
Hardcoded passwords...
Still being used in 2016? Seriously? See icon -------------------------------->
Sony has killed off what, charitably, looks like a debug backdoor in 80 of its web-connected surveillance cameras that can be exploited to hijack the devices. The hardcoded logins can be potentially used by malware, such as variants of the Mirai bot and its ilk, to automatically and silently commandeer swathes of Sony-built …
One of the first items on PCI-DSS whenever I've looked at it is "no default passwords on the secure network".
But this isn't a default password, as such. This is a hardcoded backdoor password that always works and the user has no control over.
That's just stupidity, and the manufacturers should be sued into oblivion for it.
@Lee D wrote: This is a hardcoded backdoor password that always works and the user has no control over. That's just stupidity, and the manufacturers should be sued into oblivion for it.
I don't think this is stupidity, I think this is deliberate. Think about it - this isn't for debugging purposes. Did whoever wrote the code deliberately leave a backdoor so they could have some future fun? Isn't that what this looks like?
"I don't think this is stupidity, I think this is deliberate."
The vastly more likely reason is that devs need a way to debug the device and in their infinite wisdom chose badly. I've written code for all kinds of embedded devices and this sort of thing is all too common. It's not malicious, just poor practice.
If the government or individuals wanted to screw with devices they could do it in a far more surreptitious way than this. The simplest would be a port knock which makes the device look secure until certain ports are tapped in the right order and then it launches an ssh server. This is often used in remote devices that need remote service access so it's not something exotic or hard to do for someone with more malicious intentions.
Security isn't one thing either. It probably wouldn't have been bad to open telnet providing someone could only log in with limited permissions but providing root access makes it clear the devs were clueless. See my previous post - root access should never be necessary in the field and it's easy to set the root password to something random and unknown and disable root logins altogether. If devs needed debug access they could have gotten it with a login that only let them clear logs, edit app config files and suchlike.
It's laziness, at all levels, signed off by senior management. It could be stopped but it won't be.
Methinks that kind of thing is a Requirement, like the Lawful Interception functionality embedded in all telecom sold since around the 1980s. It's part of classified legislation, which is why we don't see it.
Companies did the usual job: the bare minimum implementation required to meet the letter of the contract, like they did with the region coding of DVDs back when someone used DVDs.
Sure, it could be stopped, but then civilisation would immediately succumb to terrorist-paedophile-drugdealers or maybe even the "Marinus Van der Lubbe Firebomb Conspiracy", which used to work before and might work again now we are a post-factual society.
http://www.etsi.org/technologies-clusters/technologies/lawful-interception
It's almost unavoidable to have a hardcoded password for the root / system / superuser but it's easy to render it unusable. Best practice is to set the root password to a very long, randomly generated string, store the salt / hash passwd file in a read-only firmware partition and completely forget what the password ever was. Also disable root login or change the login shell to some null operation.
Then nobody can obtain access to root. Not the devs, not the service engineers, not the user, not the application software, not hackers.
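An audit of that advice, as an added example (not code from the article, Sony or SEC Consult): it parses constructed passwd/shadow samples from a firmware root filesystem and flags accounts that can still be logged into, i.e. a live hash on an interactive shell, an empty password field, or a second uid-0 account. The hash value and account names are constructed placeholders.

```python
"""Audit a firmware rootfs's passwd/shadow for accounts that still permit
login. Added example; the sample files below are constructed, not real."""

# Constructed sample: root locked as the post recommends, a daemon account,
# a leftover debug account with a live hash and an interactive shell, and a
# service account whose password field was left empty.
PASSWD = """\
root:x:0:0:root:/root:/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
debug:x:0:0:debug:/:/bin/sh
www:x:33:33:www:/var/www:/bin/false
"""
SHADOW = """\
root:!:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
debug:$1$saltsalt$PLACEHOLDERHASHxxxxxxxxxx:17500:0:99999:7:::
www::17500:0:99999:7:::
"""

# Shells that refuse interactive login (the "null operation" from the post).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def usable_hash(field):
    """True if the shadow field could ever match a typed password.
    A leading '*' or '!' (including '!!') marks the account as locked."""
    return not field.startswith(("*", "!"))


def audit(passwd_text, shadow_text):
    """Return (account, reason) findings for accounts a field login could use."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hashed = line.split(":")[:2]
            shadow[name] = hashed
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")[:7]
        # 'x' in passwd means the real hash lives in shadow.
        hashed = shadow.get(name, pw) if pw == "x" else pw
        if uid == "0" and name != "root":
            findings.append((name, "extra uid-0 account"))
        if hashed == "":
            findings.append((name, "empty password field"))
        elif usable_hash(hashed) and shell not in NOLOGIN_SHELLS:
            findings.append((name, "live password hash with interactive shell"))
    return findings
```

Run against a real extracted firmware image by reading its etc/passwd and etc/shadow into the two arguments; a clean image returns an empty list.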
"We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said.
Why are Sony grateful to an outside consultancy for reporting backdoors in their firmware to them - is their oversight of their own product development that dreadful?
"We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said.
In other words thanks for airing our dirty laundry and for making us look like a bunch of fools.
Seriously hard coded passwords in 2016? #captainpicarddoublefacepalm
They have no reason to be in there and should not have been put in there in the first place.
Killed off in what sense? Killed off as in taken it out of current production, killed off as in made an upgrade available to punters who actually know an upgrade's available and will install it or killed off as in pro-actively upgraded all vulnerable devices exposed to the net?
The Ver.1.86.00 English language release notes include a description of all the software changes in some detail:
3. Newly Added Functions in Ver. 1.86
3.1. The security has been enhanced.
3.2. ONVIF Ver. 16.07 support
Conformance testing has been passed with ONVIF Device Test Tool Version 16.07.
"You expect this sort of thing from no-name Chinese camera makers, but a high profile company like Sony?"
In the case of that bunch of 0*(^$()%$^^&(*^*(&*%%$^GIUH&^$%^&^H^&%&^%^&*^HBs, most very definitely yes, and worse.
The sooner they spontaneously ignite the better.
Burn, B*s***ds, BURN.
Security is an industry (IoT) wide problem and for me, goes hand in hand with privacy concerns. I take issue with devices that require a server component that gives a company access to information on what I'm doing, where and how etc. All of the information in the servers should be held within my domain, under my control. That means that either it's all encrypted so that only I can access it, or it's held locally on my devices (or both).
Maybe there's a business case for a new company called elgoog. A company that charges a fair price for the services it offers and guarantees (within the bounds of its control) that your data remains your own.
I accept that the IoT servers will always be required so long as residences don't have fixed IP addresses. If elgoog is serious though, it doesn't need much more information than IP address and basic information about the device.
At least I now know of one CCTV cam that has at least some basic security available.
I've been avoiding Sony ever since the DRM rootkit.
"I've been avoiding Sony ever since the DRM rootkit."
I've been avoiding Sony ever since my professional monitor took 5 months to be fixed. I was yelled at on the phone for asking about progress 4 months after handing it over to the local Sony agent. Local computer dealer (Hobart) said: "You reckon that's bad. Mine took 5 months to be fixed and came back with a new fault that took another 5 months to be fixed!"
At least I got my money back on the DRM Sony music CD I purchased. The shop owner (Stefan)* said: "Since you're such a good customer, here's your money back!" and threw the banknotes in my face.
* Everyone in Hobart has a story about Stefan!