Security firm SEC Consult has uncovered two backdoor accounts in Sony Ipela Engine IP Cameras, which could make them vulnerable to outside attacks.
According to SEC, the user accounts – “primana” and “debug” – could be used by remote attackers to take over the web server built into the cameras, and then enable telnet, which is a network protocol that allows a user on one computer to log into another computer on the same network. This is the same method used by Mirai, which scans the internet for IoT devices that have telnet enabled and are protected by factory default passwords.
“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an “unauthorized third party” like in other cases,” SEC wrote in a recent blog post.
There are other undocumented functionalities in the Sony IP cameras that could be abused by attackers, such as commands that can be activated to distort images and video footage, and a camera heating feature that could be exploited to overheat the devices, Johannes Greil from SEC’s Vulnerability Lab told KrebsonSecurity.
According to Greil, it is likely that the backdoor accounts have been present in Sony cameras for at least four years, and there are signs that someone may have discovered them back in 2012 and attempted to crack the passwords.
After being informed about the vulnerabilities by SEC, Sony released a firmware update to disable the backdoor accounts on its cameras. Users will need to use SNC Toolbox to complete the update.
Meanwhile, researchers at Cybereason claim to have uncovered vulnerabilities in a range of IP camera families that are white-labelled under many different brands available on eBay and Amazon. According to the security firm, these devices all have the password “888888” and are easily remotely accessed over the internet, due to a factory-default P2P communications capability that enables remote cloud access to the devices if a user visits the manufacturer’s website and is able to provide the unique code stamped on the bottom of the devices.
The CEO of Cybereason, Lior Div, has advised users to simply dispose of these devices.
The security firm offers an online tool for customers to determine whether their security camera is vulnerable to outside attacks.