Sony kills off secret backdoor in 80 internet-connected CCTV models

Magic 'secret key' HTTP request opens up admin control

Sony has killed off what, charitably, looks like a debug backdoor in 80 of its web-connected surveillance cameras that can be exploited to hijack the devices.

The hardcoded logins can potentially be used by malware, such as variants of the Mirai bot and its ilk, to automatically and silently commandeer swathes of Sony-built CCTV cams on the internet – and use the gadgets to launch attacks on other systems or spy on their owners. The vulnerable gizmos are branded Sony Professional Ipela Engine IP cameras.

The backdoor was discovered by Stefan Viehböck of Austrian infosec outfit SEC Consult in October, reported to Sony and disclosed today. Firmware updates to kill off the vulnerability are already available from sony.co.uk. "We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said.

The firmware contains two hardcoded, permanently enabled accounts in the built-in web-based admin console: debug with the password popeyeConnection, and primana with the password primana. The latter, coupled with magic strings in the URL, unlocks telnet access, potentially granting administrative access to the camera via a command line. Later models can open an SSH server, too.

For example, the following URLs, once sent to a vulnerable web-facing device, will enable telnet access:

http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

This triggers the prima-factory.cgi program in Sony's fifth-generation Ipela Engine cameras to open the backdoor by starting inetd, which is configured to run a telnet daemon on port 23. Sixth-generation cams use the magic string "himitunokagi", which is Japanese for "secret key". Once the telnet or SSH service is active, you can log in as root and get command-line-level access to the operating system if you can crack these password hashes:

$1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)
iMaxAEXStYyd6 (gen-6 models)

SEC Consult reckons the hashes will be cracked by miscreants soon enough, thus revealing the hardcoded root login password. Therefore, it's recommended firmware updates are applied to at-risk cameras before they are infected by hackers who have discovered the backdoor password.
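For anyone who needs to check whether cameras on their network have already been poked at, here is an added example (not code from SEC Consult, Sony or this article's sources) that scans HTTP access logs for use of the two hardcoded accounts and the prima-factory.cgi endpoint. It assumes the logs come from a reverse proxy or network sensor writing the Apache/nginx "combined" format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Identifiers taken from the article above.
BACKDOOR_USERS = {"primana", "debug"}
FACTORY_CGI = "/command/prima-factory.cgi"

# Assumption: "combined" log format from a proxy or sensor in front of the
# cameras; the cameras' own logging is not described in the article.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (source, status, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Compare case-insensitively and after percent-decoding, so trivially
    # disguised requests are still flagged (this may over-match; that is fine
    # for triage).
    path = unquote(url.path).lower()
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    reasons = []
    if m["user"].lower() in BACKDOOR_USERS:
        reasons.append("hardcoded-account:" + m["user"].lower())
    if path == FACTORY_CGI:
        reasons.append("factory-cgi")
        if "telnet" in params:  # any value: the magic string differs by model
            reasons.append("telnet-enable-param")
    return (m["src"], int(m["status"]), reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, placeholder parameter value).
SAMPLE_LOG = [
    '198.51.100.7 - admin [06/Dec/2016:10:01:02 +0000] "GET /home.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - primana [06/Dec/2016:10:02:10 +0000] "GET /command/prima-factory.cgi?foo=bar&Telnet=PLACEHOLDER HTTP/1.1" 200 0 "-" "curl/7.50"',
    '203.0.113.9 - debug [06/Dec/2016:10:02:30 +0000] "GET /home.html HTTP/1.1" 401 0 "-" "curl/7.50"',
    '192.0.2.44 - - [06/Dec/2016:10:03:00 +0000] "GET /command/Prima-Factory.cgi?x=1 HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for src, status, reasons in scan(SAMPLE_LOG):
        print(src, status, ",".join(reasons))
```

A hit with a 2xx status on the factory CGI is worth treating as a sign the camera is still on old firmware and may already have telnet or SSH open.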

"We have not invested much time into cracking the root password, but this is only a matter of time and computing power, so eventually it will be cracked by someone," Johannes Greil, head of SEC Consult's Vulnerability Lab, told The Register.

"We want vendors to get their act together and make more secure products out of the box and not actually harm their users with insecure IoT products. Publishing the root account password and making the devices an instant Mirai-botnet target is of no good to anyone."

The devices also have a default username and password combo of admin:admin for the web-based admin console. Besides this, the primana account hardwired into the built-in web server gives you access to device testing and calibration features, and the debug account opens up other features SEC Consult has yet to explore.

The affected models use firmware version 1.82.01 or earlier if they are fifth generation, or 2.7.0 or earlier if they are sixth generation. Firmware versions 1.86.00 and 2.7.2 contain the fixes, we're told. Specifically, if you have any of the following models, you should check if you have the latest firmware installed:

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL, SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, and SNC-ER521C.

"SEC Consult recommends you not to use these products until a thorough security review has been performed by security professionals," the infosec biz warns. ®
