A backdoor has been detected in Sony IPELA Engine IP Cameras that could enable attackers to gain control and run arbitrary code on the devices.
Once infiltrated, a miscreant could gain access to the network to "launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you," says the report from Austria-based SEC Consult. The flaw affects 80 Sony models of the professional-level cameras, used by enterprises and authorities.
Upon analysis of the code, SEC Consult said it believed the backdoor was embedded by Sony developers purposely – "maybe as a way to debug the device during development or factory functional testing." Sony did not respond to the security consultancy's queries about the purpose of the backdoor.
Sony was notified of the flaw by SEC Consult and has since patched the backdoor with a firmware update, but the bug underscores concerns that security experts have repeatedly expressed about inadequate security in Linux-powered, internet-connected devices, the so-called Internet of Things (IoT).
Sony issued an advisory urging camera owners to update the firmware.