Slashdot Mirror

← Back to Stories (view on slashdot.org)

Backdoor Accounts Found in 80 Sony IP Security Camera Models (pcworld.com)

Posted by msmash on from the security-woes dept.

Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price, PCWorld reports. From the article: One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday. The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven't actually cracked it, they believe it's only a matter of time until someone does. Sony released a patch to the affected camera models last week.

55 comments

  1. Oh boy! by Anonymous Coward · · Score: 1

    Could I log in through the backdoor account, hack the camera to display the same image continuously on a loop, and then waltz into the vault and load up my satchel with valuables? Count me in!

    1. Re:Oh boy! by Anonymous Coward · · Score: 0

      Sure, but first you will have to register your connection, your address, phone number, IP address, email, submit to a credit and background check, use a credit card, then you would have to confirm all that with a text message to your cell phone.

    2. Re: Oh boy! by Anonymous Coward · · Score: 0

      Would be much easier to just code a gui in visual basic to trace the ip address.

  2. Lorex security cameras just as bad max password by Joe_Dragon · · Score: 1

    Lorex security cameras just as bad max password is 6 characters

    1. Re:Lorex security cameras just as bad max password by Anonymous Coward · · Score: 0

      This is something I've never really understood: limiting password length. There's no fucking sane reason to do it except "standards compliance", and even then there's no practical reason to limit it to anything less than, say, 128 characters. Having a password that long may sound crazy, but the password hash will be only a fraction of that length and it effectively eliminates bruteforcing the hashes. Since passwords should always be hashed, they will eat up the same storage space whether the password is 1 character or 100 characters long. The only limit should be the processing power hashing a long password takes, but the algorithms are so effective that even on low-end IoT-class hardware, it's no problem.

    2. Re:Lorex security cameras just as bad max password by Anonymous Coward · · Score: 1

      As recently as 2013, the American Express website would only look at and store the first 8 characters you typed in. If you thought your password was "morningsAreFun123_whenYouGetWood456", it was really just "mornings", and ridiculously easy to crack. There used to be threads all over community.americanexpress.com bitching about it. Ironically, the forum site itself required a more complex password than the strongest one you were allowed to create on your actual banking/card account!!

      Never made any sense to me either, it's criminally negligent if you ask me.

    3. Re:Lorex security cameras just as bad max password by guruevi · · Score: 3, Interesting

      Most of those platforms run on systems with limited memory. 200 bytes for 5 usernames and their passwords is 'a lot' of storage if you only have 128kbytes of it.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:Lorex security cameras just as bad max password by Anonymous Coward · · Score: 0

      So we have two options for IoT. One, let's implement proper security protocols on all IoT devices. Two, let's suffer the grave consequences of Mirai botnet and its numerous clones if we lull into thinking what you said is the only approach.

      Even the shittiest IoT device should be possible to configure to authenticate legitimate use properly. This doesn't mean it should store the all user credentials. I mean, it's not like every single server in for example Microsoft's cloud services store every single user's credentials. They use authentication protocols. All you need to do is configure the devices to authenticate somehow, somewhere when you configure or use them. This can be for example a "box" you connect somewhere, like in your router or a wall socket, and this "box" acts as a hub for all the connected devices after pairing them.

      The bottom line is that if your devices are insecure and can't authenticate users properly, they are menacing pieces of shit. Shit that shouldn't exist to begin with.

      Sorry if it got rant-ish, I just hate shitty security a lot.

    5. Re:Lorex security cameras just as bad max password by thomn8r · · Score: 1
      Most of those platforms run on systems with limited memory. 200 bytes for 5 usernames and their passwords is 'a lot' of storage if you only have 128kbytes of it.

      1988 just called - they want their hardware back...

    6. Re:Lorex security cameras just as bad max password by guruevi · · Score: 1

      How do you think we "IoT" device makers are making money on 'free' devices or '$10/month unlimited storage'. It's not because we have a 2GHz processor in every device, these are the specs on the 'latest' "Smart WiFi/BT application SoC": 256KB embedded Flash and 32KB SRAM. Often these devices are made with yesteryear's chips that are half or even quarter of that.

      And in that 256KB must fit: 2-4 web pages with graphics, the various triggers, motion code (send a picture to SMTP, FTP, SMB)

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:Lorex security cameras just as bad max password by arglebargle_xiv · · Score: 1

      There's a flag-carrier airline that limits its, uh, passwords to four digits. Not even four characters, four digits. After all, if it's good enough for banking PINs, it must be good enough to book air travel.

  3. Of course by Anonymous Coward · · Score: 0

    of course. Sony is notorious for doing things like that. which is why I won't use their products.

    1. Re:Of course by Calydor · · Score: 3, Insightful

      Whether or not you personally use Sony products does not prohibit someone else from taking your ISP offline with a botnet of Sony products.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Of course by Anonymous Coward · · Score: 0

      Maybe they were just targeting the UK market.

    3. Re:Of course by Opportunist · · Score: 1

      No, but it would be nice if the makers of crappy hardware were responsible for the damage done by their faulty products. Let's call this novel, revolutionary idea "product liability".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. What camera to buy? by gQuigs · · Score: 3, Insightful

    I'd like to buy an IP camera, but I haven't been able to find any that are as open/secure/clearly* supported than a raspberry pi with a camera board (and motion software). I'd rather buy a complete solution than put it together myself though.

    Requirements:
    * Not require the cloud. (Happy if the feature exists as long as it has an off switch)
    * Have an OS that has a stated support period (of at least 3 years)
    * Sent a video feed to other device on my network.
    * 720p+
    * Ideal budge Less than $100

    Ideally it would have an Open Source OS that I can replace if I want, but does everything I need so I never want to...

    1. Re:What camera to buy? by sims+2 · · Score: 1

      No idea but i'd like some of those too.

      --
      Minimum threshold fixed. Thanks!
    2. Re: What camera to buy? by Anonymous Coward · · Score: 0

      Grab a raspberry pi an slap a camera on it.

    3. Re:What camera to buy? by Anonymous Coward · · Score: 0

      Check out TRENDnet TV-IP322WI. Even though it can connect to the cloud I have blocked any outgoing connections at my router (at the MAC level).
      I am using 2 of them with ZoneMinder and it works very well. You can access ZM through VPN or from your phone using zmNinja (with https).

    4. Re:What camera to buy? by tlhIngan · · Score: 2

      I'd like to buy an IP camera, but I haven't been able to find any that are as open/secure/clearly* supported than a raspberry pi with a camera board (and motion software). I'd rather buy a complete solution than put it together myself though.

      Check out the UBNT UniFi cameras. They can work standalone, but work much better when you connect them to their DVR software (which runs on Java, so works on Linux, Windows, OS X ,etc). Better yet, all you use to view and configure it is... a web browser.

      So the camera is the camera, and you can access its IP directly, but you can have your Pi run the DVR software and then extends it into a much more powerful surveillance system.

    5. Re:What camera to buy? by guruevi · · Score: 1

      You're not going to find a 'good' IP camera sub-$100. Axis makes (or at least made a few years ago) some awesome devices running Linux, publishing sources etc. Some Netgear is good too although video quality is bad and getting sources is also horrendous. Other than that, I haven't seen anything 'good' recently unless you go old school analog and use a DVR.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:What camera to buy? by Anonymous Coward · · Score: 0

      As someone who has spent time in the past two months digging into this, I can confirm. I was hoping to find a few "cheap" outdoor (and by outdoor I mean capable of surviving Canadian prairie winters) HD camera with decent IR that can be run by PoE, doesn't look hideous, and will play nicely with ZoneMinder, but as it turns out, no such thing exists. I'm looking at easily a couple grand if I want to properly cover my front and back yards, sides of the house, doors, driveway, and garage. I honestly wonder if putting the cameras won't actually make me a target because taking all of those fuckers would be a nice haul.

      The search continues...

    7. Re: What camera to buy? by Anonymous Coward · · Score: 0

      IQeye cameras have phenomenal quality for the price ($50 used). Telnet shell, they run an RTOS. API to configure settings, from jobs on the camera, onboard motion detection, gain windows, privacy windows, and standard MJPEG stream. The newer ones are Xilinx.

    8. Re:What camera to buy? by fisted · · Score: 1

      1. put $camera on seaprate vlan
      2. don't route to/from it from the interwebs
      3. stop caring about OS support period
      4. ???
      5. video feeds!

      literally the only requirement is that it, as you say, does not *require* "the cloud". but i guess most cameras can operate more or less on their own. (?)

      --
      CLI paste? paste.pr0.tips!
    9. Re:What camera to buy? by Anonymous Coward · · Score: 0

      I have 8 cameras hooked up using this system, closed or can be connected to the internet, just had to run the wires, keeps some of my neighborhood gremlins away. Words out that this place is totally under video surveillance, the low lifes target other homes...

      https://www.amazon.com/Amcrest-Security-Weatherproof-Cameras-Transmit/dp/B00PMEG8YQ

      Add a cheapie splitter or 4 more IP cameras, surviving fine out in all weather.

    10. Re:What camera to buy? by antdude · · Score: 1

      Ditto. Also, wireless.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. Hard coded creds AND telnet as a service? Plz by adosch · · Score: 3, Interesting

    So hard-coded credentials AND MF telnet? Seriously ladies and gentlemen, WTF is slapping the OS stack on these IoT devices? Was someone just that lazy with their firmware we couldn't take that out of busybox/toybox or heaven forbid strip that out of the development pipeline when you're cutting out the production firmware for mass use? I realize it's handy when you're developing it, but this is just lunacy anymore. I thought we all went over this as hardened, grey sys-admins now that telnet had died a long time ago in the 90's...

    I don't even think I want to get started about hard-coded credentials, and I'm not going to. All I can say now is: Thanks for making it unbelievably EASY for anyone putting yet another bot network to compromise more low hanging fruit. Even if it's not used in that, I'm sure all the Shodan fans will love it.

    I'm just whine-ranting now, but is anyone has F blown away as me that shit like this STILL continues to happen?

  6. Not just Sony by product_bucket · · Score: 3, Informative

    Lots of the big name security brands are running the same basic NetSurveillance WEB firmware underneath their skinned interface. I'm thinking particularly of the brand that makes flight data recorders... and cordless doorbells. I wonder if people would pay serious money for a IPTV network if they knew it's just a re-badged Mirai host.

    How do I know? They hit me 24/7, I'll be worried about the connectivity of the internet if they ever stop.

  7. 80 models? by AndyKron · · Score: 1

    WTF does a company need with 80 models of cameras? Isn't 57 enough?

    1. Re:80 models? by PRMan · · Score: 1

      It was for Heinz...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:80 models? by Anonymous Coward · · Score: 0

      In communist china 57 isnt enough. Since sony probably didnt design all these they can just rebrand any crap camera made by some chinese subcontractor. Plenty of subcontractors in china to choose from.

  8. A "patch"... as if they are fixing something by Anonymous Coward · · Score: 1

    [quote]Sony released a patch to the affected camera models last week.[/quote]

    Don't buy it. As far as Sony was concerned, this was a "feature" they agreed to put in the camera to allow access by state actors. The feature only become a security bug once the public found out about the program.

  9. The company that rootkitted Windows from audio CDs by mr_mischief · · Score: 4, Insightful

    So the company that put Windows rootkits on Redbook audio CDs puts backdoors in other products? Stunning!

    The company that sold the PSP 1000 to early adopters at $250+ per unit based on all the things it would be able to do with expansions, then released expansions that only worked with later models doesn't take their customers' needs seriously? Shocking!

    The company that advertised Linux on the PlayStation 3 then made it impossible to use Linux if you installed most of the newer PS/3 games stomps on their promises? Inconceivable!

    Or... oh, wait... no, that's not it. The surprising part is that anybody trusts these shady jerks at all.

  10. Re:Hard coded creds AND telnet as a service? Plz by Anonymous Coward · · Score: 0

    Security has no ROI.

  11. Invisible hand of the free market by Anonymous Coward · · Score: 0

    Clearly, the solution to these insecure products is less regulation by the government!

    1. Re:Invisible hand of the free market by Anonymous Coward · · Score: 0

      ..or just less collusion between the state and corporates.

  12. Openipcam.com local lan only, plenty of choices by raymorris · · Score: 1

    The first result in my Google search for "open ip camera firmware" looked pretty promising, so I'm guessing you have another requirement that none of those cameras meet? Using the open firmware DOES mean upgrading from the factory firmware, is that a major issue?

    > Sent a video feed to other device on my network.

    If your firewall or vlan restricts it to your local network only, how important is future firmware support? If it works today, with a standard/open protocol such as mpeg, and it's not connected to the internet, what future upgrades can be so important?

  13. Re:Openipcam.com local lan only, plenty of choices by gQuigs · · Score: 1

    >Using the open firmware DOES mean upgrading from the factory firmware, is that a major issue?

    I did review openipcam.com before asking, but yes, I would prefer if the camera vendor was actually involved.

    >If your firewall or vlan restricts it to your local network only, how important is future firmware support? If it works today, with a standard/open protocol such as mpeg, and it's not connected to the internet, what future upgrades can be so important?

    Good point. In the simple case this would just mean it has no "Cloud" functionality - or I get VLAN support in my next router..

  14. Not cracked by plover · · Score: 3, Interesting

    So they have an MD5 hash, but don't know what value hashes to it. They have no idea if it's a 10 character '1234567890' password or a 64 character string of random bytes. They also know that it's not a string that Google has already found and cached. The only clue they have to go on is the existing backdoor they found that turns telnet on, which uses 11 random ASCII characters as the secret. But 11 characters are almost out of reach for brute force password testing. If the person who put the backdoor in applied only the same amount of thought to the secret password, that would still be a monster to attack with brute force.

    So I disagree that it's a matter of time. I think it's a matter of defeating it in another way, such as having Wireshark running when someone who actually knows the password types it in; or uncovering a wikileaked document that contains the secret backdoor password.

    --
    John
    1. Re:Not cracked by Anonymous Coward · · Score: 0

      sorry but that is bullshit. 11 characters on a single computer is only a 6- 10 of years of processing. In todays world of distributed computing 11 characters could easily be cracked in days by a relatively small botnet of dedicated hosts if someone really wanted the password.

    2. Re:Not cracked by gravewax · · Score: 1

      1000+ machine botnet and your almost out of reach password will be reached in a couple of days.

    3. Re:Not cracked by Anonymous Coward · · Score: 0

      I think you are working off some very dated information. 11 character passwords are easily brute forced by those with funds/equipment to do it. Most of the information you see about brute force speeds works in the billions of attempts per hour. even 5 years ago someone had put together a 25 GPU machine that could do 300+ billion per second which with even the largest character sets including all special characters numbers and upper and lower gives around about 97000 days of processing. GPU tech has massively moved forward since then and combine that with distributed computing 11 characters can easily be done by bad guys with resources in days.

    4. Re:Not cracked by Anonymous Coward · · Score: 0

      I'm not sure you have communicated effectively here. You seem to be saying that brute forcing an 11 character password is 'no problem'.

      OK, but 97,000 days to brute force such a password amounts to 265.6 years of compute time. And even if GPU tech has "massively moved forward since then", in the 5 years subsequent, this does not instill confidence in the reader.

      I know that there are ways to limit the search space, bring more resources to bear and all that, but it's about you making that case. And you haven't made it with your '97000 days' comment.

  15. Let me guess - the login is $SYS$Sonypwned. by mmell · · Score: 1

    Just a guess.

  16. Re:Hard coded creds AND telnet as a service? Plz by epyT-R · · Score: 1

    It was likely left there on purpose.

  17. On Linksys, click Access Policy by raymorris · · Score: 1

    Without VLANs, you list devices are not allowed to access the internet. On Linksys, it's called Access Policy.
    http://www.linksys.com/ph/supp...

    Netgear probably has the same capability.

  18. Telnet? by wjcofkc · · Score: 1

    It never ceases to amaze me when I read about such exploitable devices only to find out that the exploitable service should not exist in any way shape or form on the device to begin with. Telnet? Telnet? It's like the people designing these things are all proud that they got Linux up and running on it on only their fifth try, and the watched then movie Hackers as a reference for configuring it.

    --
    Brought to you by Carl's Junior.
  19. Re:The company that rootkitted Windows from audio by Anonymous Coward · · Score: 0

    Its Sony, put a few flashy ads on TV and people go buy the next round of products.

    Clearly not enough people wanted Linux on their PS3, otherwise Sony would of a) not taken it away or b) put it back on there.

    The PlayStations are the only Sony "lock in" type product ? You dont have to buy Sony Tvs, Cameras, and Walkmans etc.

    Personally I wasn't going to buy another PlayStation after the PS2, couple months ago I'm walking past the big electronics recycle bin (I'm sure it just gets put on a ship and dumped in some 3rd world country) on the service level at work, I must of been the first to see it, but there was a PlayStation 3 sitting atop the pile, hard drive removed, and a DHS (they're in our building somewhere) evidence sticker with the important details blacked out. So I took it home, bought a controller, put an spare SSD into it, fiddled around with the firmware download to USB stick trick, and it works. So there you are, one deported mans evidence is another's free PS3.

  20. I wish by JustAnotherOldGuy · · Score: 1

    I wish I could say "I'm shocked!", but I can't because I'm not.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  21. Have they tried "admin"? by Anonymous Coward · · Score: 0

    The default account on most cameras is admin/admin, important to note that it is case sensitive for the username as well since they usually run Linux without properly disclosing such under GPL terms.

  22. Where is the problem? by Opportunist · · Score: 1

    Nobody who has at least a passing interest in security buys Sony products anymore, and everyone else very obviously doesn't care about security.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  23. Re:The company that rootkitted Windows from audio by Anonymous Coward · · Score: 0

    What always stuns me is the Sony Fanbase, especially with playstation where they will adamantly defend Sony as a champion of the consumer or the only trustworthy company despite PSN hacks, rootkits, security disasters, PS3 Linux and now this. I am sure you will find plenty of defenders for them though.

  24. Sony has been hacked many times by Anonymous Coward · · Score: 0

    11 random ASCII characters in the possession of Sony Corp is safe because its 11 characters?

    Yet Sony has been hacked many times (e.g. November 2014 Sony Pictures), and certainly state actors would have grabbed that password by intercepting emails. If one has it, say NSA, then all have it either by information sharing or via political control (Think Trump's buddies in the FSB that helped him steal the Presidency by hacking swing states electoral rolls, and DNC emails.... now he's President, they get all the backdoor passwords available to the executive branch).

    And given the security in NSA (2 million security cleared people!) where Snowden walked out with their data, it means lots of people will have it, simply because its only as good as their sieve security.

    So yeh.... secure.......not!

  25. Re: Lorex security cameras just as bad max passwor by Anonymous Coward · · Score: 0

    And no security? If securty takes up only 0 bytes then it'll fit there.