Sony IP Camera Backdoor Uncovered

By: Brian Karas, Published on Dec 06, 2016

A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root, giving them full access to control the camera.

Sony has issued new firmware for all cameras to fix this issue.

Exploit Overview

SEC Consult disclosed the vulnerability. Researchers analyzing firmware for Sony cameras found hard-coded credentials in the firmware for admin and root accounts. While the Sony cameras do not have telnet enabled by default, further firmware analysis revealed how to cause the camera to enable telnet access through a specially crafted URL.

Once telnet is enabled on the camera, an attacker can login as root and take control of the device.

Root Password Not Cracked - Yet

The password for the root user has not been cracked, though the hashes for it are known. It is expected that the root password will be cracked within a matter of time. Hashes are:

  • root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
  • root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Devices At Risk

Gen 5 and Gen 6 Sony cameras that can be accessed via network is at risk of having telnet enabled by attackers, all it takes is sending a specific URL request to the camera. For example, for Gen 5:

Cameras vulnerable include:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Remote attackers would not be able to access the telnet shell, unless port-forwarding was already setup for telnet.  While having telnet open by default is not common, the Mirai botnet propagates via telnet, and have already infected 3 million+ devices.

On local networks attackers could enable telnet and access the camera without issue in most cases. Machines on the same network as the cameras could be used to launch attacks agains the cameras if remote access was available to those machines through VPNs, remote-desktop protocols, or other means.

Firmware Update Links

Firmware for Ipela cameras should be upgraded immediately, doing so before Sony's root password is discovered should reduce risk of this exploit impacting users.

Sony Future

Recently, Sony and Bosch announced a partnership where Sony will provide imaging and Bosch will handle the networking side, which is relevant here. It will be interesting to see how that partnership evolves as Sony, outside of a few high end cameras, has not kept pace with launching new IP cameras over the past three years, as low cost competition has intensified.

5 reports cite this report:

Sony Gen 5 IP Cameras Critical Vulnerabilities on Jul 26, 2018
Cybersecurity vulnerabilities remain prevalent in video surveillance devices. Now Talos researchers have discovered multiple vulnerabilities in...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
Axis 5 Vulnerabilities Examined on Dec 01, 2017
A group of vulnerabilities, including a new discovery from bashis (who previously found one of the Dahua backdoors and the 2016 Axis critical...
Hikvision Firmware Decrypted on Mar 09, 2017
A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents. In this report, we overview...
Sony Misleading Marketing Hides Cracked Backdoor on Jan 25, 2017
Sony is attempting to deemphasize the severity of the backdoor uncovered in Ipela cameras. Meanwhile, IPVM has verified that the root password for...
Comments (26) : PRO Members only. Login. or Join.

Related Reports on Hacking

Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Register Now - Fall 2019 IP Networking Course on May 02, 2019
Register for the Fall 2019 IP Networking Course. For early registration save $50 off the course's normal $299 price. This is the only networking...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Silicon Valley Cybersecurity Insurance Startup Coalition Profile on Mar 20, 2019
Many industry people believe cybersecurity insurance is not worth it, as the voting and debate in our Cybersecurity Insurance For Security...
Hikvision Favorability Results 2019 on Mar 18, 2019
Hikvision favorability results declined significantly in IPVM's 2019 study of 200+ integrators. While in 2017 Hikvision's favorability was...
Bosch VDOO 2018 Vulnerability on Dec 20, 2018
Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new...
Genetec UL Cybersecurity Certificate (2900-2-3) Examined on Dec 19, 2018
Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates? Earlier in 2018, a...
No GDPR Penalties For UK Swann 'Spying Hack' on Nov 20, 2018
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...

Most Recent Industry Reports

TMA Apologizes to Amazon / Ring on Aug 23, 2019
Not only is Amazon / Ring making major incursions into the residential security market, the organization representing the biggest incumbents, The...
China Dahua Replaces Their Software With US Pepper on Aug 22, 2019
What does a US government banned company do to improve its security positioning in the US? Well, Dahua is unveiling a novel solution, partnering...
Security Integrators Outlook On Remaining Integrators In 2025 on Aug 22, 2019
The industry has changed substantially in the last decade, with the rise of IP cameras and the race to the bottom. Indeed, more changes may be...
First GDPR Facial Recognition Fine For Sweden School on Aug 22, 2019
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is...
Anyvision Facial Recognition Tested on Aug 21, 2019
Anyvision is aiming for $1 billion in revenue by 2022, backed by $74 million in funding. But does their performance live up to the hype they have...
JCI Sues Wyze on Aug 21, 2019
The mega manufacturer / integrator JCI has sued the fast-growing $20 camera Seattle startup Wyze. Inside this note: Share the court...
Dahua 4K Camera Shootout on Aug 20, 2019
Dahua's new Pro Series 4K N85CL5Z claims to "deliver superior images in all lighting and environmental conditions", but how does this compare to...
ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact