If you’ve got a Sony IP camera, update its firmware now

Security is tough enough without product developers punching backdoors into their own IP devices and then shipping them unpatched. But, as security researchers at SEC Consult recently discovered, Sony might have done just that with 80 models of its Sony IPELA Engine IP Cameras.

SEC Consult found backdoors that could allow attackers “to run arbitrary code on the affected IP cameras… to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you”.

Its researchers first discovered these holes in early October, while testing another firmware update. They quickly discovered multiple sets of hard-coded password hashes. The password associated with user “admin” was, sure enough, “admin”.

A second password hash, for the user “root”, appeared almost equally easy to break. (SEC Consult carefully avoided trying: “We have not cracked the root password, but it’s only a matter of time until someone will.”)

SEC Consult’s blog entry walks through every step involved in bootstrapping an attack that first sends HTTP requests, authenticates, finds hidden CGI capabilities, uses them to start Telnet network services that were previously turned off by default, and then logs in with root privileges to a Linux shell, taking full control of the device.

According to its detailed Security Advisory, SEC Consult notified Sony on October 14, followed up twice to ask for progress updates, and was informed on November 8 that Sony was working on a fix.

Sony released updated firmware on November 28 and informed SEC Consult. Over the following week, CERT-BUND, CERT-at, and the Forum of Incident Response Teams were notified. Finally, after getting all these ducks in a row, SEC Consult publicly released its security advisory on December 6.

Happy ending, right? Sure, assuming every Sony IPELA camera owner on Earth quickly updates their firmware. If you own one (or 1,000) of these, go and download the firmware update stat, here. You’ll need Sony’s accompanying SNC Tool Box utility, too. Decompress the firmware package, paying close attention to the 16-page PDF instruction manual. (You’ll need to: it’s full of non-native English like: “About 30 minutes by the time the one-target version up completes or it drives.”)

SEC Consult suspects the backdoors may have been “introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing)”. It has asked Sony about this… but so far, radio silence.

Sony’s website seems to have been equally circumspect about notifying its customers. We can’t find anything yet on its main Security or News or Support Center pages, or anything suggesting a serious security issue on its Resources page. Perhaps by the time you’ll visit, Sony will have shared this info a bit more prominently.

Many of these devices are fairly high-end, protecting significant enterprise or government assets. In some environments, fairly sophisticated IT teams may be closely tracking their IP cameras, and staying completely on top of firmware updates. But we suspect some of these babies get little day-to-day attention from cybersecurity professionals. If so, the implications might be… suboptimal.

Equally suboptimal: the whole notion of backdooring your own products. As Tom’s Hardware put it: “Whether a company creates a backdoor accidentally (bugs or debugging tools left enabled in shipping products), for law enforcement purposes (“legal intercept”), for user convenience (“admin/admin” type of default credentials), or maliciously, they always end up being discovered by bad actors.”

We’re not quite sure about “always”. But close enough.