What a botnet begins with: a dangerous backdoor found in Sony IP cameras

Botnets built from hundreds of thousands of infected devices of the “Internet of Things” have become one of the main trends in the cyber threats of the outgoing year - and apparently will be just as popular next year. However, it is possible to predict such threats (and fight them) several years earlier. Recently, talking about botnets based on DVR systems and webcams , we recalled that our researchers had warned about the vulnerabilities of such devices back in 2013 .

Recently, researchers from SEC Consult discovered a vulnerability that allows you to attack 80 models of Sony IPELA Engine IP cameras, turning them into botnets or using espionage. An interesting feature is that remote access, which is used to attack (Telnet), is disabled in these cameras. However, the backdoor left by the developers allows it to be included by a secret team.
')
As the researchers report, at first they found files containing password hashes for admin and root users in the camera firmware:



The first of the passwords turned out to be quite classic - it coincides with the username (admin: admin). The password for the root user can also be obtained from the hash. Such data can be used to gain access to the device through a physical port, either remotely, via Telnet or SSH - the authors of the Mirai botnet used this opportunity to search for routers with default passwords such as admin: admin.

However, in this case, the situation was more cunning. Formally, Sony cameras do not allow Telnet access. Nevertheless, it turned out that the developers of the camera firmware had left such an opportunity for themselves - apparently, for testing. To do this, they wrote a separate code that launches Telnet in response to a special HTTP request. The username and username used for HTTP authentication (primana: primana) are also embedded in the code:



Thus, an attacker, having received all the authorization codes he needs directly from the firmware files, can remotely upload any malicious code to the IP camera, which gives him a wide variety of possibilities - from banal spying and creating botnets to editing camera records (recall that , millions of these vulnerable devices around the world are called “security cameras”).

Researchers report that Sony has already released firmware updates for vulnerable cameras. However, you need to understand that these updates will not reach the goal soon - because webcams, like many other Internet of Things gadgets, do not have user-friendly interfaces, and the actual update culture of such devices has not yet taken shape.

According to Gartner, by 2020 the number of IoT-devices will reach 20 billion, which means that even more objects will appear for mass attacks.

You can learn more about how the security of the “Internet of Things” should be organized at all stages of its creation and use, at the free webinar of Anton Tyurin, head of the development team of attack detection methods at Positive Technologies. A webinar titled “ How to leave an IoT hacker out of work ” will be held on December 15 at 2 pm on the company's website. Register beforehand .

PS We remind you that very soon, with the support of Positive Technologies, Moscow will take a course on asyncio + aiohttp from Core developer Python Andrei Svetlov.

We want to offer one free ticket to the seminar to the author of the best question for Andrei - the question he chooses himself and will answer it during the course. Send your questions to: asyncio2016@ptsecurity.com .