SEC Consult, a European security company, uncovered a backdoor in 80 Sony IPELA Engine IP camera models. This latest discovery shows, once again, that it is universally a bad idea to have a backdoor in software and devices, no matter what the intentions behind it are. Sony has since fixed the backdoor with a firmware update, but the incident highlights the problems that backdoors create.
Whether a company creates a backdoor accidentally (bugs or debugging tools left enabled in shipping products), for law enforcement purposes (“legal intercept”), for user convenience (“admin/admin” type of default credentials), or maliciously, backdoors always end up being discovered by bad actors. The attackers use the backdoors to infect the devices with malware, steal data, or use the device in botnets, which are then used to attack small or large services for fun or profit.
Hardcoded Passwords And Root Account
Sony is learning the same lesson after SEC Consult did a routine analysis of Sony’s surveillance camera firmware while testing its IoT Inspector tool for security weaknesses in IoT firmware. The security company discovered that Sony was using hardcoded default passwords, which the security community frowns upon because it leads to problems (such as millions of IoT devices being taken over by botnets).
However, this wasn’t the biggest problem with Sony’s cameras. SEC Consult also found an undocumented Sony root password, which means it was supposed to be hidden from the public. The root account can let unauthorized users do whatever they want with the devices, both locally and remotely, although Sony disabled remote access by default.
The problems didn’t end there. The researchers also found two debugging accounts that Sony left in the firmware, seemingly for troubleshooting purposes. One account with the username “primana” and password “primana” seems to have been used for device calibration and factory testing. The other account, “debug,” had the password “popeyeConnection,” but the security company didn’t analyze it further.
Sony used hardcoded passwords, and it was only a matter of time before someone discovered them. The passwords seem easy to brute-force; Sony could’ve at least used stronger passwords for the debugging accounts.
These two accounts were also accessible remotely, and they could have been used to enable remote access to the root account. That could have given full remote control of the device to any potential attacker. The researchers said they didn’t try to brute-force the root account’s password, but considering how weak the other account passwords are, it could probably be cracked easily by a malicious attacker.
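Accounts like these can be caught before a firmware image ships. The following is an added example, not SEC Consult's or Sony's code: it assumes the unpacked image keeps its accounts in standard Unix passwd and shadow files (the article does not say where Sony stored the credentials), and the sample files, hashes and account names are constructed.

```python
# Added example: audit passwd/shadow text from an unpacked firmware image.
LOCKED = ("!", "*")               # prefixes that mean "no password login"
NOLOGIN = ("/nologin", "/false")  # shells that refuse interactive login

def parse_shadow(text):
    """Map username -> password field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            hashes[parts[0]] = parts[1]
    return hashes

def audit_accounts(passwd_text, shadow_text=""):
    """Return (user, uid, finding) for every account that can log in
    with a credential baked into the image."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue                      # skip malformed or comment lines
        user, pw, uid, shell = parts[0], parts[1], parts[2], parts[6]
        if pw == "x":                     # hash lives in shadow
            pw = shadow.get(user, "*")    # no shadow entry: treat as locked
        if pw.startswith(LOCKED) or shell.endswith(NOLOGIN):
            continue
        if pw == "":
            findings.append((user, uid, "empty password"))
        elif uid == "0":
            findings.append((user, uid, "root-level account with baked-in hash"))
        else:
            findings.append((user, uid, "login account with baked-in hash"))
    return findings

# Constructed sample files; account names other than root are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
factory:x:500:500:factory test:/tmp:/bin/sh
svc:x:0:0:service:/root:/bin/sh
guest::501:501:guest:/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholderhashvalue000:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
factory:$1$CONSTRUCTED$placeholderhashvalue111:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
"""
```

Every finding is a credential that is identical on each device running the image, so a release check can fail the build whenever `audit_accounts` returns a non-empty list.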
SEC Consult said that it had asked Sony about the purpose of the backdoor accounts and how it fixed them, but the company did not answer.
We’ve included all of the affected models in this list:
SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C, SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL