A long list of IP-enabled security cameras made by Sony contain backdoors in their firmware that can allow an attacker to run arbitrary code remotely on the devices, potentially opening them up for use in a botnet.
The affected devices are surveillance cameras, mainly used in enterprise and retail settings, and dozens of models contain the vulnerable firmware. Researchers at SEC Consult discovered the backdoors and found that an attacker could use one of them to enable hidden Telnet and SSH services on the cameras and then use the other backdoor to gain root privileges.
“Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other functionality, allow an attacker to enable the Telnet/SSH service for remote administration over the network. Other available functionality may have undesired effects to the camera image quality or other camera functionality,” the advisory from SEC Consult says.
“After enabling Telnet/SSH, another backdoor allows an attacker to gain access to a Linux shell with root privileges! The vulnerabilities are exploitable in the default configuration over the network. Exploitation over the Internet is possible, if the web interface of the device is exposed.”
Once an attacker has root privileges on a vulnerable camera, he could take any number of actions, including installing malicious software and adding the camera to a botnet for use in other attacks. This is similar to how attackers have been recruiting new devices into the Mirai botnet for the last couple of months. The Mirai malware scans for devices with Telnet enabled and default credentials, then compromises them and begins scanning again. The backdoors in the Sony cameras also could be used for other purposes.
“An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you. This vulnerability affects 80 different Sony camera models,” SEC Consult said in a blog post on the bugs.
Sony has released new firmware for the IPELA cameras affected by the vulnerabilities. The SEC Consult researchers said they think the backdoors were not accidental.
“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an “unauthorized third party” like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755). We have asked Sony some questions regarding the nature of the backdoor, intended purpose, when it was introduced and how it was fixed, but they did not answer,” they said.
Image: Mike Mozart, CC BY 2.0 license.