“Baffling” Backdoor Cyber-Talks
Before I begin let me first explain for those who may not yet be aware that the AV industry locked into a story on January 21st involving AMX by Harman and backdoors. Posts began to appear on Twitter, and I will say that prior to these tweets appearing I had already known what had taken place, as I follow cybersecurity in social media mostly on Twitter and LinkedIn. Now I’m not saying that the industry is baffled, actually the industry was on top of this and that’s a good thing, as we are hearing more security discussions around AV and the network as well as IoT- again all good. I will be getting to that part of the blog title.
So we’re all on the same page here a backdoor is a means of access to a computer program that in essence bypasses security mechanisms. A backdoor may be installed so that the program can be accessed for troubleshooting or other purposes. A backdoor can be considered a potential security risk.
Many who have been discussing this issue claimed Ars Technica to be the first to break the story (and referenced a later CNN Money article as well), however if you check timelines, Ars Technica published the story at 1:44 p.m. while Forbes published this article Baffling ‘Batman’ Backdoor Busted In Comms Used By Global Governments at 8:00 a.m. I had found out about the article written by Thomas Fox-Brewster that morning (you can check him out at @iblametom) — seems like the kind of story he likes to really sink his teeth into.
And actually I was a bit baffled when I saw it, trying to make heads and tails of an article that referenced DC Comics superheroes and even included an image of a Batman impersonator next to the Batmobile in public.
It is known through the Forbes article that researchers from Austrian firm SEC Consult, the original source of this information, had uncovered what they claimed were “deliberately hidden” backdoors in products from AMX by Harman, as we know a provider of conference room communications and control systems for corporate, education and government entities. In terms of highest profile in the U.S., AMX equipment is used in the White House.
One should note that AMX devices are tested and approved by the US DoD as JITC certified secure command and control, conference, training and briefing room solutions. AMX by Harman states that the Enova® DVX All-In-One Presentation Switcher Series is the only certified conference room control and switching solution listed on DISA’s Unified Capabilities (UC) Approved Products List (APL). Here is a link to this statement. I have also been made aware that the Defense Information Systems Agency (DISA) performs highly stringent testing on any equipment to be utilized by the DOD.
This all was determined by SEC Consult after analyzing the AMX NX-1200 NetLinx NX Integrated Controller, and researchers first became suspicious after encountering a function called “setUpSubtleUserAccount” that added a highly privileged account with a hard-coded password to the list of users authorized to log in.
SEC Consult in their Jan. 21st blog Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices specified that in early 2015 they decided to take a look into the security of a conference room solution provided by AMX, coming up with the aforementioned information concerning their research.
After detailing how strings in the program revealed an interesting detail about the vendor’s security strategy, they went on to state this in the blog:
AMX apparently called for a little extra help in the universe of Marvel superheroes to protect their products (and coincidentally also the U.S. military) from the evil super villain hackers. At least that is what we assume, because the expert spy and top S.H.I.E.L.D. agent Black Widow has her own personalized account on the device.
“Natasha Romanova, known by many aliases, is an expert spy, athlete, and assassin. Trained at a young age by the KGB’s infamous Red Room Academy, the Black Widow was formerly an enemy to the Avengers. She later became their ally after breaking out of the U.S.S.R.’s grasp, and also serves as a top S.H.I.E.L.D. agent”
Like most superheroes, Black Widow prefers to stay under the radar, not requesting any credit for her heroic actions. Because of that, the vendor made an effort in hiding her details from eyes of innocent admins and users alike:
You can read on in the blog as they then introduce “Batman,” as well as further information concerning their stated contact with AMX by Harman.
If you read the Fox-Brewster article, you’ll see how he led off with an incident involving Juniper Networks and a very dangerous backdoor situation — can we remotely determine a situation of such proportions taking place here? Well, if NSA involvement had taken place here, as it did in the Juniper incident, then quite possibly. We do see a situation here that could have been a potential risk, as well as possibly approached in certain better ways as well.
SEC Consult, self-designated as an international leader in application security services and information security consultancy, decided to write a half fun-poking DC comic book superheroes blog on what was certainly considered to be a serious matter in terms of backdoors, where it actually can be as highlighted in this article Juniper Breach Reflects Risk of ‘Back Doors’: Researchers. Do the Juniper Networks and AMX by Harman scenarios, pasted together in the Forbes article, show a nefarious bond in any capacity? Hardly.
Two things were specified in the Forbes article though concerning the AMX by Harman backdoor situation:
- The backdoors might not have been so straightforward to exploit by an outside hacker, as they would have to gain access to the target network, most likely through a separate attack, or via an insider.
- It’s unclear what kinds of data could be stolen using the accounts. Johannes Greil, who heads up SEC Consult Vulnerability Lab, said his company had only analyzed the firmware and had not gone any deeper to see what an attacker could do.
An attacker with knowledge of the account credentials can obtain administrator access on the device.
|Apply an update
AMX has released an update for some devices. Affected users are encouraged to contact Harman’s support line for more information on obtaining the update.
If you are a vendor and your product is affected, let us know.
Here is an official statement from AMX by Harman :
First, we want to clarify the risks and terms being discussed. “Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
In terms of the names, these were lighthearted internal project names that our programmers used with no intended meaning.
We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates.
There were other statements issued as well — this was a statement included in a customer letter speaking to potential breach scenario:
First and foremost, we are not aware of any breaches of any of our systems. “Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update.
Will there be more out of AMX by Harman on this? Not sure, but let’s wait and see.
Hats off to the AV industry for picking up on this story and bringing up to the minute conversation and perspectives as we get deeper into security discussion about AV, the network and even IoT. Security discussion, as I and others have been stating, needs to continue and profile to such discussions also increase throughout the industry. It can also be stated that this may serve as a model for the industry where security determinations are concerned in the future.