Backdoors in Sony IP Cameras Make Them Mirai-Vulnerable
Botnet-Building IoT Malware Could Easily Infect Dozens of Model Types
An information security consultancy says it has found three secret backdoors in more than 80 Sony IP camera models that remote attackers could exploit to seize control of the devices.
Austria-based SEC Consult warns that there's a high chance that the cameras could be infected with the Mirai botnet code, which has infected millions of internet-of-things devices and been used to execute devastating distributed denial-of-service attacks (see Mirai Botnet Pummels Internet DNS in Unprecedented Attack).
But the vulnerabilities could also be used in more discreet ways, such as turning the cameras off or tapping into video streams to spy on people.
The software vulnerabilities and weaknesses affect Sony's IPELA Engine IP cameras, which are aimed at enterprise users. Sony has published an advisory detailing the vulnerable models and recommending that the latest firmware version be installed.
In a confidential document distributed by Sony to customers and obtained by Information Security Media Group, the Japanese multinational company says it has not detected any "damage" to its products as of Nov. 28. The document has not been publicly released.
Risk of Remote Exploitation
But here's the risk, according to SEC Consult's detailed security advisory: When set to their default configurations, the cameras are exploitable over the local network, and if the web interface is exposed to the internet, remote exploitation is also possible.
Sony says it is "grateful to SEC Consult for their assistance in enhancing network security for our network cameras." Sony officials who have been in touch with SEC Consult couldn't be reached for comment.
The consultancy's findings have been adding to experts' fears that many Linux-powered internet-connected devices running with loose security controls will remain a long-term problem if manufacturers don't improve their quality control.
Johannes Greil, a senior security consultant and head of SEC Consult's Vulnerability Lab, says his company hopes that vendors get their act together "and make more secure products out of the box and not actually harm their users."
Assessing Security of Devices
To help IoT device users assess the security of their devices, SEC Consult has developed a tool called IoT Inspector that analyzes the devices' firmware - the relatively simple software that manages software and hardware interfaces on computers and devices.
Thankfully, Sony didn't make that all-too-common IoT manufacturer error of leaving remote access protocols such as telnet and SSH directly accessible from the internet. That's what resulted in the fast spread of the first incarnation of Mirai in September, as the malware sought out internet-facing devices and tried dozens of well-known default login credentials for accessible services to successfully seize control of numerous devices (see Can't Stop the Mirai Malware).
But the telnet and SSH protocols are still present in the IPELA Engine IP cameras. And SEC Consult found a way to reach them, thanks to other errors made by Sony.
For example, it's common for software developers to leave remote access accounts in software for debugging purposes, but it's considered a bad security practice because such accounts can be used to bypass device security. SEC Consult found three such accounts in the firmware, including one that allows for root access, which it's labeling a "backdoor" because the account isn't documented by Sony.
SEC Consult also found hashes of the access credentials, which it was able to crack. The Sony cameras run a web server called lighttpd. SEC Consult found it could use one set of access credentials to remotely access the web server and then start telnet. After that, an attacker would only need to upload Mirai malware to the camera to turn it into a botnet node.
An even more dangerous flaw, however, stemmed from SEC Consult uncovering the hash for the IP cameras' hardcoded root password. "We have not invested much time into cracking it, but cracking it is only a matter of time and computing power," SEC Consult's Greil says.
Once cracked, that password would give remote attackers access to a Linux shell and thus enable them to take full control of a device, overwrite the firmware with code of their own design, sniff all traffic flowing over the device and more.
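The undocumented accounts and credential hashes described above are the kind of finding a firmware audit is meant to surface before a device ships. The following is an added example, not code from SEC Consult's IoT Inspector or from Sony: it reads passwd- and shadow-style files taken from an unpacked firmware image and lists every account that has both a login shell and a usable credential. The account names and hash strings in the sample are constructed placeholders.

```python
# Added example: audit passwd/shadow text from an unpacked firmware image.
from collections import namedtuple

Finding = namedtuple("Finding", "user uid shell reason")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
LOCKED_PREFIXES = ("!", "*")  # hash field that can never match a password

def parse_colon_file(text):
    """Yield field lists, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")

def audit_accounts(passwd_text, shadow_text=""):
    """Return accounts that ship with a login shell and a usable credential."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    findings = []
    for f in parse_colon_file(passwd_text):
        if len(f) < 7 or not f[2].isdigit():
            continue  # malformed entry
        user, pw, uid, shell = f[0], f[1], int(f[2]), f[6]
        if shell in NOLOGIN_SHELLS:
            continue  # cannot open an interactive session
        # "x" means the hash lives in shadow; a missing entry counts as locked
        hash_field = shadow.get(user, "*") if pw == "x" else pw
        if hash_field.startswith(LOCKED_PREFIXES):
            continue
        reason = "empty password field" if hash_field == "" else "hardcoded password hash"
        if uid == 0:
            reason += " (uid 0)"
        findings.append(Finding(user, uid, shell, reason))
    return findings

# Constructed sample data: account names and hash strings are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
svcdebug:$1$CONSTRUCTED$placeholderhash:0:0:debug:/:/bin/sh
www:x:33:33:web:/var/www:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED$placeholderhash:17000:0:99999:7:::
www:!:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Any account it reports that does not appear in the product documentation is a candidate for removal before release, since every unit running that firmware image carries the same credential.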
Not Easy To Fix
While these problems have been identified, and Sony has released updated firmware, there's a catch: It appears that owners of the cameras will need to manually install the firmware updates. Greil says that involves using Sony's SNC Toolbox and rebooting cameras.
That's problematic because the cameras are usually plugged in and forgotten and are sometimes placed in remote or difficult-to-reach locations. On the other hand, because these cameras are sold to enterprises, administrators may be more diligent in applying these must-have security fixes.
The firmware update takes between 10 and 20 minutes to install, according to Sony's confidential document.
Whether these vulnerable devices get patched at all, however, also depends on how well Sony can warn users that their devices contain known vulnerabilities, which relies in part on administrators having bothered to register the cameras with Sony.
Greil says SEC Consult hasn't yet vetted Sony's updated firmware, and notes that SEC Consult is still waiting for answers to multiple questions, such as how the backdoor accounts ended up in Sony's code. And he's criticized Sony's notification to users, contending that it doesn't allow affected customers "to make an informed decision about whether the risk justified an unscheduled patch."
Greil adds: "We had more questions to Sony in this regard, but they did not answer our inquiries."