Sony IP Camera Backdoor Uncovered

By: Brian Karas, Published on Dec 06, 2016

A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root, giving them full access to control the camera.

Sony has issued new firmware for all cameras to fix this issue.

Exploit Overview

SEC Consult disclosed the vulnerability. Researchers analyzing firmware for Sony cameras found hard-coded credentials in the firmware for admin and root accounts. While the Sony cameras do not have telnet enabled by default, further firmware analysis revealed how to cause the camera to enable telnet access through a specially crafted URL.

Once telnet is enabled on the camera, an attacker can login as root and take control of the device.

Root Password Not Cracked - Yet

The password for the root user has not been cracked, though the hashes for it are known. It is expected that the root password will be cracked within a matter of time. Hashes are:

  • root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
  • root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Devices At Risk

Gen 5 and Gen 6 Sony cameras that can be accessed via network is at risk of having telnet enabled by attackers, all it takes is sending a specific URL request to the camera. For example, for Gen 5:

  • http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9 [link no longer available]
  • http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk [link no longer available]

Cameras vulnerable include:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Remote attackers would not be able to access the telnet shell, unless port-forwarding was already setup for telnet.  While having telnet open by default is not common, the Mirai botnet propagates via telnet, and have already infected 3 million+ devices.

On local networks attackers could enable telnet and access the camera without issue in most cases. Machines on the same network as the cameras could be used to launch attacks agains the cameras if remote access was available to those machines through VPNs, remote-desktop protocols, or other means.

Firmware Update Links

Firmware for Ipela cameras should be upgraded immediately, doing so before Sony's root password is discovered should reduce risk of this exploit impacting users.

Sony Future

Recently, Sony and Bosch announced a partnership where Sony will provide imaging and Bosch will handle the networking side, which is relevant here. It will be interesting to see how that partnership evolves as Sony, outside of a few high end cameras, has not kept pace with launching new IP cameras over the past three years, as low cost competition has intensified.

5 reports cite this report:

Sony Gen 5 IP Cameras Critical Vulnerabilities on Jul 26, 2018
Cybersecurity vulnerabilities remain prevalent in video surveillance devices. Now Talos researchers have discovered multiple vulnerabilities in...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
Axis 5 Vulnerabilities Examined on Dec 01, 2017
A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical...
Hikvision Firmware Decrypted on Mar 09, 2017
A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents. In this report, we overview...
Sony Misleading Marketing Hides Cracked Backdoor on Jan 25, 2017
Sony is attempting to deemphasize the severity of the backdoor uncovered in Ipela cameras. Meanwhile, IPVM has verified that the root password for...
Comments (26) : Members only. Login. or Join.

Related Reports

Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used that can help zero-in and discover potential Coronavirus hotspots in a...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of compressed air may defeat it. With no special training, intruders can...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see, especially because most look and feel the same. Even insecure 125 kHz...
PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020
Hackers are targeting China video surveillance manufacturers and systems, according to the PRC's main cyber threat monitoring body. The hackers...
BICSI For IP Video Surveillance Guide on Feb 11, 2020
Spend enough time around networks and eventually someone will mention BICSI, the oft-referenced but only vaguely known standards body prevalent in...
Wyze Smart Door Lock Test on Jan 14, 2020
Wyze's inexpensive cameras have grabbed the attention of many in the consumer market, but can the company's new smart lock get similar...
Phone Camera Calculator Released on Mar 10, 2020
IPVM has released the first-ever Phone Calculator, video surveillance design software that you can use on your phone, without installing an...
Camera Course Summer 2020 on Jun 30, 2020
This is the only independent surveillance camera course, based on in-depth product and technology testing. Lots of manufacturer training...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance storage. Inside we cover: Surveillance Storage NVR / Recorder Storage Camera /...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud video. But what does it mean? How does it all work? Inside this...

Most Recent Industry Reports

ZeroEyes Presents Firearm Detection Video Analytics on Jul 09, 2020
ZeroEyes presented its Firearm detection Video Analytics system at the May 2020 IPVM Startups show. A 30-minute video from ZeroEyes...
Directory of 162 "Fever" Camera Suppliers on Jul 09, 2020
This directory provides a list of "Fever" scanning thermal camera providers to help you see and research what options are available. There are...
Clinton Public View Monitor (PVM) Mask Detection Tested on Jul 09, 2020
Face mask detection, or more specifically not wearing one, is expanding amidst the pandemic. Clinton Electronics has added this capability to their...
These Florida Real Estate Agents Are Now Selling "SafeCheck USA" Temperature Detectors on Jul 09, 2020
The "Kakon Brothers", William and Nathan, are self-described "south Florida Power Agents specializing in Luxury Real Estate" who "have closed over...
Avigilon ACC Cloud Tested on Jul 08, 2020
Avigilon merged Blue and ACC, adding VSaaS features to its on-premise VMS, offering remote video and health monitoring that was previously limited...
Hikvision's India Dominance Faces Threat on Jul 08, 2020
While Hikvision has become a dominant video surveillance provider in India, recent tension between the governments of India and the PRC is...
The US Fight Over Facial Recognition Explained on Jul 08, 2020
The controversy around facial recognition has grown significantly in 2020, with Congress members and activists speaking out against it while video...
Sperry West / Alibaba Tablet Temperature Measurement Tested on Jul 07, 2020
In April, we ordered a ~$500 temperature tablet from Alibaba. We set it to the side while doing 18 other temperature screening tests but, after...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of security systems integrators shows weak sales, opposition to...