Sony IP Camera Backdoor Uncovered

By Brian Karas, Published Dec 06, 2016, 10:26am EST

A backdoor has been uncovered in ~80 Sony IP camera models: attackers can remotely enable telnet on the camera and then potentially log in as root, giving them full control of the camera.

Sony has issued new firmware for all cameras to fix this issue.

Exploit Overview

SEC Consult disclosed the vulnerability. Researchers analyzing firmware for Sony cameras found hard-coded credentials in the firmware for admin and root accounts. While the Sony cameras do not have telnet enabled by default, further firmware analysis revealed how to cause the camera to enable telnet access through a specially crafted URL.

Once telnet is enabled on the camera, an attacker can log in as root and take control of the device.

Root Password Not Cracked - Yet

The password for the root user has not been cracked, though the hashes for it are known. It is expected that the root password will be cracked in a matter of time. The hashes are:

  • root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
  • root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Devices At Risk

Any Gen 5 or Gen 6 Sony camera that can be accessed via the network is at risk of having telnet enabled by attackers; all it takes is sending a specific URL request to the camera. For example, for Gen 5:

  • http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
  • http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk
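
A defensive check for the request pattern above, added here as an example and not taken from the original article or from SEC Consult: it scans HTTP access logs for requests to the factory CGI so that attempts to enable telnet can be spotted. The log source (Common Log Format from a proxy or gateway in front of the cameras), the function name and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
CGI_PATH = "/command/prima-factory.cgi"  # endpoint named in the article
BACKDOOR_USER = "primana"                # account named in the article

# Constructed sample lines (documentation IP ranges, placeholder parameter value).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2016:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - primana [06/Dec/2016:10:02:13 +0000] '
    '"GET /command/prima-factory.cgi?foo=bar&Telnet=EXAMPLE HTTP/1.1" 200 0',
    '198.51.100.7 - - [06/Dec/2016:10:02:40 +0000] '
    '"GET /command/Prima-Factory.cgi?foo=bar&telnet=EXAMPLE HTTP/1.1" 401 0',
    '192.0.2.10 - admin [06/Dec/2016:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 90',
]

def find_backdoor_requests(lines):
    """Return one finding per log line that requests the factory CGI."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        parts = urlsplit(m["target"])
        # Decode percent-encoding, collapse "./" segments and fold case so that
        # trivial variants are over-reported rather than missed.
        path = posixpath.normpath(unquote(parts.path)).lower()
        if not path.endswith(CGI_PATH):
            continue
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "status": int(m["status"]),           # 2xx means the camera accepted it
            "telnet_param": "telnet" in params,   # request tried to toggle telnet
            "backdoor_user": m["user"].lower() == BACKDOOR_USER,
        })
    return findings

if __name__ == "__main__":
    for finding in find_backdoor_requests(SAMPLE_LOG):
        print(finding)
```

Any hit with `telnet_param` set and a 2xx status is worth treating as a camera that now needs its telnet port checked and its firmware updated.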

Cameras vulnerable include:

Remote attackers would not be able to access the telnet shell unless port forwarding was already set up for telnet. While having telnet open by default is not common, the Mirai botnet propagates via telnet and has already infected 3 million+ devices.

On local networks, attackers could enable telnet and access the camera without issue in most cases. Machines on the same network as the cameras could be used to launch attacks against the cameras if remote access was available to those machines through VPNs, remote-desktop protocols, or other means.

Firmware Update Links

Firmware for Ipela cameras should be upgraded immediately; doing so before Sony's root password is discovered should reduce the risk of this exploit impacting users.

Sony Future

Recently, Sony and Bosch announced a partnership where Sony will provide imaging and Bosch will handle the networking side, which is relevant here. It will be interesting to see how that partnership evolves as Sony, outside of a few high-end cameras, has not kept pace with launching new IP cameras over the past three years, as low-cost competition has intensified.
