Sony IP Camera Backdoor Uncovered

By: Brian Karas, Published on Dec 06, 2016

A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root, giving them full access to control the camera.

Sony has issued new firmware for all cameras to fix this issue.

Exploit Overview

SEC Consult disclosed the vulnerability. Researchers analyzing firmware for Sony cameras found hard-coded credentials in the firmware for admin and root accounts. While the Sony cameras do not have telnet enabled by default, further firmware analysis revealed how to cause the camera to enable telnet access through a specially crafted URL.

Once telnet is enabled on the camera, an attacker can login as root and take control of the device.

Root Password Not Cracked - Yet

The password for the root user has not been cracked, though the hashes for it are known. It is expected that the root password will be cracked within a matter of time. Hashes are:

  • root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
  • root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Devices At Risk

Gen 5 and Gen 6 Sony cameras that can be accessed via network is at risk of having telnet enabled by attackers, all it takes is sending a specific URL request to the camera. For example, for Gen 5:

  • http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9 [link no longer available]
  • http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk [link no longer available]

Cameras vulnerable include:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Remote attackers would not be able to access the telnet shell, unless port-forwarding was already setup for telnet.  While having telnet open by default is not common, the Mirai botnet propagates via telnet, and have already infected 3 million+ devices.

On local networks attackers could enable telnet and access the camera without issue in most cases. Machines on the same network as the cameras could be used to launch attacks agains the cameras if remote access was available to those machines through VPNs, remote-desktop protocols, or other means.

Firmware Update Links

Firmware for Ipela cameras should be upgraded immediately, doing so before Sony's root password is discovered should reduce risk of this exploit impacting users.

Sony Future

Recently, Sony and Bosch announced a partnership where Sony will provide imaging and Bosch will handle the networking side, which is relevant here. It will be interesting to see how that partnership evolves as Sony, outside of a few high end cameras, has not kept pace with launching new IP cameras over the past three years, as low cost competition has intensified.

5 reports cite this report:

Sony Gen 5 IP Cameras Critical Vulnerabilities on Jul 26, 2018
Cybersecurity vulnerabilities remain prevalent in video surveillance...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
Axis 5 Vulnerabilities Examined on Dec 01, 2017
A group of vulnerabilities, including a new discovery from bashis (who...
Hikvision Firmware Decrypted on Mar 09, 2017
A developer has decrypted Hikvision's firmware, allowing examination of...
Sony Misleading Marketing Hides Cracked Backdoor on Jan 25, 2017
Sony is attempting to deemphasize the severity of the backdoor uncovered in...
Comments (26) : Members only. Login. or Join.

Related Reports

Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Camio Presents Coronavirus Social Distancing Analytics on Apr 20, 2020
Camio presented its social distancing analytics for responding to coronavirus...
Camera Course Summer 2020 - Last Chance on Jul 18, 2020
This is your last chance to register for the Summer 2020 Camera Course. This...
Hikvision Impossible 30 People Simultaneously Fever Claim Dupes Baldwin Alabama on Sep 01, 2020
The Alabama school district which spent $1 million on Hikvision fever cameras...
ZKTeco Presents SpeedFace Recognition + Body Temperature Detection on Apr 21, 2020
ZKTeco presented its SF1008+ reader with body temperature and face mask...
ISC News Fakes Fever Screening, Falsely Quotes FDA on Jun 18, 2020
ISC News, the Reed publication behind the ISC East and West trade shows, has...
Video Surveillance 101 Book Released on Jul 07, 2020
IPVM's unique introduction to video surveillance series is now available as a...
Startup Solink $17 Million USD Fund Raise Expands To Mass Market on Jun 24, 2020
Solink has raised ~$17 million USD, a sizeable round for the company that...

Recent Reports

FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...
China Bems Temperature Measurement Terminal Tested on Sep 22, 2020
Guangzhou Bems (brand Benshi) is the manufacturer behind temperature...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Avigilon Elevated Temperature Detection Camera Tested on Sep 17, 2020
Avigilon has entered the temperature screening market with the release of...
Chilean Official Investigated for Motorola And Hikvision Contracts on Sep 17, 2020
A corruption investigation is underway in Chile after a crime prevention...
Huawei HiSilicon Production Shut Down on Sep 17, 2020
Huawei HiSilicon chips are no longer being manufactured or supplied to...
Virtual ISC West and GSX+ Exhibiting Contrasted on Sep 17, 2020
Both ISC West and ASIS GSX are going virtual this year, just weeks apart, but...
X.Labs Sues FLIR on Sep 16, 2020
X.Labs, the maker of Feevr, has sued FLIR, the publicly traded thermal...
Video Surveillance 101 September Course - Last Chance on Sep 16, 2020
Today is the last chance to sign up for the Fall Video Surveillance 101...
No Blackbody Mistake, Half Million Dollar, Hikvision Fever Camera System in Georgia on Sep 16, 2020
A Georgia school district touted buying Hikvision fever screening "about...
Costar Technologies / Arecont H1 2020 Financials Examined on Sep 16, 2020
Costar's financial results have been hit by the coronavirus with the company...
Startup Cawamo Presents Live Alerts With Edge AI and Cloud VMS on Sep 15, 2020
Cawamo, an Israeli edge-to-cloud analytics and VMS startup, presented its...