracked ******** **** ********

**** *** ******* *** first *********, *** *********** published *** ****** *** the **** ******** *** did *** ****** **** the *********** ******** ***.

* ********* *** *********** in *********** ******** ******** IPVM **** *** *** unencrypted ******** **** ******** for *** * *******, and ** ******** **** it ******.

** **** ****** ** believe **** *** **** password *** ******* **** years ***, *** **** secret **** ****** **********, as *** ****** ******* was ********* ** ******* boards. ***** ** ** unclear *** **** *** wide *** ******* **** password *** **** *****, there ****** ** ** doubt **** ** ** cracked. 

****: ** *** *** sharing *** ******** **** password ***** ** ** *** easily ********* ****** *** doing **, ** **** context, ***** ******** **** to **** *****.

Misleading ********* **** ***** ** ****

**** ****** **** **** "improved" ******* ******** ******* they ***** **** ******** ** ** already ****** ******, ***** is ********** ** **** case. ********* ******* *** extremely ********, ***** ****** this ******** ***** ********** assume **** **** *** avoid **** ****** ** they ******* ******** ***** system ** ******, *** to ****** ***** ***** like ******** ******* ********* or ******* ** ******** user ********. *******, ***** ******* remain **** ** ****** from ****** *** *** reach **** *** * network.

Sony ******* ** ******** ******

****** **'* **** ****'* music ******** ********* ******* on ***** **'***** **** ********* **** back ** **** ******* the **** *******, *** interfered **** ***** ***** of *** ********'* *********. In**** ** *** ******** that ******* *** ****** access ** ****** *** other ******* **** ** Sony ********. ** **** ** these ********* ****'* ***** suffered ** ****** **********. While **** ** ***** incidents **** ******, ******* were ******** ******* ** Sony's ******** ********.

*** ******** ********** ** Ipela *******, *** ****'* failure ** *********** **, show *** ******* ********* weakened *** ******** ** its *******, *** **** has *** **** ****** to make ********* ***** ***** of ****.  *** **** reason **** ******* *** not ** **** *********** to **** ** ******* ****'* Security ******** ***** ** comparison ** *** ***** and ****** *********.

Manufactures ****** *** ******** ******** ***********

***** ** ****** ******* to ********** ** ******** severity ** ********** ********, information ** *** ******* available ** *** ********, and ** ***** *** shown, ***** *** ****** quickly. ********* *** *** likely ** *** *** existing *******, ** ****** brands ** ****** ********, if * ********* ******* is ***** *** ********* quickly **** **** ************* from *** ************. *** **** may ****** ***** ******* if **** **** *** that *** ************ *** not ******** ****** **** of ******** *** ******* available ***** *** **** exploits.

Comments (3)

Undisclosed

01/25/17 05:37pm

There should be a CVE number for this issue.  The fact there isn't suggests Sony doesn't get CVE's allocated for itself (and nobody shouted loud enough to get the CVE elves to allocate one unilaterally.)  Classic example of an epic fail in answer to the question "what's your cyber security posture".  The fact a flaw existed is almost less disturbing than their denial process.  Although, backdoor passwords have been considered bad for years.

 

So?  How's it' going out there in integrator-land selling vulnerable Sony cameras?

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | 01/26/17 01:35am

The Gen6 DES password is easily cracked from the hash in less than two hours.

The real gem here is the revelation of the script syntax surrounding: /debug/start-telnetd-sshd.cgi, which completes the exploit.

This, to my knowledge has not been published by SEC Consult or anyone else, AFAIK.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | 01/26/17 05:51pm

Curious, was anyone able to crack the Ipela Gen5 password from this hash?

$1$$mhF8LHkOmSgbD88/WrM790

If so, don't post it, I'm just wondering what the length etc, was actually.  Had a process running for a couple weeks on it with no results.

Agree
Disagree
Informative
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 6,938 reports, 926 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports