04:10 PM
Connect Directly

AMX Harman Disputes Deliberately Hiding Backdoor In Its Products

Control systems for AV, lighting, and other equipment used widely by the White House, Fortune 100, government, and defense agencies likely affected.

Multiple AMX Harman systems used for controlling audiovisual, lighting, heating, and other equipment in Fortune 100 companies, government organizations, and possibly even the White House, contain a deliberately hidden backdoor, SEC Consult, a Vienna, Austria-based security consulting firm warned this week.

But AMX Harman today said the backdoor is not hidden and is merely a legacy diagnostic and maintenance login for customer support of technical issues.

Even so, “during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update,” Harman’s senior director of corporate communication Darrin Shewchuk said in comments to Dark Reading. “We informed our customers and the update was deployed in December 2015.”

According to SEC Consult, someone with knowledge of the backdoor could use it to gain complete control of the vulnerable equipment and gain privileges on the system and the associated network segment that even the system administrator would not have, the security firm said.

Johannes Greil, the head of SEC Consult’s vunerability lab, said the backdoor is rigged such that the system tries to actively hide it from user management interfaces. He said SEC first contacted AMX Harman about the issue last March, and the company issued a new version of the software allegedly addressing the problem about seven months later.

However, an inspection of the new version revealed that the only thing AMX Harman had done was to rename the hidden account from “BlackWidow” to “[email protected]," which is leet-speak for "I am Batman."

“They didn’t change the password, only the user name,” Greil told Dark Reading today. “Someone with knowledge of the backdoor could completely compromise the affected devices over the network, and due to the highest privileges of the backdoor account, also start sniffing attacks within the network segment,” he says. 

The impact of such an attack would depend on the network configuration of the customer, Greil says. Typically, most of the affected devices are used within internal networks, but that doesn’t mean they cannot be reached from the outside if the network segmentation is weak. Some organizations are also likely to have made the system accessible via the Internet as well, according to Greil.

Also, many AMX touch panels are Ethernet-connected or reachable over some wireless connection, and can communicate with a vulnerable controller. “If you use the same network socket, for example, within a meeting room and don't have any extra security controls in place, an attacker could maybe also start from there,” Greil says.

SEC Consult made several attempts in subsequent months to get AMX to address the issue. AMX itself today claimed it had issued an update that eliminated the backdoor back in December. But according to SEC’s vendor contact timeline, AMX did not issue a hotfix until January 15, about two days before the security firm alerted local CERT teams and US-CERT on the issue.

Because the hotfix was released without SEC Consult being notified, the company has not had a chance to verify if it really works on all affected products, Greil says.

AMX’s Shewchuk refuted SEC’s claim that it had merely changed the login name from Black Widow to [email protected] when it issued the first software update last year. “[email protected] was an entirely different internal feature that allowed internal system devices to communicate,” he says. “It was not an external login nor was it accessible from outside of the product.”

“The only connection was the fact that our software update that eliminated 'Black Widow' also provided an update to the “[email protected]” internal capability that eliminated this name,” he says.

AMX Harman is part of Harman Professional Division, a manufacturer of a professional AV, entertainment, lighting, and control systems. AMX, which bills itself as a vendor of “AV for the IT world," has numerous customers among Fortune 100 companies, universities, and government agencies.

Its list of government customers in the US include the White House Press Secretary’s Office, the US Air Force’s Andrew’s Joint Air Force Base, US Marine Core Tactical Services, and the Naval War College. Several of the affected products are tested and certified for use by the US DoD.

Greil says his company stumbled upon the issue when doing a crash-test analysis on an AMX NX-1200 system, a programmable network device used to control AV equipment and building technology in relatively small facilities.

While analyzing the application binary, SEC Consult uncovered a function called "setUpSubtleUserAccount," which when implemented adds an administrative account to the internal user database.

“Functions to retrieve a list of all users in the database were found to deliberately hide this user,” SEC Consult said in its advisory. Further investigation showed at least 30 other AMX products to have the same issue.

Greil declined to speculate on the possible reasons why a manufacturer would include such a hidden backdoor account. “We only found evidence that it has been put there on purpose. It is deliberately hidden in the user management interface - hence it most likely is not some leftover from development.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/23/2016 | 12:34:48 PM
Software Accountability and Opened Sources
Seems this is going to be the year of mega corporations being held accountable for hidden access points, undocumented data mining and data reporting fraud.  At least, let's hope it will be.  You see, for years we (Free and Open Source Software [FOSS] advocates) campaigned for the source to be freed, for software to be opened up by companies like Microsoft, Sun Microsystems and Apple.  There was some progress, but for the most part it's still a closed digital world out there.  Sadly, for companies who continue to incorporate hidden "features" like this to be found out, it takes hacking, reverse engineering and other methods to expose them.  

Now, I'm not going to pull out my FOSS soap box, but shouldn't this tell you something?  With the recent Volkswagen exposure - unconscionable, by the way - we as an industry need to start holding corporations accountable, and stop allowing them to ask for these types of "features".  I 'm sure not all software engineers have a conscious, but I know the great majority of us do.  Money might be the root of all evil, but someone is writing the code that is allowing the mega corporations to pull these dastardly deeds off.  While AMX Harman may not be at the same level of wrong-doing as Volkswagen's acts, it still reveals a level of apathy that will keep us in this mess unless the industry takes a stand.

To the mega corporations and the people who made the decisions to do these things remember, you use software, too...
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.