Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/22/2016
04:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

AMX Harman Disputes Deliberately Hiding Backdoor In Its Products

Control systems for AV, lighting, and other equipment used widely by the White House, Fortune 100, government, and defense agencies likely affected.

Multiple AMX Harman systems used for controlling audiovisual, lighting, heating, and other equipment in Fortune 100 companies, government organizations, and possibly even the White House, contain a deliberately hidden backdoor, SEC Consult, a Vienna, Austria-based security consulting firm warned this week.

But AMX Harman today said the backdoor is not hidden and is merely a legacy diagnostic and maintenance login for customer support of technical issues.

Even so, “during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update,” Harman’s senior director of corporate communication Darrin Shewchuk said in comments to Dark Reading. “We informed our customers and the update was deployed in December 2015.”

According to SEC Consult, someone with knowledge of the backdoor could use it to gain complete control of the vulnerable equipment and gain privileges on the system and the associated network segment that even the system administrator would not have, the security firm said.

Johannes Greil, the head of SEC Consult’s vunerability lab, said the backdoor is rigged such that the system tries to actively hide it from user management interfaces. He said SEC first contacted AMX Harman about the issue last March, and the company issued a new version of the software allegedly addressing the problem about seven months later.

However, an inspection of the new version revealed that the only thing AMX Harman had done was to rename the hidden account from “BlackWidow” to “[email protected]," which is leet-speak for "I am Batman."

“They didn’t change the password, only the user name,” Greil told Dark Reading today. “Someone with knowledge of the backdoor could completely compromise the affected devices over the network, and due to the highest privileges of the backdoor account, also start sniffing attacks within the network segment,” he says. 

The impact of such an attack would depend on the network configuration of the customer, Greil says. Typically, most of the affected devices are used within internal networks, but that doesn’t mean they cannot be reached from the outside if the network segmentation is weak. Some organizations are also likely to have made the system accessible via the Internet as well, according to Greil.

Also, many AMX touch panels are Ethernet-connected or reachable over some wireless connection, and can communicate with a vulnerable controller. “If you use the same network socket, for example, within a meeting room and don't have any extra security controls in place, an attacker could maybe also start from there,” Greil says.

SEC Consult made several attempts in subsequent months to get AMX to address the issue. AMX itself today claimed it had issued an update that eliminated the backdoor back in December. But according to SEC’s vendor contact timeline, AMX did not issue a hotfix until January 15, about two days before the security firm alerted local CERT teams and US-CERT on the issue.

Because the hotfix was released without SEC Consult being notified, the company has not had a chance to verify if it really works on all affected products, Greil says.

AMX’s Shewchuk refuted SEC’s claim that it had merely changed the login name from Black Widow to [email protected] when it issued the first software update last year. “[email protected] was an entirely different internal feature that allowed internal system devices to communicate,” he says. “It was not an external login nor was it accessible from outside of the product.”

“The only connection was the fact that our software update that eliminated 'Black Widow' also provided an update to the “[email protected]” internal capability that eliminated this name,” he says.

AMX Harman is part of Harman Professional Division, a manufacturer of a professional AV, entertainment, lighting, and control systems. AMX, which bills itself as a vendor of “AV for the IT world," has numerous customers among Fortune 100 companies, universities, and government agencies.

Its list of government customers in the US include the White House Press Secretary’s Office, the US Air Force’s Andrew’s Joint Air Force Base, US Marine Core Tactical Services, and the Naval War College. Several of the affected products are tested and certified for use by the US DoD.

Greil says his company stumbled upon the issue when doing a crash-test analysis on an AMX NX-1200 system, a programmable network device used to control AV equipment and building technology in relatively small facilities.

While analyzing the application binary, SEC Consult uncovered a function called "setUpSubtleUserAccount," which when implemented adds an administrative account to the internal user database.

“Functions to retrieve a list of all users in the database were found to deliberately hide this user,” SEC Consult said in its advisory. Further investigation showed at least 30 other AMX products to have the same issue.

Greil declined to speculate on the possible reasons why a manufacturer would include such a hidden backdoor account. “We only found evidence that it has been put there on purpose. It is deliberately hidden in the user management interface - hence it most likely is not some leftover from development.”

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
0%
100%
RetiredUser,
User Rank: Ninja
1/23/2016 | 12:34:48 PM
Software Accountability and Opened Sources
Seems this is going to be the year of mega corporations being held accountable for hidden access points, undocumented data mining and data reporting fraud.  At least, let's hope it will be.  You see, for years we (Free and Open Source Software [FOSS] advocates) campaigned for the source to be freed, for software to be opened up by companies like Microsoft, Sun Microsystems and Apple.  There was some progress, but for the most part it's still a closed digital world out there.  Sadly, for companies who continue to incorporate hidden "features" like this to be found out, it takes hacking, reverse engineering and other methods to expose them.  

Now, I'm not going to pull out my FOSS soap box, but shouldn't this tell you something?  With the recent Volkswagen exposure - unconscionable, by the way - we as an industry need to start holding corporations accountable, and stop allowing them to ask for these types of "features".  I 'm sure not all software engineers have a conscious, but I know the great majority of us do.  Money might be the root of all evil, but someone is writing the code that is allowing the mega corporations to pull these dastardly deeds off.  While AMX Harman may not be at the same level of wrong-doing as Volkswagen's acts, it still reveals a level of apathy that will keep us in this mess unless the industry takes a stand.

To the mega corporations and the people who made the decisions to do these things remember, you use software, too...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5788
PUBLISHED: 2020-10-01
Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/system/admin/certificates/delete action.
CVE-2020-5789
PUBLISHED: 2020-10-01
Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to read the contents of arbitrary files on disk.
CVE-2020-9486
PUBLISHED: 2020-10-01
In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
CVE-2020-9487
PUBLISHED: 2020-10-01
In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, ...
CVE-2020-9491
PUBLISHED: 2020-10-01
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues...