Software development is an iterative process. Dozens or even hundreds of times a day, a developer will re-compile their code, upload it to a test device, test, and iterate through this process in order to add features and remove bugs from the software. They’ll usually have a preset development password and automated processes that allow them to test the code without having to re-enter the password manually every single time.
However, time and time again, we’re seeing vulnerabilities in security devices caused by these development passwords and development backdoor access. The passwords aren’t readily viewable or discoverable. In the case of Sony’s IPELA Engine IP camera, though, security researchers identified a hashed password, along with testing credentials that could be used to enable a log-in service for those cameras. While the development password hasn’t been discovered, it’s only a matter of time until it’s cracked.
This was the latest of dozens of announced camera and surveillance system vulnerabilities, themselves part of hundreds of vulnerabilities found in network-connected devices and appliances in the last two years. Once a camera is compromised, a hacker can start analyzing activity on the rest of your network and use the camera as a launch point for attacks on your data.
Sony has released a firmware update, but most owners of this system are unaware of the issue, or of vulnerability issues on other devices connected to their network. Contact RWA to schedule a free health check, and we’ll analyze the state of your network, devices, servers, and workstations and work with you on the next steps to secure your environment and protect your investments in information technology.