A supplier for audio-visual equipment to the US federal government on Thursday issued an update to its products that removed a potential backdoor that could allow “higher privileges than even administrative access to the system via the backdoor,” according to the researchers who first reported it.
AMX, a division of the audio-visual company Harman, is a company that supplies video conferencing equipment to the U.S. government, the U.S. military and other sensitive customers.
When auditing the binaries for the one of the central controller systems (AMX NX-1200), a team of security researchers from SEC Consult, an Austria-based independent secure research firm, found a function named SetUpSubtleUserAccount. The researchers subsequently found the same SetUpSubtleUserAccount function in more than two-dozen other AMX devices. In early 2015, SEC Consult reported the flaw to the manufacturer. The original advisory is dated March 10, 2015.
“Someone with knowledge of the backdoor could completely reconfigure and take over the device and due to the highest privileges also start sniffing attacks within the network segment,” SEC Consult researcher Johannes Greil told Ars Technica. “We did not see any personal data on the device itself, besides other user accounts which could be cracked for further attacks.”
In particular the researcher found a hidden admin account that used the name of a Marvel comics superhero, Black Widow. Unfortunately, AMX didn’t immediately respond with a patch.
In fact, according to the researchers, it was another seven months before AMX did post a patch. Even then, when the researchers thoroughly examined the fix, they found that AMX merely changed the name of the hidden account from a Marvel character to one from DC comics – from BlackWidow to 1MB@tMaN.
AMX disputed that the names were based on comic book superheroes, telling Ars Technica they were only light hearted project names.
“First, “Black widow was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
This week, AMX published a new release of its NX v1.4.65 firmware. The researchers have yet to confirm the account function was removed, but were informed by the vendor that it was. Additionally, SEC Consult said “our contact stated that AMX will be starting a major security initiative which is a very good thing to do!”