Backdoors, Zero-Day Flaws Found in IoT Cameras Made by Sony, Others
Security researchers discover significant vulnerabilities in two separate lines of surveillance video cameras that could allow them to be hacked or made part of an internet of things botnet, researchers say.Two security researchers working separately are warning consumers and enterprises that network-connected video cameras from different manufacturers may not be secure, after researchers found vulnerabilities and backdoor code in the devices that could allow attackers to create internet-of-things botnets or spy on the users. In a research note published on Dec. 6, security firm SEC Consult stated that 80 models of cameras sold under the Sony brand have a backdoor that could allow attackers to take complete control of the devices. In a separate study published the same day, researchers for security firm Cybereason detailed their discovery of two zero-day vulnerabilities in white-box video cameras sold under various brand names on sites such as Amazon and eBay. Hundreds of thousands of devices connected directly to the Internet are vulnerable, and even more may be accessible through a peer-to-peer service, Amit Serper, principal security researcher with Cybereason, told eWEEK. “In about six hours, we came up with two zero-days that allow us to get the password for the camera, no matter how complex it was,” he said. “I’ve reversed engineered hundreds of these types of devices, and this is the worst that I’ve ever seen.”
Serper and Cybereason have attempted to contact the manufacturer, but have not had any luck and there is no fix for the camera. Cybereason recommends that users dispose of the devices instead of continuing to use them.