Vulnerabilities Discovered in Government AV Equipment
Austrian security consultancy SEC Consult found a backdoor in a central controller product made by Texas-based manufacturer AMX (part of Harman International). AMX sells audio-visual and conferencing control systems to many organizations that transmit and store sensitive information, including government, military, education and healthcare customers.
The backdoor is a hidden administrative account protected by a hard-coded password. A function called “setUpSubtleUserAccount” adds the account to the controller’s internal user database; anyone who knows the credentials can log in to the web interface and over SSH as that account, without any prior access to the device, and use it to capture packets from the network the controller is connected to.
SEC Consult’s business recommendation is blunt: do not use the affected AMX products until the issues have been resolved, since an attacker can completely compromise the devices. The backdoor account even has higher privileges than the regular administrator account.
The backdoor was found last year, but a series of discoveries and events since point to the deliberation and persistence involved in keeping it alive:
- The created account was deliberately hidden from the plain-text list of admin accounts, so the functions that enumerate all users never return it
- Seven months after the initial report of a backdoor, AMX released an update that supposedly fixed the problem, but the “fix” was simply a new set of backdoor credentials
- The first set of hard-coded credentials used the username BlackWidow; the second switched to Batman in leetspeak, 1MB@tMaN, a very clever move from Marvel to DC, indeed
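To make the mechanism from the description above concrete (a function that inserts a hard-coded account, a listing function that never shows it, and a login path that accepts it anyway), here is an added, constructed example. It is not AMX firmware and not SEC Consult’s code: the `UserDatabase` class, the `superadmin` role, the password and the `administrator` account are all assumptions made for this illustration; only the two usernames BlackWidow and 1MB@tMaN come from the advisory. The two `audit_*` functions show the check a practitioner actually wants: never trust a device’s own user enumeration, compare it against the raw credential store (for example, a user database pulled out of a firmware image) and look for published backdoor names.

```python
"""Toy model of the hidden-account backdoor pattern (hard-coded credentials,
elevated role, omitted from user enumeration) plus two audit checks.
Constructed example for this article; not AMX firmware, not SEC Consult code.
Password, role names and the 'administrator' account are made up."""
import hashlib
import hmac


class UserDatabase:
    """Minimal credential store: one call inserts an account, another lists
    accounts for the web UI / CLI, a third authenticates."""

    def __init__(self):
        self._users = {}      # username -> (sha256(username + password), role)
        self._hidden = set()  # usernames that list_users() must never return

    def add_user(self, username, password, role="user", hidden=False):
        # Toy hashing for illustration only; a real store needs a random salt
        # and a slow password hash.
        digest = hashlib.sha256((username + password).encode()).hexdigest()
        self._users[username] = (digest, role)
        if hidden:
            self._hidden.add(username)

    def list_users(self):
        """What the device's own management interface shows. Mirrors the
        evasion the article describes: hidden accounts are filtered out."""
        return sorted(u for u in self._users if u not in self._hidden)

    def authenticate(self, username, password):
        """Return the account's role on success, None otherwise. Hidden
        accounts authenticate exactly like visible ones."""
        entry = self._users.get(username)
        if entry is None:
            return None
        digest, role = entry
        candidate = hashlib.sha256((username + password).encode()).hexdigest()
        return role if hmac.compare_digest(candidate, digest) else None

    def dump_credential_store(self):
        """Stand-in for reading the user database straight off the firmware
        filesystem instead of asking the device to enumerate it."""
        return sorted(self._users)


def set_up_subtle_user_account(db):
    """Models the vendor function the article names: hard-coded username and
    password, a role above administrator, hidden from enumeration.
    The password and the 'superadmin' role are constructed for this example."""
    db.add_user("BlackWidow", "example-hardcoded-secret",
                role="superadmin", hidden=True)


def build_affected_device():
    """Constructed device state: one legitimate admin plus the backdoor."""
    db = UserDatabase()
    db.add_user("administrator", "correct horse battery staple", role="admin")
    set_up_subtle_user_account(db)
    return db


def audit_hidden_accounts(db):
    """Check 1: diff the raw credential store against what the listing API
    returns. Any account the device can authenticate but will not list is
    suspicious."""
    return sorted(set(db.dump_credential_store()) - set(db.list_users()))


def audit_known_backdoor_names(db, names=("BlackWidow", "1MB@tMaN")):
    """Check 2: look for the usernames published in the advisory in the raw
    store. Cheap, but only catches credentials that are already public."""
    stored = set(db.dump_credential_store())
    return sorted(n for n in names if n in stored)


if __name__ == "__main__":
    device = build_affected_device()
    print("UI shows:", device.list_users())
    print("Hidden but valid:", audit_hidden_accounts(device))
    print("Known backdoor names present:", audit_known_backdoor_names(device))
```

The point of the two checks is that the first one does not depend on knowing any vendor secret: it only needs an independent view of the credential store, which is why firmware extraction, not the device’s own “list users” command, is the right starting point when auditing this class of equipment. The second check is a quick triage step and would have missed the renamed 1MB@tMaN account until that name became public too.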
From SEC’s security advisory timeline:
If you don’t know who Batman is, you may be beyond my help, but Black Widow is a somewhat lesser known Marvel character also known as Natasha Romanova, expert spy and assassin trained from a young age by the KGB. She was trained in martial arts, psychology and computer hacking. But then she turned good and became an ally to the Avengers as a top agent for the fictional spy agency, S.H.I.E.L.D.
Anyway, AMX recently released firmware updates for the affected products; however, SEC Consult has not tested them, so it is not clear whether the fix is effective.
A statement from AMX says the account was intended as a diagnostic tool for maintenance, not for hacking purposes. Intent aside, it poses serious security problems: it lets an attacker spy on any network connected to the conferencing/AV device and gain super-administrator rights. A hard-coded account may make life easier for support technicians (the good guys), but it makes it just as easy for remote attackers (the bad guys) to access information from government clients.
Threatpost reports that some of the company’s conferencing equipment is used by clients such as the White House, the U.S. Marine Corps Tactical Services Operations Center, Joint Base Andrews (Air Force One), the Naval War College, and other critical government and military operations.