Backdoor Vulnerabilities Found in Over 80 Sony IP Camera Models
Several models of security camera made by Sony could be hacked by attackers, researchers have discovered. The security research firm SEC Consult said that the security flaw allows criminal hackers to remotely execute code, hijack vulnerable cameras, and spy on users. These security cameras can also be infected with botnet malware if they are not updated to the latest firmware version.
Similar to how a large number of cameras and other IoT devices were used in the Mirai botnet to launch massive cyber attacks in the last two months, compromised Sony IP cameras can also be added to botnets.
Backdoor accounts discovered in Sony IP camera models
This critical security flaw lies in two backdoor accounts that exist in 80 models of professional Sony security cameras, predominantly used by government and businesses thanks to their high price tag. These backdoors allow attackers to enable the Telnet/SSH service remotely. Once in, attackers can use a secondary backdoor leading to root privileges. The second uses a hard-coded password for the root account that attackers can take over to get full control of the camera over Telnet.
“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an unauthorized third party,” the research team said. “We have asked Sony some questions regarding the nature of the backdoor, intended purpose, when it was introduced and how it was fixed, but they did not answer.”
Earlier in October, a huge DDoS cyberattack was launched taking down large swaths of the internet. Mirai-based botnet used compromised IP cameras to launch the attack, after which a Chinese webcam maker had to issue a product recall.
“An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet, or to just simply spy on you,” researchers warned.
Before publishing their findings, SEC Consult informed Sony about this vulnerability and the camera maker has now released a new firmware update (link here) that fixes the security bugs. Users are strongly recommended to install these updates to avoid being a target of hackers or botnets.