Sony Misleading Marketing Hides Cracked Backdoor

Published Jan 25, 2017 14:12 PM

Sony is attempting to deemphasize the severity of the backdoor uncovered in Ipela cameras.

Meanwhile, IPVM has verified that the root password for the backdoor has been cracked.

Downplaying the severity of the hard-coded backdoor puts both users and Sony's brand at risk, as we explain in this report.

Sony's *****

**** ***** ** ******* *** *** as "******** ******* ********':

***** *********** ****, **** ** **** describing * ********* ** * ****** to **** ** "******** *********". ** top ** ***, **** ******** ** abstract ***** **** **** *** ** all ****** *** **** ***** ** unpatched ******* ****.

Sony ******* ******* *******

****'* ******-****** ******** *** ******** ********* also **** ** ******* **** ***** with ***** ******** **** ** ******* ******** to ******* **** *******:

Cracked ******** **** ********

**** *** ******* *** ***** *********, the *********** ********* *** ****** *** the **** ******** *** *** *** reveal **** *** *********** ******** ***.

* ********* *** *********** ** *********** firmware ******** **** **** *** *** unencrypted ******** **** ******** *** *** 6 *******, *** ** ******** **** it ******.

** **** ****** ** ******* **** the **** ******** *** ******* **** years ***, *** **** ****** **** public **********, ** *** ****** ******* was ********* ** ******* ******. ***** it ** ******* *** **** *** wide *** ******* **** ******** *** been *****, ***** ****** ** ** doubt **** ** ** *******. 

****: ** *** *** ******* *** backdoor **** ******** ***** ** ** *** easily ********* ****** *** ***** **, in **** *******, ***** ******** **** to **** *****.

Misleading ********* **** ***** ** ****

**** ****** **** **** "********" ******* security ******* **** ***** **** ******** ** ** already ****** ******, ***** ** ********** in **** ****. ********* ******* *** extremely ********, ***** ****** **** ******** might ********** ****** **** **** *** avoid **** ****** ** **** ******* perceive ***** ****** ** ******, *** to ****** ***** ***** **** ******** default ********* ** ******* ** ******** user ********. *******, ***** ******* ****** **** to ****** **** ****** *** *** reach **** *** * *******.

Sony ******* ** ******** ******

****** **'* **** ****'* ***** ******** installed ******* ** ***** **'***** **** ********* **** **** ** Sony ******* *** **** *******, *** interfered **** ***** ***** ** *** computer's *********. ****** ** *** ******** **** ******* had ****** ****** ** ****** *** other ******* **** ** **** ********. ** **** ** ***** ********* Sony's ***** ******** ** ****** **********. While **** ** ***** ********* **** severe, ******* **** ******** ******* ** Sony's ******** ********.

*** ******** ********** ** ***** *******, and ****'* ******* ** *********** **, show *** ******* ********* ******** *** security ** *** *******, *** **** has *** **** ****** ** **** ********* fully ***** ** ****.  *** **** reason **** ******* *** *** ** more *********** ** **** ** ******* ****'* Security ******** ***** ** ********** ** its ***** *** ****** *********.

Manufactures ****** *** ******** ******** ***********

***** ** ****** ******* ** ********** to ******** ******** ** ********** ********, information ** *** ******* ********* ** the ********, *** ** ***** *** shown, ***** *** ****** *******. ********* are *** ****** ** *** *** existing *******, ** ****** ****** ** future ********, ** * ********* ******* is ***** *** ********* ******* **** good ************* **** *** ************. *** **** may ****** ***** ******* ** **** find *** **** *** ************ *** not ******** ****** **** ** ******** and ******* ********* ***** *** **** exploits.

Comments (3)
Undisclosed
Jan 25, 2017

There should be a CVE number for this issue. The fact there isn't suggests Sony doesn't get CVEs allocated for itself (and nobody shouted loud enough to get the CVE elves to allocate one unilaterally). Classic example of an epic fail in answer to the question "what's your cyber security posture". The fact a flaw existed is almost less disturbing than their denial process. Although, backdoor passwords have been considered bad for years.

 

So? How's it going out there in integrator-land selling vulnerable Sony cameras?

Undisclosed #1
Jan 26, 2017
IPVMU Certified

The Gen6 DES password is easily cracked from the hash in less than two hours.

The real gem here is the revelation of the script syntax surrounding: /debug/start-telnetd-sshd.cgi, which completes the exploit.

This, to my knowledge, has not been published by SEC Consult or anyone else, AFAIK.

(1)
Undisclosed #1
Jan 26, 2017
IPVMU Certified

Curious, was anyone able to crack the Ipela Gen5 password from this hash?

$1$$mhF8LHkOmSgbD88/WrM790

If so, don't post it, I'm just wondering what the length, etc., was actually. Had a process running for a couple weeks on it with no results.