Sony has closed a debug backdoor in 80 of its web-connected surveillance cameras, which, if exploited, could have granted admin access to those devices.
Sony’s fifth-generation Ipela Engine IP CCTV enterprise cameras have been flagged as the offending devices, with the vulnerability being uncovered by Austrian information security company SEC Consult.
SEC Consult found that the firmware of these cameras contained two hardcoded, permanently enabled accounts in the built-in admin console.
They found that these accounts, when used with magic strings in the URL, unlock telnet access, theoretically allowing admin access to the camera via a command line.
More recent models were shown to allow the opening of an SSH server as well.
According to a blog post, SEC Consult believes that these backdoors were purposely built into these devices, perhaps as a way to debug devices during development or factory functional testing.
SEC Consult said that such a vulnerability could allow attackers to gain a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images or video, add cameras into a Mirai-like botnet or simply spy on the cameras' owners.
Sony has since addressed the vulnerability and issued a firmware update for the affected cameras.
In a statement, the electronics giant said: “We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras.”