Researchers found two hard-coded accounts and passwords in a large range of Sony’s IP-based security cameras. Attackers with access to these cameras’ web interface could use these credentials to take over the camera, even forcing access to a command-line interface (CLI). With botnets like Mirai actively looking for new victims, these sorts of IoT backdoors could put your IP-based cameras at risk. Watch our Daily Security Byte for the highlights, and if you own vulnerable cameras be sure to check out the firmware updates in the Reference section below.
Episode Runtime: 1:42
Direct YouTube Link: https://www.youtube.com/watch?v=zOKrbBnrzPU
EPISODE REFERENCES:
- SEC Consult’s official advisory – SEC Consult
- Secret backdoor in 80 models of Sony’s IP security camera – The Register
- Blog post detailing Sony IPELA cam backdoor – SEC Consult
- Sony’s firmware updates for affected IP security cameras – Sony
— Corey Nachreiner, CISSP (@SecAdept)
Alex Jones says
Sadly, hard-coded credentials are shockingly common for all sorts of internet-enabled devices. This is far from the first device with hard-coded credentials, and it is far from the last as well.
The one upside in this case is that Sony updated the firmware quickly and a fix is already available.
Corey Nachreiner says
I would hope that “secret” hard-coded accounts and credentials aren’t as common as you suggest. I do agree that default passwords, without mechanisms to force new users to change them immediately, are shockingly common… and that is a problem in itself (usually attackers take advantage of default known accounts and credentials). However, to have an undocumented, highly privileged account hidden on your device (accidentally or not) is even worse. If this is common, we should not accept it.
By the way, like you I do think Sony at least reacted to and fixed this issue quickly once they knew about it.
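One way to catch the kind of undocumented privileged account discussed in the post and the comments before it ships (or before you deploy a device) is to audit the unpacked firmware root filesystem for accounts that can log in but are not on the vendor's documented list. The script below is an added example, not code from Sony, SEC Consult or WatchGuard; the passwd/shadow contents, the account names and the hash values are constructed, and the "documented" set is an assumed input the auditor supplies.

```python
"""Audit an unpacked firmware rootfs for hidden, login-capable accounts.

Added example (not vendor code). Flags accounts whose password field is a
usable hash (not locked) and whose shell allows interactive login, unless
the account is on the documented list. Sample data below is constructed.
"""

LOCKED_HASHES = {"", "*", "!", "!!", "*LK*", "x"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/dev/null"}


def parse_colon_file(text, min_fields):
    """Parse passwd/shadow style lines into {name: fields}; skips comments/blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text, documented):
    """Return [(name, uid, shell, reason)] for undocumented login-capable accounts."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    findings = []
    for name, f in passwd.items():
        uid, shell, pw = int(f[2]), f[6], f[1]
        if pw == "x" and name in shadow:   # hash lives in /etc/shadow
            pw = shadow[name][1]
        if pw in LOCKED_HASHES or pw.startswith(("!", "*")):
            continue                       # locked: no password login possible
        if shell in NOLOGIN_SHELLS or name in documented:
            continue
        findings.append((name, uid, shell, "uid 0" if uid == 0 else "interactive"))
    return findings


# Constructed sample rootfs: root is documented and locked, admin is documented,
# svc_debug is an undocumented uid-0 account with a hash inlined in passwd.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
daemon:x:1:1::/:/sbin/nologin
svc_debug:$1$abc$CONSTRUCTEDHASH:0:0::/:/bin/sh
"""
SAMPLE_SHADOW = """root:!:17000:0:99999:7:::
admin:$6$xyz$CONSTRUCTEDHASH:17000:0:99999:7:::
"""
DOCUMENTED = {"root", "admin"}   # assumed: accounts the vendor manual lists

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, DOCUMENTED):
        print("FLAG: account %s uid=%d shell=%s (%s)" % finding)
```

Run it against the passwd and shadow files pulled from an unpacked firmware image; any line it flags deserves a question to the vendor before the device goes on the network.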