If you have a Sony network-connected CCTV camera, you may have a security problem. Researchers at SEC Consult uncovered a backdoor in Sony IP cameras that could allow a hacker to remotely execute malicious code, spy on users, brick devices, or recruit them into a DDoS botnet. As the vandal-resistant Sony IPELA Engine IP cameras at the centre of the security scare are largely used by big businesses and authorities to protect people and property, you would be right to wonder how owners of the vulnerable devices would feel if they knew their security cameras had been hijacked by an unknown party. A critical security hole allows an attacker to remotely enable the Sony IP cameras' Telnet/SSH service, opening an opportunity to grab root privileges. Predictably, the vulnerability can be exploited because the cameras have factory default passwords hardcoded into their firmware - allowing anyone in the world to log into them if the devices are accessible via the internet. Stefan Viehböck led the research team, which used an internet-based analysis system called IoT Inspector to examine a firmware update issued by Sony. Within minutes it had ascertained that Sony's update code contained two password hashes, one of which - "admin" - was cracked immediately. The use of "admin" as a password was, sadly, no particular surprise. After all, the admin password was also hardcoded to be... you guessed it... "admin".
It is presumed that, given time, the root password would also be cracked. SEC Consult informed Sony of the backdoor in October, and firmware updates were released for all of the affected camera models at the end of last month. With the current wave of IoT-powered DDoS attacks, exploiting poorly-secured webcams and other devices, it should go without saying that users should apply the firmware update as a matter of priority. Sony would not confirm the reason why the backdoor into its cameras existed, but researchers believe the most likely explanation is that it may have been introduced as way to allow the company to debug the device during development, or for testing during the manufacturing process. However, the company did say that it was "grateful to SEC Consult for their assistance in enhancing network security" for its products. And, to be fair, it appears that Sony responded reasonably quickly after being informed of the problem. It's certainly not always the case that manufacturers act so responsibly. For instance, a research team at Cybereason has claimed this week that a pair of two high profile vulnerabilities they found in a wide variety of IP surveillance cameras two years ago have been ignored by manufacturers, leaving devices open to authentication bypass and web server command injection. According to Cybereason, the makers of webcams just aren't taking security seriously enough:
"Most of the cameras run older versions of Linux, like version 2.6.26, while a few run the most recent version from around 3.0 and up. While the OS is somewhat modern, all the cameras were running extremely old and vulnerable software, especially programs that people use to connect to the Internet. The Web server software found in many of the cameras, for example, was from around 2002."
It is clear that too many vulnerabilities in too many web-connected devices are going unpatched. 2017 is going to see a rise in IoT security issues unless manufacturers start to do a seriously better job of protecting their devices from attack. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
