Multiple Backdoors Found In Sony’s 'IPELA Engine' IP Cameras

SEC Consult, a European security company, uncovered a backdoor in 80 Sony IPELA Engine IP camera models. This latest discovery shows, once again, that it is universally a bad idea to have a backdoor in software and devices--no matter what the intentions are behind it. Sony has since fixed the backdoor with a firmware update, but the incident highlights the problems created by using a backdoor.

SNCVM602R - one of the affected Sony IP cameras

Whether a company creates a backdoor accidentally (bugs or debugging tools left enabled in shipping products), for law enforcement purposes (“legal intercept”), for user convenience (“admin/admin” type of default credentials), or maliciously, backdoors always end up being discovered by bad actors. The attackers use the backdoors to infect the devices with malware, steal data, or use the device in botnets, which are then used to attack small or large services for fun or profit.

Hardcoded Passwords And Root Account

Sony is learning the same lesson after SEC Consult did a routine analysis of Sony’s surveillance camera firmware while testing IoT Inspector, its tool for finding security weaknesses in IoT firmware. The security company discovered that Sony was using hardcoded default passwords, which the security community frowns upon because it leads to problems (such as millions of IoT devices being taken over by botnets).

However, this wasn’t the biggest problem with Sony’s cameras. SEC Consult also found an undocumented Sony root password, which means it was supposed to be hidden from the public. The root account can give unauthorized users access to do whatever they want with the devices, both locally and remotely, but Sony disabled remote access by default.

Debugging Accounts

The problems didn’t end there. The researchers also found two debugging accounts that Sony left in the firmware, seemingly for troubleshooting purposes. One account with the username “primana” and password “primana” seems to have been used for device calibration and factory testing. The other account, “debug,” had the password “popeyeConnection,” but the security company didn’t analyze it further.

Sony used hardcoded passwords, and it was only a matter of time before someone discovered them. The passwords seem easy to brute-force; Sony could’ve at least used stronger passwords for the debugging accounts.

These two accounts were also accessible remotely, and they could have been used to enable remote access to the root account. That could have given full remote control of the device to any potential attacker. The researchers said they didn’t try to brute-force the root account’s password, but considering how weak the other account passwords are, it could probably be cracked easily by a malicious attacker.
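The following is an added example, not SEC Consult's tooling or code from the original article: one check a defender can run on an unpacked firmware image to surface built-in accounts like the root and debugging accounts described above. It assumes the image carries a standard passwd-format file; the account names, hashes and the `documented` set are constructed for illustration.

```python
"""Audit a passwd-format file from an unpacked firmware image for built-in accounts."""

# Shells that do not give an interactive login.
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample, not taken from any real firmware image.
SAMPLE_PASSWD = """\
root:$1$CONSTRUCT$0000000000000000000000:0:0:root:/root:/bin/sh
admin:x:1000:1000:documented web admin:/home/admin:/bin/sh
factory:$1$CONSTRUCT$1111111111111111111111:0:0:factory test:/:/bin/sh
svc:*:100:100:service account:/var/empty:/bin/false
calib::1001:1001:calibration:/tmp:/bin/sh
"""

def has_embedded_hash(pw):
    # "x" means the hash lives in a shadow file; a leading "!" or "*" means locked.
    return pw != "" and pw != "x" and not pw.startswith(("!", "*"))

def audit_passwd(text, documented):
    """Return {username: [findings]} for accounts that need review."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report[f"<line {lineno}>"] = ["malformed entry"]
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        findings = []
        if pw == "":
            findings.append("empty password")
        elif has_embedded_hash(pw):
            # Same hash on every shipped unit, and it can be attacked offline.
            findings.append("password hash baked into image")
        if uid == "0" and user != "root":
            findings.append("extra UID 0 account")
        if shell not in NO_LOGIN_SHELLS and user not in documented:
            findings.append("undocumented login account")
        if findings:
            report[user] = findings
    return report

if __name__ == "__main__":
    # "admin" stands in for the accounts the vendor manual actually documents.
    for user, findings in audit_passwd(SAMPLE_PASSWD, {"admin"}).items():
        print(f"{user}: {', '.join(findings)}")
```

Any account the audit reports should be traced to a documented purpose or removed before the image ships.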

SEC Consult said that it had asked Sony about the purpose of the backdoor accounts and how it fixed them, but the company did not answer.

We’ve included all of the affected models in this list:

SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C, SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • DalaiLamar
    All your data will be channeled to the evil Abe government.
  • LeeRains
    Why is Sony always at the center of hacks, leaks, breaches, backdoors, rootkits... They seem incapable of learning anything from their past experiences when it comes to privacy and security (theirs and others').
  • Zaxx420
    So a multi-multi billion dollar corp. isn't capable of maintaining a team or teams of white hat hackers to screen (attempt to hack) Sony products before selling millions worldwide? wow...just wow. smh
  • rantoc
    IoT, a bazillion soon to become cancer cells on the internet. Some only need a nudge, others need a kick but in the end the result will in most cases be the same - Unless someone wakes up and takes it responsibly. IMO the company that has vulnerable devices should be fined HARD so it's less profitable to cut corners...

    @ZAXX420: It's all about the final line on the excel sheet and cutting corners short term makes that division deliver better numbers. Sony is imo one of the least reliable companies, they had huge hacks all over the place and have a history of unprotected devices.
  • Achoo22
    So a multi-multi billion dollar corp. isn't capable of maintaining a team or teams of white hat hackers to screen (attempt to hack) Sony products before selling millions worldwide? wow...just wow. smh
    Why should they when the overwhelming majority of people are sheep that don't seem to care that they are being spied on? Sony is the company that got away scot-free with audio CDs that added rootkits to any PC that played them... The only entities that could punish their behavior are instead complicit accomplices. It's a nasty situation and it's getting worse.
  • Remote access was disabled, it's not that big a deal.
  • Pdiddy1134
    Multiple back doors have been found on your mom...
  • therealduckofdeath
    Sony's motto: "Why are you still buying our stuff?"
  • DarkSable
    Remote access was disabled, it's not that big a deal.
    Andy Chow, you missed a line:

    The debugging accounts were completely open for remote access and could be used to allow remote access to the root user. It's a huge deal.