Sony released firmware updates for security cameras to address a critical vulnerability that can end up exploited.
The flaw, discovered by IT security services and consulting company SEC Consult, affects 80 Sony SNC series IP cameras that feature the company’s IPELA ENGINE signal processing system. These professional products end up used by global organizations.
An analysis revealed the firmware for Sony IPELA ENGINE IP cameras contains hardcoded password hashes for the admin and root users. Researchers only cracked the admin password, which is “admin,” but they believe the root password can also end up easily obtained.
Researchers also discovered a CGI binary (prima-factory.cgi) that allows a remote user to enable the Telnet service on a device by sending it a specially crafted HTTP request. The request needs to include authentication data, but the username and password (primana/primana) can end up found in plain text in a file.
An attacker can use these credentials to send a request to prima-factory.cgi and enable the Telnet service, and then leverage the root account to gain remote access with elevated privileges.
SEC Consult said the “primana” user account, which is effectively a backdoor, appears to have been introduced on purpose by Sony for device testing. Experts also uncovered a similar account named “debug” with the password “popeyeConnection,” but its functionality has not been analyzed.
“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult researchers said in a blog post.
Once they gain root access to the device, attackers can carry out various actions, such as disrupting camera functionality, spying on the user, manipulating videos, breaching the network that houses the camera, and infecting it.
The vulnerability can be exploited by an attacker with network access or over the Internet if the camera’s web interface is exposed. An online search shows roughly 4,000 cameras accessible from the Internet, including the United States and Germany, but experts believe the actual number is likely much higher.
The following camera models suffer from the issue:
SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C, SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL.