Multiple AMX Harman systems used for controlling audiovisual, lighting, heating, and other equipment in Fortune 100 companies, government organizations, and possibly even the White House, contain a deliberately hidden backdoor, SEC Consult, a Vienna, Austria-based security consulting firm warned this week.
But AMX Harman today said the backdoor is not hidden and is merely a legacy diagnostic and maintenance login for customer support of technical issues.
Even so, “during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update,” Harman’s senior director of corporate communication Darrin Shewchuk said in comments to Dark Reading. “We informed our customers and the update was deployed in December 2015.”
According to SEC Consult, someone with knowledge of the backdoor could use it to gain complete control of the vulnerable equipment and gain privileges on the system and the associated network segment that even the system administrator would not have, the security firm said.
Johannes Greil, the head of SEC Consult’s vunerability lab, said the backdoor is rigged such that the system tries to actively hide it from user management interfaces. He said SEC first contacted AMX Harman about the issue last March, and the company issued a new version of the software allegedly addressing the problem about seven months later.
However, an inspection of the new version revealed that the only thing AMX Harman had done was to rename the hidden account from “BlackWidow” to “[email protected]," which is leet-speak for "I am Batman."
“They didn’t change the password, only the user name,” Greil told Dark Reading today. “Someone with knowledge of the backdoor could completely compromise the affected devices over the network, and due to the highest privileges of the backdoor account, also start sniffing attacks within the network segment,” he says.
The impact of such an attack would depend on the network configuration of the customer, Greil says. Typically, most of the affected devices are used within internal networks, but that doesn’t mean they cannot be reached from the outside if the network segmentation is weak. Some organizations are also likely to have made the system accessible via the Internet as well, according to Greil.
Also, many AMX touch panels are Ethernet-connected or reachable over some wireless connection, and can communicate with a vulnerable controller. “If you use the same network socket, for example, within a meeting room and don't have any extra security controls in place, an attacker could maybe also start from there,” Greil says.
SEC Consult made several attempts in subsequent months to get AMX to address the issue. AMX itself today claimed it had issued an update that eliminated the backdoor back in December. But according to SEC’s vendor contact timeline, AMX did not issue a hotfix until January 15, about two days before the security firm alerted local CERT teams and US-CERT on the issue.
Because the hotfix was released without SEC Consult being notified, the company has not had a chance to verify if it really works on all affected products, Greil says.
AMX’s Shewchuk refuted SEC’s claim that it had merely changed the login name from Black Widow to [email protected] when it issued the first software update last year. “[email protected] was an entirely different internal feature that allowed internal system devices to communicate,” he says. “It was not an external login nor was it accessible from outside of the product.”
“The only connection was the fact that our software update that eliminated 'Black Widow' also provided an update to the “[email protected]” internal capability that eliminated this name,” he says.
AMX Harman is part of Harman Professional Division, a manufacturer of a professional AV, entertainment, lighting, and control systems. AMX, which bills itself as a vendor of “AV for the IT world," has numerous customers among Fortune 100 companies, universities, and government agencies.
Its list of government customers in the US include the White House Press Secretary’s Office, the US Air Force’s Andrew’s Joint Air Force Base, US Marine Core Tactical Services, and the Naval War College. Several of the affected products are tested and certified for use by the US DoD.
Greil says his company stumbled upon the issue when doing a crash-test analysis on an AMX NX-1200 system, a programmable network device used to control AV equipment and building technology in relatively small facilities.
While analyzing the application binary, SEC Consult uncovered a function called "setUpSubtleUserAccount," which when implemented adds an administrative account to the internal user database.
“Functions to retrieve a list of all users in the database were found to deliberately hide this user,” SEC Consult said in its advisory. Further investigation showed at least 30 other AMX products to have the same issue.
Greil declined to speculate on the possible reasons why a manufacturer would include such a hidden backdoor account. “We only found evidence that it has been put there on purpose. It is deliberately hidden in the user management interface - hence it most likely is not some leftover from development.”