Sony kills off secret backdoor in 80 internet-connected CCTV models

Sony has killed off what, charitably, looks like a debug backdoor in 80 of its web-connected surveillance cameras that can be exploited to hijack the devices. The hardcoded logins can be potentially used by malware, such as variants of the Mirai bot and its ilk, to automatically and silently commandeer swathes of Sony-built …

  1. malle-herbert
    Facepalm

    Hardcoded passwords...

    Still being used in 2016 ? Seriously ? See icon -------------------------------->

    1. wyatt

      Re: Hardcoded passwords...

      What makes me giggle is the amount of customers who work towards being PCI-DSS compliant but keep the default passwords on their systems.

      It's laziness, at all levels, signed off by senior management. It could be stopped but it won't be.

      1. Lee D Silver badge

        Re: Hardcoded passwords...

        One of the first items on PCI-DSS whenever I've looked at it is "no default passwords on the secure network".

        But this isn't a default password, as such. This is a hardcoded backdoor password that always works and the user has no control over.

        That's just stupidity, and the manufacturers should be sued into oblivion for it.

        1. wyatt

          Re: Hardcoded passwords...

          It isn't, I was more looking to point out that it can be either the manufacturer or/and the new owner not securing a device. Until as you suggest, there is a penalty for this which is taken seriously nothing will happen.

        2. Doctor Syntax Silver badge

          Re: Hardcoded passwords...

          "That's just stupidity, and the manufacturers should be sued into oblivion for it."

          This is Sony. They have form with rootkits and didn't get sued into oblivion then.

          1. Pete B

            Re: Hardcoded passwords...

            "This is Sony. They have form with rootkits and didn't get sued into oblivion then."

            No - they just got dropped from my list of possible vendors. I wouldn't consider anything with the Sony name on it since that debacle.

        3. BillG
          Pirate

          Re: Hardcoded passwords...

          @Lee D wrote: This is a hardcoded backdoor password that always works and the user has no control over. That's just stupidity, and the manufacturers should be sued into oblivion for it.

          I don't think this is stupidity, I think this is deliberate. Think about it - this isn't for debugging purposes. Did whoever wrote the code deliberately leave a backdoor so they could have some future fun? Isn't that what this looks like?

          1. DrXym Silver badge

            Re: Hardcoded passwords...

            "I don't think this is stupidity, I think this is deliberate."

            The vastly more likely reason is that devs need a way to debug the device and in their infinite wisdom chose badly. I've written code for all kinds of embedded devices and this sort of thing is all too common. It's not malicious, just poor practice.

            If the government or individuals wanted to screw with devices they could do it in a far more surreptitious way than this. The simplest would be a port knock which makes the device look secure until certain ports are tapped in the right order and then it launches an ssh server. This is often used in remote devices that need remote service access so it's not something exotic or hard to do for someone with more malicious intentions.

            Security isn't one thing either. It probably wouldn't have been bad to open telnet providing someone could only log in with limited permissions but providing root access makes it clear the devs were clueless. See my previous post - root access should never be necessary in the field and it's easy to set the root password to something random and unknown and disable root logins altogether. If devs needed debug access they could have gotten it with a login that only let them clear logs, edit app config files and suchlike.

      2. fajensen Silver badge
        Big Brother

        Re: Hardcoded passwords...

        It's laziness, at all levels, signed off by senior management. It could be stopped but it won't be.

        Me think that kind of thing is a Requirement, like the Lawful Interception functionality embedded in all telecom sold since around the 1980's. It's part of a classified legislation, which is why we don't see it.

        Companies did the usual job: The bare minimum implementation required to meet the letter of the contract, like they did with the region coding of DVD's back when someone used DVD's.

        Sure, it could be stopped, but then civilisation would immediately succumb to terrorist-paedophile-drugdealers or maybe even the "Marinus Van der Lubbe Firebomb Conspiracy", which used to work before and might work again now we are a post-factual society.

        http://www.etsi.org/technologies-clusters/technologies/lawful-interception

      3. Spanker

        Re: Hardcoded passwords...

        Well at the company I've just joined as Infosec policy lead that's exactly what's not going to happen. I'm having great fun taking away toys right now!

    2. DrXym Silver badge

      Re: Hardcoded passwords...

      It's almost unavoidable to have a hardcoded password for the root / system / superuser but it's easy to render it unusable. Best practice is to set the root password to a very long, randomly generated string, store the salt / hash passwd file into a read-only firmware partition and completely forget what the password ever was. Also disable root login or change the login shell to some null operation.

      Then nobody can obtain access to root. Not the devs, not the service engineers, not the user, not the application software, not hackers.
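
Added example, not part of the thread or of any Sony or SEC Consult code: a firmware-review check for the practice described in the comment above, run over a passwd file extracted from an image. The account names, shells and file layout are constructed; the two hash strings are the ones quoted further down the thread and are only classified by format here.

```python
import re

SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"des-crypt", "md5crypt", "empty"}
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def classify(field):
    """Return (scheme, salt) for a passwd/shadow password field."""
    if field == "":
        return ("empty", None)           # account needs no password at all
    if field == "x" or field[0] in "*!":
        return ("no-hash", None)         # shadowed or locked: nothing to audit here
    if field.startswith("$"):
        parts = field.split("$")         # ['', id, salt or params, ...]
        return (SCHEMES.get(parts[1], "unknown"), parts[2] if len(parts) > 3 else None)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("des-crypt", field[:2])  # 2-char salt, password truncated to 8 chars
    return ("unknown", None)

def audit(passwd_text):
    """Return (user, finding) pairs a firmware reviewer should question."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        scheme, salt = classify(pw)
        if scheme == "no-hash":
            continue
        if scheme in WEAK:
            findings.append((name, "weak scheme: " + scheme))
        if salt == "":
            findings.append((name, "empty salt"))
        if uid == "0" and shell not in NOLOGIN:
            findings.append((name, "uid 0 with usable password and shell " + shell))
    return findings

# Constructed passwd file (names and shells are made up for the example).
SAMPLE = """\
root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:root:/root:/bin/sh
root6:iMaxAEXStYyd6:0:0:root:/root:/bin/sh
svc:!:0:0:service:/root:/sbin/nologin
app:x:100:100:app:/var/app:/bin/false
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user, "-", finding)
```

Accounts whose password field is `x` need the same check run against the matching shadow entry, which this example assumes has already been merged in.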

  2. Anonymous South African Coward Silver badge

    ...and this is not even the tip of the iceberg yet.

    Who knows what fun stuff got introduced with the patches?

  3. Smooth Newt Silver badge
    WTF?

    Backdoors in firmware

    "We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said.

    Why are Sony grateful to an outside consultancy for reporting backdoors in their firmware to them - is their oversight of their own product development that dreadful?

  4. adam payne
    Facepalm

    "We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said.

    In other words thanks for airing our dirty laundry and for making us look like a bunch of fools.

    Seriously hard coded passwords in 2016? #captainpicarddoublefacepalm

    They have no reason to be in there and should not have been put in there in the first place.

  5. Doctor Syntax Silver badge

    Sony has killed off ... a debug backdoor

    Killed off in what sense? Killed off as in taken it out of current production, killed off as in made an upgrade available to punters who actually know an upgrade's available and will install it or killed off as in pro-actively upgraded all vulnerable devices exposed to the net?

    1. Smooth Newt Silver badge
      Happy

      Re: Sony has killed off ... a debug backdoor

      The Ver.1.86.00 English language release notes includes a description of all the software changes in some detail:

      3. Newly Added Functions in Ver. 1.86

      3.1. The security has been enhanced.

      3.2. ONVIF Ver. 16.07 support

      Conformance testing has been passed with ONVIF Device Test Tool Version 16.07.

    2. JeffyPoooh
      Pint

      Re: Sony has killed off ... a debug backdoor

      DrS asked "...pro-actively upgraded all vulnerable devices exposed to the net?"

      Making use of the backdoor logins, just one last time?

      1. Anonymous Coward
        Anonymous Coward

        Re: Sony has killed off ... a debug backdoor

        "Making use of the backdoor logins, just one last time?"

        Surely there comes a time when that is the appropriate thing to do, regardless of whatever some stupid laws may say?

  6. druck Silver badge
    Facepalm

    I had hoped for better

    You expect this sort of thing from no-name Chinese camera makers, but a high profile company like Sony? Well I suppose their rootkit team had to go somewhere.

    1. PNGuinn
      Mushroom

      Re: I had hoped for better

      "You expect this sort of thing from no-name Chinese camera makers, but a high profile company like Sony?"

      In the case of that bunch of 0*(^$()%$^^&(*^*(&*%%$^GIUH&^$%^&^H^&%&^%^&*^HBs, most very definitely yes, and worse.

      The sooner they spontaneously ignite the better.

      Burn, B*s***ds, BURN.

  7. NanoMeter

    Looking for password laziness on CCTV cams?

    Search for insecam on Google.

    1. Xamol

      Re: Looking for password laziness on CCTV cams?

      Security is an industry (IoT) wide problem and for me, goes hand in hand with privacy concerns. I take issue with devices that require a server component that gives a company access to information on what I'm doing, where and how etc. All of the information in the servers should be held within my domain, under my control. That means that either it's all encrypted so that only I can access it, or it's held locally on my devices (or both).

      Maybe there's a business case for a new company called elgoog. A company that charges a fair price for the services it offers and guarantees (within the bounds of its control) that your data remains your own.

      I accept that the IoT servers will always be required so long as residences don't have fixed IP addresses. If elgoog is serious though, it doesn't need much more information than IP address and basic information about the device.

      At least I now know of one CCTV cam that has at least some basic security available.

  8. Anonymous Coward
    Anonymous Coward

    Name the movie...

    ...where a scientist played by Kevin Bacon becomes invisible, and blocks everybody access to the facility by deleting the passwords file, after he goes batshit insane from the power abuse of being invisible.

    1. adam.c

      Re: Name the movie...

      Hollow Man - https://en.wikipedia.org/wiki/Hollow_Man

  9. cantanko
    FAIL

    Looks like it was known about in 2013...

    One of those hashes is a near googlewhack - the top result shows someone in a forum searching for a plaintext version back in 2013, so presumably one can assume they've been open to the world since at least then...

  10. The Wild Tomcat

    Plus ça change, plus c'est la même chose

    I've been avoiding Sony ever since the DRM rootkit.

    1. Pompous Git Silver badge

      Re: Plus ça change, plus c'est la même chose

      I've been avoiding Sony ever since the DRM rootkit.
      I've been avoiding Sony ever since my professional monitor took 5 months to be fixed. I was yelled at on the phone for asking about progress 4 months after handing it over to the local Sony agent. Local computer dealer (Hobart) said: "You reckon that's bad. Mine took 5 months to be fixed and came back with a new fault that took another 5 months to be fixed!"

      At least I got my money back on the DRM Sony music CD I purchased. The shop owner (Stefan)* said: "Since you're such a good customer, here's your money back!" and threw the banknotes in my face.

      * Everyone in Hobart has a story about Stefan!

  11. Anonymous Coward
    Anonymous Coward

    Sony - an anagram of Nosy

    A coincidence - I don't think so.

  12. Adam 1

    > you can login as root and get command-line-level access to the operating system if you can crack these password hashes:

    $1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)

    iMaxAEXStYyd6 (gen-6 models)

    ---

    In that case I'll be extra careful to not Google those hashes in a day or two.

  13. Anonymous Noel Coward
    Headmaster

    >himitu

    Sorry to be picky, but the つ in himitsu is read as tsu, not tu.


Biting the hand that feeds IT © 1998–2021