
AMX Harman Disputes Deliberately Hiding Backdoor In Its Products

Control systems for AV, lighting, and other equipment used widely by the White House, Fortune 100, government, and defense agencies likely affected.

Multiple AMX Harman systems used for controlling audiovisual, lighting, heating, and other equipment in Fortune 100 companies, government organizations, and possibly even the White House contain a deliberately hidden backdoor, SEC Consult, a Vienna, Austria-based security consulting firm, warned this week.

But AMX Harman today said the backdoor is not hidden and is merely a legacy diagnostic and maintenance login for customer support of technical issues.

Even so, “during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update,” Harman’s senior director of corporate communication Darrin Shewchuk said in comments to Dark Reading. “We informed our customers and the update was deployed in December 2015.”

According to SEC Consult, someone with knowledge of the backdoor could use it to gain complete control of the vulnerable equipment and gain privileges on the system and the associated network segment that even the system administrator would not have.

Johannes Greil, the head of SEC Consult’s vulnerability lab, said the backdoor is rigged such that the system tries to actively hide it from user management interfaces. He said SEC first contacted AMX Harman about the issue last March, and the company issued a new version of the software allegedly addressing the problem about seven months later.

However, an inspection of the new version revealed that the only thing AMX Harman had done was to rename the hidden account from “BlackWidow” to “1MB@tMaN,” which is leet-speak for “I am Batman.”

“They didn’t change the password, only the user name,” Greil told Dark Reading today. “Someone with knowledge of the backdoor could completely compromise the affected devices over the network, and due to the highest privileges of the backdoor account, also start sniffing attacks within the network segment,” he says. 

The impact of such an attack would depend on the network configuration of the customer, Greil says. Typically, most of the affected devices are used within internal networks, but that doesn’t mean they cannot be reached from the outside if the network segmentation is weak. Some organizations are also likely to have made the system accessible via the Internet, according to Greil.

Also, many AMX touch panels are Ethernet-connected or reachable over some wireless connection, and can communicate with a vulnerable controller. “If you use the same network socket, for example, within a meeting room and don't have any extra security controls in place, an attacker could maybe also start from there,” Greil says.

SEC Consult made several attempts in subsequent months to get AMX to address the issue. AMX itself today claimed it had issued an update that eliminated the backdoor back in December. But according to SEC’s vendor contact timeline, AMX did not issue a hotfix until January 15, about two days before the security firm alerted local CERT teams and US-CERT to the issue.

Because the hotfix was released without SEC Consult being notified, the company has not had a chance to verify if it really works on all affected products, Greil says.

AMX’s Shewchuk disputed SEC’s claim that it had merely changed the login name from “BlackWidow” to “1MB@tMaN” when it issued the first software update last year. “1MB@tMaN was an entirely different internal feature that allowed internal system devices to communicate,” he says. “It was not an external login nor was it accessible from outside of the product.”

“The only connection was the fact that our software update that eliminated ‘Black Widow’ also provided an update to the ‘1MB@tMaN’ internal capability that eliminated this name,” he says.

AMX Harman is part of Harman Professional Division, a manufacturer of professional AV, entertainment, lighting, and control systems. AMX, which bills itself as a vendor of “AV for the IT world,” has numerous customers among Fortune 100 companies, universities, and government agencies.

Its list of government customers in the US includes the White House Press Secretary’s Office, the US Air Force’s Andrew’s Joint Air Force Base, US Marine Corps Tactical Services, and the Naval War College. Several of the affected products are tested and certified for use by the US DoD.

Greil says his company stumbled upon the issue when doing a crash-test analysis on an AMX NX-1200 system, a programmable network device used to control AV equipment and building technology in relatively small facilities.

While analyzing the application binary, SEC Consult uncovered a function called “setUpSubtleUserAccount,” which, when called, adds an administrative account to the internal user database.

“Functions to retrieve a list of all users in the database were found to deliberately hide this user,” SEC Consult said in its advisory. Further investigation showed at least 30 other AMX products to have the same issue.

Greil declined to speculate on the possible reasons why a manufacturer would include such a hidden backdoor account. “We only found evidence that it has been put there on purpose. It is deliberately hidden in the user management interface - hence it most likely is not some leftover from development.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Christian Bryant
1/23/2016 | 12:34:48 PM
Software Accountability and Opened Sources
Seems this is going to be the year of mega corporations being held accountable for hidden access points, undocumented data mining and data reporting fraud.  At least, let's hope it will be.  You see, for years we (Free and Open Source Software [FOSS] advocates) campaigned for the source to be freed, for software to be opened up by companies like Microsoft, Sun Microsystems and Apple.  There was some progress, but for the most part it's still a closed digital world out there.  Sadly, for companies who continue to incorporate hidden "features" like this to be found out, it takes hacking, reverse engineering and other methods to expose them.  

Now, I'm not going to pull out my FOSS soap box, but shouldn't this tell you something? With the recent Volkswagen exposure - unconscionable, by the way - we as an industry need to start holding corporations accountable, and stop allowing them to ask for these types of "features". I'm sure not all software engineers have a conscience, but I know the great majority of us do. Money might be the root of all evil, but someone is writing the code that is allowing the mega corporations to pull these dastardly deeds off. While AMX Harman may not be at the same level of wrong-doing as Volkswagen's acts, it still reveals a level of apathy that will keep us in this mess unless the industry takes a stand.

To the mega corporations and the people who made the decisions to do these things, remember, you use software, too...