80 different models of Sony IPELA Engine IP Cameras have multiple backdoors that can be misused by attackers to take control of the device, disrupt its functionality, add it to a botnet, and more.
Researchers from SEC Consult discovered two application-level backdoor accounts (“primana” and “debug”) with hardcoded passwords, the hashes of which are included in the devices’ firmware. The hashes can be cracked, and through these accounts, attackers can access specific, undocumented CGI functionalities.
They also found a CGI binary that can allow attackers to remotely enable the Telnet service on a vulnerable device by simply sending a specially crafted HTTP request. Once that’s done, they can use the credentials for the “primana” account to log in, and the device is at their mercy.
“The user primana has access to other functionality intended for device testing or factory calibration(?). There is another user named debug with the password popeyeConnection that has access to other CGI functionality we didn’t analyze further,” they noted.
“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755).”
Sony has been appraised of their findings and has issued patched firmware to remove the backdoor accounts, but has offered no comment on why these accounts were there in the first place.
Read more here: www.helpnetsecurity.com/2016/12/07/sony-ip-camera-backdoors/