Sony’s Professional Grade IPELA Cameras Vulnerable To Mirai Botnet Recruitment Via Backdoor Exploit

Over the past few months, we’ve witnessed the Mirai botnet wreak havoc with IoT devices like consumer webcams, DVRs and security cameras. These often budget-minded devices were often equipped with insecure software or employed security countermeasures that were easily overpowered.

However, we’re learning today that it isn’t just cheap consumer devices that are susceptible to attacks — even high-end equipment can be compromised if a hacker has enough motivation to dig for exploits. Such is the case with Sony’s professional grade IPELA Engine IP cameras. According to SEC Consult, a backdoor was found on these cameras that would allow a would-be attacker to inject code and further penetrate a network.

sony ipela

Considering that these cameras are used by businesses and government institutions, such a vulnerability is rather severe and should not be taken lightly. “An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you,” writes SEC Consult.

As of this writing, 80 different Sony cameras are vulnerable to this backdoor. Access to the cameras is made possible by two separate login accounts that are not listed in documentation for the IPELA cameras: primana and debug. Using the username/password combination of primana/primana or debug/popeyeConnection grants access to the cameras. The backdoor allows hackers login via Telnet/SSH and gain full access to the Linux shell with root privileges.

It’s only a matter of time before these username/password combinations make their way into Mirai’s master list, turning these high-end cameras into mindless zombies.

“We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an "unauthorized third party" like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755),” SEC Consult continues.

SEC Consult first contacted Sony about the backdoor in October, and Sony released updated firmware for affected cameras on November 28th (which can be downloaded here). The question now is how many of the corporations and governments that operate these cameras know that they are vulnerable and that there is firmware to mitigate the security risk?