Sony closes back door in IoT-connected surveillance cameras

Sony has closed a back door in a number of its surveillance cameras connected to the Internet of Things (IoT).

Revealed by security firm SEC Consult, the vulnerability could have allowed hackers to gain admin access to the devices.

The affected Sony IPELA Engine IP Cameras are typically used by businesses and authorities, so sensitive data would have been compromised if they had been attacked.

According to SEC Consult, attackers could “use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you”.

The company added: “This vulnerability affects 80 different Sony camera models. Sony was informed by SEC Consult about the vulnerability and has since released updated firmware for the affected models.”

In its advisory, SEC Consult said: “Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other functionality, allow an attacker to enable the Telnet/SSH service for remote administration over the network. Other available functionality may have undesired effects to the camera image quality or other camera functionality.”

The company explained that the vulnerabilities are “exploitable in the default configuration over the network”. Exploitation over the internet is possible if the web interface of the device is exposed, it added.

Sony has since issued a firmware update, which eliminated the vulnerability. In an acknowledgement on its website, Sony said: “We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras.”

The reported vulnerability has raised questions about the security of the IoT. It follows a planned attack on the IoT in which cameras and other connected devices were hacked, causing a massive internet outage in the US.