AMX Harman Disputes Deliberately Hiding Backdoor In Its Products

Control systems for AV, lighting, and other equipment used widely by the White House, Fortune 100, government, and defense agencies likely affected.

Multiple AMX Harman systems used for controlling audiovisual, lighting, heating, and other equipment in Fortune 100 companies, government organizations, and possibly even the White House contain a deliberately hidden backdoor, SEC Consult, a Vienna, Austria-based security consulting firm, warned this week.

But AMX Harman today said the backdoor is not hidden and is merely a legacy diagnostic and maintenance login for customer support of technical issues.

Even so, “during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update,” Harman’s senior director of corporate communication Darrin Shewchuk said in comments to Dark Reading. “We informed our customers and the update was deployed in December 2015.”

According to SEC Consult, someone with knowledge of the backdoor could use it to gain complete control of the vulnerable equipment, along with privileges on the system and the associated network segment that even the system administrator would not have.

Johannes Greil, the head of SEC Consult’s vulnerability lab, said the backdoor is rigged such that the system tries to actively hide it from user management interfaces. He said SEC first contacted AMX Harman about the issue last March, and the company issued a new version of the software allegedly addressing the problem about seven months later.

However, an inspection of the new version revealed that the only thing AMX Harman had done was to rename the hidden account from “BlackWidow” to “[email protected],” which is leet-speak for “I am Batman.”

“They didn’t change the password, only the user name,” Greil told Dark Reading today. “Someone with knowledge of the backdoor could completely compromise the affected devices over the network, and due to the highest privileges of the backdoor account, also start sniffing attacks within the network segment,” he says. 

The impact of such an attack would depend on the network configuration of the customer, Greil says. Typically, most of the affected devices are used within internal networks, but that doesn’t mean they cannot be reached from the outside if the network segmentation is weak. Some organizations are also likely to have made the system accessible via the Internet, according to Greil.

Also, many AMX touch panels are Ethernet-connected or reachable over some wireless connection, and can communicate with a vulnerable controller. “If you use the same network socket, for example, within a meeting room and don't have any extra security controls in place, an attacker could maybe also start from there,” Greil says.

SEC Consult made several attempts in subsequent months to get AMX to address the issue. AMX itself today claimed it had issued an update that eliminated the backdoor back in December. But according to SEC’s vendor contact timeline, AMX did not issue a hotfix until January 15, about two days before the security firm alerted local CERT teams and US-CERT on the issue.

Because the hotfix was released without SEC Consult being notified, the company has not had a chance to verify if it really works on all affected products, Greil says.

AMX’s Shewchuk refuted SEC’s claim that it had merely changed the login name from Black Widow to [email protected] when it issued the first software update last year. “[email protected] was an entirely different internal feature that allowed internal system devices to communicate,” he says. “It was not an external login nor was it accessible from outside of the product.”

“The only connection was the fact that our software update that eliminated 'Black Widow' also provided an update to the “[email protected]” internal capability that eliminated this name,” he says.

AMX Harman is part of Harman Professional Division, a manufacturer of professional AV, entertainment, lighting, and control systems. AMX, which bills itself as a vendor of “AV for the IT world,” has numerous customers among Fortune 100 companies, universities, and government agencies.

Its list of government customers in the US includes the White House Press Secretary’s Office, the US Air Force’s Andrew’s Joint Air Force Base, US Marine Corps Tactical Services, and the Naval War College. Several of the affected products are tested and certified for use by the US DoD.

Greil says his company stumbled upon the issue when doing a crash-test analysis on an AMX NX-1200 system, a programmable network device used to control AV equipment and building technology in relatively small facilities.

While analyzing the application binary, SEC Consult uncovered a function called "setUpSubtleUserAccount," which, when implemented, adds an administrative account to the internal user database.

“Functions to retrieve a list of all users in the database were found to deliberately hide this user,” SEC Consult said in its advisory. Further investigation showed at least 30 other AMX products to have the same issue.

Greil declined to speculate on the possible reasons why a manufacturer would include such a hidden backdoor account. “We only found evidence that it has been put there on purpose. It is deliberately hidden in the user management interface - hence it most likely is not some leftover from development.”
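Because the account is filtered out of the device's own user listing, one way to surface it is to reconcile successful logins against the accounts each controller enumerates. The sketch below is an added example, not code from SEC Consult or AMX; the log format, host names and listed accounts are constructed assumptions, and it presumes successful logins are logged somewhere off the device.

```python
import re
from collections import defaultdict

# Constructed sample: accounts each controller's user-management interface
# enumerates (e.g. exported by an administrator). Host names are hypothetical.
LISTED_USERS = {
    "nx-ctrl-01": {"administrator", "avtech"},
    "nx-ctrl-02": {"administrator", "helpdesk"},
}

# Constructed sample auth log; the line format is an assumption, not AMX's own.
SAMPLE_LOG = """\
2016-01-20T09:14:02Z nx-ctrl-01 auth: login success user=administrator src=10.20.1.15 proto=ssh
2016-01-20T09:20:41Z nx-ctrl-01 auth: login failure user=guest src=10.20.1.22 proto=https
2016-01-20T11:02:17Z nx-ctrl-01 auth: login success user=BlackWidow src=10.20.7.88 proto=ssh
2016-01-20T11:05:50Z nx-ctrl-02 auth: login success user=helpdesk src=10.20.1.15 proto=https
2016-01-21T02:31:09Z nx-ctrl-01 auth: login success user=BlackWidow src=10.20.7.88 proto=telnet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)


def find_unlisted_logins(log_text, listed_users):
    """Return {(host, user): [(ts, src, proto), ...]} for every successful
    login by an account the host's own user listing does not show."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Failed logins prove nothing about whether the account exists.
        if not m or m["result"] != "success":
            continue
        # Exact-match comparison; a host with no inventory flags everything.
        if m["user"] not in listed_users.get(m["host"], set()):
            hits[(m["host"], m["user"])].append((m["ts"], m["src"], m["proto"]))
    return dict(hits)


if __name__ == "__main__":
    for (host, user), events in find_unlisted_logins(SAMPLE_LOG, LISTED_USERS).items():
        print(f"{host}: '{user}' logged in {len(events)}x but is not in the user list")
        for ts, src, proto in events:
            print(f"  {ts} from {src} via {proto}")
```
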


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Christian Bryant
1/23/2016 | 12:34:48 PM
Software Accountability and Opened Sources
Seems this is going to be the year of mega corporations being held accountable for hidden access points, undocumented data mining and data reporting fraud.  At least, let's hope it will be.  You see, for years we (Free and Open Source Software [FOSS] advocates) campaigned for the source to be freed, for software to be opened up by companies like Microsoft, Sun Microsystems and Apple.  There was some progress, but for the most part it's still a closed digital world out there.  Sadly, for companies who continue to incorporate hidden "features" like this to be found out, it takes hacking, reverse engineering and other methods to expose them.  

Now, I'm not going to pull out my FOSS soap box, but shouldn't this tell you something?  With the recent Volkswagen exposure - unconscionable, by the way - we as an industry need to start holding corporations accountable, and stop allowing them to ask for these types of "features".  I'm sure not all software engineers have a conscience, but I know the great majority of us do.  Money might be the root of all evil, but someone is writing the code that is allowing the mega corporations to pull these dastardly deeds off.  While AMX Harman may not be at the same level of wrong-doing as Volkswagen's acts, it still reveals a level of apathy that will keep us in this mess unless the industry takes a stand.

To the mega corporations and the people who made the decisions to do these things remember, you use software, too...