Backdoor Account Found In Hardware Sold to White House, Pentagon

A picture of AMX conferencing hardware in use in the White House. (Image courtesy of SEC Consult.)

In-brief: A firm that sells secure conferencing equipment to the U.S. government and military has acknowledged that it shipped software for the device that contained an undocumented “backdoor” account.


AMX, a division of the firm Harman Ltd., issued a software update on Wednesday that finally closes a remotely accessible account that the company claims was used for “debugging” its video conference hardware, including the AMX NX-1200 and other products. The fix came almost one year after the firm was notified of the existence of the back door account by SEC Consult, an independent security research organization.

In an advisory, SEC Consult said the secret, administrative account in the AMX firmware would allow a remote attacker to “completely compromise the affected devices as they can gain higher privileges than even administrative access to the system via the backdoor.”

The discovery is similar to others that have been made by third-party security firms in recent months. In December, the network equipment maker Juniper Networks revealed that a mystery back door program was discovered in software that runs on its NetScreen line of security appliances. Speculation in that incident focused on the NSA or other intelligence agencies. Then, in January, researchers discovered that security appliances shipped by the company Fortinet contained hard-coded SSH logins. The company later explained that the secret administrator accounts were placed in the company’s FortiOS by company engineers, who had implemented a secret method of authentication for logging into FortiOS-powered devices that required the use of a secret passphrase, which was placed within the company’s software.

In the case of AMX, however, the stakes are high. The company is a well-known supplier of video conferencing equipment to the U.S. government and the U.S. military. A list of the company’s customers includes the White House Press Secretary’s Office, the U.S. Army 82nd Airborne Division, the U.S. Air Forces in Europe Space Operations Center, the Centers for Disease Control and Prevention, and so on.

Researchers at SEC discovered the hole while analyzing an AMX application. They found a function within the binary called “setUpSubtleUserAccount” that adds an administrative account to the internal user database. The account can be used to log on to the web interface of the device and to connect via secure shell (SSH). Functions within the AMX firmware that list all users in the database did not disclose the secret account, SEC discovered. And the backdoor account had the ability to access special features not available to traditional administrators, like the ability to capture packets on the device’s network interface via a remote command line interface.

In a blog post describing its discovery, SEC Consult describes a months-long conversation with AMX about the security hole, which it urged the company to close. Among other things, SEC revealed that AMX used the name of a Marvel superhero, Black Widow – a deadly Russian spy – as the name of the hidden, administrator account. Initially presented with SEC’s findings, AMX waited some months before releasing updated firmware that fixed the issue. But SEC discovered that the “fix” was merely a decision to change the secret account’s name from “BlackWidow” to “1MB@tMaN”.
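The two findings above, an account that is added by a setup function but filtered out of the user listing, and a “fix” that only renamed it, are worth seeing side by side from an auditor’s point of view. The following Python is an added illustration, not code from AMX or from SEC Consult’s advisory: the in-memory user store, the `hidden` flag, the listing filter and the audit functions are all constructed assumptions standing in for the firmware internals, which the article does not describe. The account names are the two reported in the article. It shows why an audit that only searches for a previously reported name misses a renamed account, while an audit that diffs what is actually stored against what the management interface lists still finds it.

```python
"""Constructed example: how an account can hide from a user-listing function,
and how an audit that reads the underlying store still detects it.
Nothing here is AMX's or SEC Consult's code; the store layout, the hidden
flag and the function names are assumptions for illustration only."""

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str            # "user", "admin", or the assumed "debug" super-role
    hidden: bool = False  # assumed flag that keeps the account out of listings


@dataclass
class UserDatabase:
    """Minimal in-memory user store (constructed stand-in for a firmware's internal DB)."""
    _users: dict = field(default_factory=dict)

    def add(self, user: User) -> None:
        self._users[user.name] = user

    def raw_records(self) -> list:
        """Everything actually stored, the way an offline firmware/image audit sees it."""
        return list(self._users.values())

    def list_users(self) -> list:
        """Management-interface listing. Mirrors the reported behaviour: accounts
        flagged hidden are filtered out, so an administrator never sees them."""
        return [u for u in self._users.values() if not u.hidden]


def setup_subtle_user_account(db: UserDatabase, name: str) -> None:
    """Stand-in for an undocumented 'debug' account being added at start-up.
    The name is a parameter because renaming it was once offered as the fix."""
    db.add(User(name=name, role="debug", hidden=True))


def audit_by_known_name(db: UserDatabase, known_names) -> list:
    """Naive check: look only for names that were previously reported.
    Shown to demonstrate that a merely renamed account slips past it."""
    stored = {u.name for u in db.raw_records()}
    return sorted(n for n in known_names if n in stored)


def audit_hidden_accounts(db: UserDatabase) -> list:
    """Structural check: diff what is stored against what the listing shows.
    Finds a concealed account regardless of what it is called."""
    visible = {u.name for u in db.list_users()}
    return sorted(u.name for u in db.raw_records() if u.name not in visible)


def build_demo_db(debug_name: str) -> UserDatabase:
    """Constructed device state: two ordinary accounts plus the hidden one."""
    db = UserDatabase()
    db.add(User("administrator", "admin"))
    db.add(User("operator", "user"))
    setup_subtle_user_account(db, debug_name)
    return db


if __name__ == "__main__":
    # Before the rename, then after the rename-only "fix".
    for name in ("BlackWidow", "1MB@tMaN"):
        db = build_demo_db(name)
        print("listing shows:        ", [u.name for u in db.list_users()])
        print("known-name check:     ", audit_by_known_name(db, ["BlackWidow"]))
        print("store-vs-listing diff:", audit_hidden_accounts(db))
```

The practical point for anyone verifying a vendor fix is the second audit: compare the raw credential store extracted from the firmware image with what the device’s own user-management interface reports, and treat any entry present in one but not the other as a finding, whatever its name. A check that only greps for “BlackWidow” would have passed the renamed firmware.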

A few more months of trying resulted in AMX finally removing the back door account altogether with the release of its NX v1.4.65 firmware. The company acknowledged the change in a post on its web page. Among a number of other “specific improvements” in the new firmware were “several enhancements to eliminate potential security vulnerabilities” including “removed debugging account to prevent security vulnerability.”

The new firmware applies to a wide range of AMX’s NX Series Controllers, Massio ControlPads and Enova DVX All in One Presentation Switchers.

Harman, AMX’s parent firm, is a supplier to a wide range of industries. The company was recently in the headlines over security vulnerabilities discovered in the UConnect entertainment system hardware and software it sells to Fiat Chrysler. Harman’s technology was the point of entry for security researchers Chris Valasek and Charlie Miller, who were ultimately able to use vulnerabilities in UConnect to attack critical in-vehicle systems on Fiat Chrysler’s Jeep Cherokee.

Harman has taken steps since then to boost its security capabilities. Most recently, the company announced that it was acquiring TowerSec to enhance the security of its products.