Dark Reading is part of the Informa Tech Division of Informa PLC


12/7/2016
04:20 PM

Researchers Find Backdoors, Bugs In Sony, White Box IP Cameras

New vulnerabilities discovered by SEC Consult and Cybereason highlight increasing IoT threat to enterprises.

Two alerts this week about vulnerabilities in widely used IP cameras should help dispel any lingering notions about the Internet of Things (IoT) security threat being largely a consumer problem.

One of the alerts was from Austrian security firm SEC Consult, while the other was from Cybereason.

In research published Tuesday, SEC Consult said it had found a backdoor in as many as 80 Sony IPELA Engine IP camera models.

The backdoor gives attackers a way to take complete control of vulnerable devices and use them to spy, launch attacks on other enterprise systems, disrupt camera functionality or make the devices part of a Mirai-like botnet. Sony’s website shows that the cameras range in price from under $500 to over $6,000 and appear designed for monitoring purposes in commercial and industrial settings.

Sony has updated its firmware to address the issue after SEC Consult informed the company of its discovery.

“Enterprises need to view this as the canary in the coal mine for IoT security,” says Brian NeSmith, the founder and CEO of Arctic Wolf Networks. “Hacking consumer video cameras don’t pose a huge risk, but as more enterprises try to leverage IoT technology and put more devices online, they need to understand they are significantly increasing the attack surface for cyberattacks,” he cautions.

SEC Consult said it stumbled upon the issue when uploading a firmware update from a Sony IP camera into SEC’s IoT Inspector firmware analysis system.

The analysis uncovered two hardcoded passwords in the firmware, one for user administration and the other for gaining root access. Further investigation showed the presence of two user accounts, one named ‘primana’ and the other ‘debug’.

Depending on the services that are started at runtime, an attacker could use the accounts to log in via the serial port or via Secure Shell and Telnet, SEC Consult said.
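The kind of check that surfaces accounts like these can be run by a device owner or vendor over an unpacked firmware image. The following is an added example, not SEC Consult's IoT Inspector or code from the article; it assumes the image contains Unix-style `passwd` and `shadow` files, and the sample entries and hashes are constructed placeholders.

```python
# Shells that cannot give an interactive session (an empty field means /bin/sh).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample data, not taken from any real firmware image.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
debug:$1$CONSTRUC$placeholderhashvalue00:0:0:factory test:/root:/bin/sh
www:x:33:33:web:/var/www:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUC$placeholderhashvalue01:17000:0:99999:7:::
www:!:17000:0:99999:7:::
"""

def password_state(field):
    """Classify a passwd/shadow password field."""
    if field == "":
        return "empty"    # login needs no password at all
    if field[0] in "!*":
        return "locked"   # password login disabled
    return "hash"         # a fixed credential ships inside the image

def parse_shadow(text):
    """Map user name -> password field from shadow-format text."""
    rows = (line.split(":") for line in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) >= 2}

def audit(passwd_text, shadow_text="", documented=()):
    """Return accounts that can log in with a credential baked into the image."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue      # skip blank or malformed lines
        name, pw, uid, _gid, _gecos, _home, shell = parts
        if pw == "x":     # real field lives in shadow; missing entry = locked
            pw = shadow.get(name, "*")
        state = password_state(pw)
        if state == "locked" or shell.strip() in NOLOGIN_SHELLS:
            continue
        findings.append({"user": name, "uid0": uid == "0",
                         "credential": state, "documented": name in documented})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, documented={"root"}):
        print(finding)
```

Any finding with `documented` set to false is an account the product documentation does not mention, and a `uid0` hit on such an account deserves a question to the vendor before the device goes on the network.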

The backdoor does not appear to have been installed by an unauthorized third party, according to the company. Rather, Sony developers seem to have created the accounts on purpose, likely to give themselves a way to debug devices or to run functionality tests on them.

Johannes Greil, head of SEC Consult’s vulnerability lab, says attackers can use the backdoor in the IP cameras to attack other systems on the network. “If an attacker successfully compromises the IP camera remotely, it can be used as a jump host to attack other internal systems, depending on the network and firewall configuration of course,” Greil says.

SEC Consult’s analysis shows that an attacker can use the backdoor ‘primana’ account to remotely target undocumented functionality within the web interface of the Sony IP cameras to enable Telnet and SSH on them.

The ‘primana’ account has access to other functionality as well, such as picture manipulation and calibrating settings for, or turning on, the device heater, if it has one, Greil says. Similarly, the ‘debug’ user account has access to undocumented functions that SEC Consult did not investigate.

Organizations using the vulnerable devices should immediately install the updated Sony firmware, he says. In addition, they should restrict access to the devices as much as possible and disallow Internet access via VLANs and firewalls, Greil says.

Cybereason’s alert, meanwhile, involved two zero-day bugs that it says are present in hundreds of thousands of low-cost IP cameras.

The first zero-day bug enables information disclosure and authentication bypass. An attacker can exploit the flaw to basically request any file from vulnerable devices, including the password people use to access the camera. So even if a user had set an extremely hard password, an attacker would simply be able to ask the device for it. The other bug enables attackers to gain root access to a vulnerable device after authenticating themselves using the password obtained.

The bugs exist in software developed by a company that assembles the cameras for so-called white box vendors, who distribute the devices often without a manufacturer’s name or logo.

Cybereason did not release technical details of the flaws or how they can be exploited, because of how widespread the issue is and the difficulty involved in identifying the suppliers of the devices and getting them to update. And even if they were willing to update, the cameras are not designed to receive updates, so the zero-days cannot be patched.

“The only way to guarantee that an affected camera is safe from these exploits is to throw it out,” says Amit Serper, principal security researcher at Cybereason.

In comments to Dark Reading, Serper says bugs like these show it's high time for organizations to stop viewing the IoT as some sort of a separate Internet. Organizations need to treat IoT devices as just other computers on the network that can have vulnerabilities and need to be protected, he says, adding that the focus, as always, needs to be on security and not just price. “People need to stop buying cheap crap, just because it is cheap,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
cyclepro,
User Rank: Strategist
12/8/2016 | 9:29:14 AM
Sony Camera
In the article it says that the IoT backdoor should be a lesson for people in not buying cheap items. In the case for Sony the cameras affected range in price from $500.00 to $6,000.00

Pretty cheap huh?
