The researchers state that they discovered two different vulnerabilities, one of which affects the web interface that allows an attacker to connect to a camera with a Telnet service. The second flaw makes it possible to compromise the root account, which allows the attacker to take complete control of vulnerable devices and use them to spy, or to disrupt camera functionality, or to launch attacks on other enterprise systems, or to make the devices part of a Mirai-like botnet. According to SEC Consult, the two previously undocumented user accounts — named “primana” and “debug” — could be used by remote attackers to commandeer the Web server built into these devices, and then to enable “telnet” on them. Telnet — a protocol that allows remote logons over the Internet — is the very same communications method abused by Mirai, which constantly searches the Web for IoT (Internet of Things) devices with telnet enabled and protected by factory-default passwords. “We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an ‘unauthorized third party’ like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult wrote. The affected cameras can be attacked over the internet or over the local network, if their Web interfaces are publicly accessible. An online search via the Censys.io search engine revealed that roughly 4,000 Sony security cameras are accessible from the Internet, including many from the United States and Germany, but experts believe the actual number is likely much higher. However, these are likely not all of them and it’s unclear how many are actually vulnerable. “Those Sony IPELA ENGINE IP camera devices are definitely reachable on the Internet and a potential target for Mirai-like botnets, but of course it depends on the network/firewall configuration,” said Johannes Greil, head of SEC Consult Vulnerability Lab. “From our point of view, this is only the tip of the iceberg because it’s only one search string from the device we have.” Brian NeSmith, the founder and CEO of Arctic Wolf Networks, said, “Enterprises need to view this as the canary in the coal mine for IoT security.” He cautions, “Hacking consumer video cameras don’t pose a huge risk, but as more enterprises try to leverage IoT technology and put more devices online, they need to understand they are significantly increasing the attack surface for cyberattacks.” Sony has updated its firmware on November 28 to address the issue after SEC Consult informed the company of its discovery. Sony has also published an advisory to its customers detailing the vulnerable models and recommending them that latest firmware version should be installed. Source: ZDNet