Yet Another IoT Device with Hardcoded Credentials
Last month the Mirai botnet took down Twitter, Amazon and hundreds of other web sites by compromising cheap Chinese web cams and weaponizing them. While the attack was very interesting and could have been a lot worse, I attributed it to it being a cheap Chinese web cam. Hundreds of thousands of them.
Now an Austrian cyber security firm has found a similar but maybe worse issue in a line of expensive Sony Professional IP cameras. The cameras, Ipela Engine cameras, are likely quite expensive.
So what is the problem?
First, there are two hardcoded userid/passwords in the web interface, so if that is exposed to the Internet, anyone who can see it can take over the camera. The hardcoded credentials are:
- debug/popeyerConnection and
- primana/primana
These accounts CANNOT be disabled.
Second, by knowing these accounts, you can enter some fancy URLs in the browser and turn on Telnet on the device. The strings are:
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk
Sixth-generation cams use the magic string “himitunokagi”, which is Japanese for “secret key”.
This means you will have to do a bit of playing around, but not a whole lot of playing.
Apparently, the Root (admin) password is also hard coded, so if you can crack them, once you have telnetted in, you now are an admin on the device. The hardcoded password hashes are:
- $1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)
- iMaxAEXStYyd6 (gen-6 models)
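An added example, not part of the original post or any vendor tooling: a Python check that classifies the password field of passwd-style lines from an unpacked firmware image and flags the schemes the two hashes above use (MD5-crypt with an empty salt, and 13-character DES crypt). The passwd lines, account fields and function names are constructed for illustration; only the two hash strings come from the post.

```python
import re

MCF = re.compile(r"^\$(1|5|6)\$(?:rounds=\d+\$)?([./0-9A-Za-z]*)\$([./0-9A-Za-z]+)$")
DES = re.compile(r"^[./0-9A-Za-z]{13}$")
MCF_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
WEAK = {"descrypt", "md5crypt"}

def classify(field):
    """Return (scheme, salt) for the password field of a passwd/shadow line."""
    if field == "":
        return ("empty", None)          # account logs in with no password
    if field == "x":
        return ("shadowed", None)       # real hash lives in /etc/shadow
    if field[0] in "*!":
        return ("locked", None)
    m = MCF.match(field)
    if m:
        return (MCF_NAMES[m.group(1)], m.group(2))
    if DES.match(field):
        return ("descrypt", field[:2])  # first two characters are the salt
    return ("unknown", None)

def audit(passwd_text):
    """List (user, scheme, problem) for every risky entry baked into an image."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        scheme, salt = classify(field)
        if scheme == "empty":
            findings.append((user, scheme, "no password set"))
        elif scheme in WEAK:
            note = "weak hash scheme"
            if salt == "":
                note += ", empty salt"
            findings.append((user, scheme, note))
        elif scheme == "unknown":
            findings.append((user, scheme, "unrecognised hash format"))
    return findings

# Constructed passwd files: only the two hash strings come from the post.
GEN5 = "root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:root:/root:/bin/sh\nnobody:*:99:99::/:/bin/false\n"
GEN6 = "root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh\n"

if __name__ == "__main__":
    for name, text in (("gen-5", GEN5), ("gen-6", GEN6)):
        for finding in audit(text):
            print(name, *finding)
```

Because the same hash ships in every unit of a firmware version, any finding here applies to the whole product line rather than to one device.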
The devices also have a default admin account – user admin, password admin, although a person CAN change these credentials if they want to. They do not have to.
The article link below lists models and firmware versions that are vulnerable if you own one of these cameras.
I think the important thing here is that Sony is not some obscure Chinese sweatshop. They are a reputable brand.
How many buyers of these cameras will find out about the vulnerabilities and the patches?
Worse yet, how many of them will go through the brain damage to figure out how to patch the cameras?
This means that likely, some large percentage of these cameras will be vulnerable until they are crushed in a landfill in 10 years.
And if Sony cameras are vulnerable, what other cameras or other IoT devices are also vulnerable? Hackers are not going to reverse engineer every device out there and announce what they have found.
The vulnerability will allow an attacker to use the camera to attack other networks with impunity since webcams don’t have any audit trail and therefore, finding who hacked the camera is basically impossible.
The vulnerability will also allow an attacker to use the camera to attack ALL of the other devices on the owner’s network, potentially stealing all of the owner’s data or launching a ransomware attack on the owner.
Other than that, this is not much of a problem.
As I have been saying, people using IoT devices need to take extra precautions to protect themselves.
Information for this post came from The Register.