The unprecedented denial-of-service attacks powered by the Mirai Internet of Things worm have harnessed crappy, no-name CCTVs, PVRs, and routers to launch unstoppable floods of internet noise, but it’s not just faceless Chinese businesses that crank out containerloads of vulnerable, defective-by-design gear — it’s also name brands like Sony.
A new report from SEC Consult reveals that Sony’s enterprise-grade IPELA Engine IP Cameras (intended for use by government agencies and businesses) have a seemingly deliberate backdoor that has been present for at least four years, which takes the form of two undocumented accounts called "primana" and "debug." Once these usernames are added to Mirai’s arsenal of login/password guesses, the worm will find it easy to take them over, too.
That’s significant for two reasons: first, because it represents a large pool of vulnerable devices that can make Mirai attacks even worse, and second, because Mirai doesn’t need to confine its mischief to harnessing one person’s device to attack another person — Mirai could be modified to take over vulnerable devices and use them to stage attacks on other devices on the local network. A vulnerable device on your LAN is a potential gateway to all its systems, and that’s bad news for the grownup businesses and agencies that trusted Sony over no-name cheapie vendors.
Of course, that doesn’t mean you’re better off buying no-names! Cybereason reports that it’s found equally devastating vulnerabilities in white-label IP cameras sold under many different brand names on eBay and Amazon — these cameras can be taken over via the internet through the shared password "888888" — and these devices default to opening holes in your firewall through a peer-to-peer NAT traversal service. That means that they’re vulnerable even if you have them behind a firewall.
These white-label devices are especially pernicious because it’s hard to produce a list of all the vulnerable systems, as they traffic under so many names. Last March, Rotem Kerner revealed that a single Chinese manufacturer was behind over 70 different brands of vulnerable DVRs that thieves had used to break into merchants’ networks to monitor their CCTVs and plan their robberies.
But Cybereason’s team found that they could easily exploit these devices even if they were set up behind a firewall. That’s because all of these cameras ship with a factory-default peer-to-peer (P2P) communications capability that enables remote “cloud” access to the devices via the manufacturer’s Web site — provided a customer visits the site and provides the unique camera ID stamped on the bottom of the devices.
Although it may seem that attackers would need physical access to the vulnerable devices in order to derive those unique camera IDs, Cybereason’s principal security researcher Amit Serper said the company figured out a simple way to enumerate all possible camera IDs using the manufacturer’s Web site.
“We reverse engineered these cameras so that we can use the manufacturer’s own infrastructure to access them and do whatever we want,” Serper said. “We can use the company’s own cloud network and from there jump onto the customer’s network.”
Researchers Find Fresh Fodder for IoT Attack Cannons [Brian Krebs/Krebs On Security]