Sony IP Camera Backdoor UncoveredBy: Brian Karas, Published on Dec 06, 2016
A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root, giving them full access to control the camera.
Sony has issued new firmware for all cameras to fix this issue.
SEC Consult disclosed the vulnerability. Researchers analyzing firmware for Sony cameras found hard-coded credentials in the firmware for admin and root accounts. While the Sony cameras do not have telnet enabled by default, further firmware analysis revealed how to cause the camera to enable telnet access through a specially crafted URL.
Once telnet is enabled on the camera, an attacker can login as root and take control of the device.
Root Password Not Cracked - Yet
The password for the root user has not been cracked, though the hashes for it are known. It is expected that the root password will be cracked within a matter of time. Hashes are:
- root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
- root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)
Devices At Risk
Gen 5 and Gen 6 Sony cameras that can be accessed via network is at risk of having telnet enabled by attackers, all it takes is sending a specific URL request to the camera. For example, for Gen 5:
- http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9 [link no longer available]
- http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk [link no longer available]
Cameras vulnerable include:
Remote attackers would not be able to access the telnet shell, unless port-forwarding was already setup for telnet. While having telnet open by default is not common, the Mirai botnet propagates via telnet, and have already infected 3 million+ devices.
On local networks attackers could enable telnet and access the camera without issue in most cases. Machines on the same network as the cameras could be used to launch attacks agains the cameras if remote access was available to those machines through VPNs, remote-desktop protocols, or other means.
Firmware Update Links
Firmware for Ipela cameras should be upgraded immediately, doing so before Sony's root password is discovered should reduce risk of this exploit impacting users.
Recently, Sony and Bosch announced a partnership where Sony will provide imaging and Bosch will handle the networking side, which is relevant here. It will be interesting to see how that partnership evolves as Sony, outside of a few high end cameras, has not kept pace with launching new IP cameras over the past three years, as low cost competition has intensified.