SEC Consult: Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices
Your conference room, a watchful protector.
About the vendor: "AMX (www.amx.com)
is part of the HARMAN Professional Division, and the leading brand for
the business, education, and government markets for the company. As
such, AMX is dedicated to integrating AV solutions for an IT World. AMX
solves the complexity of managing technology with reliable, consistent
and scalable systems comprising control and automation, system-wide
switching and AV signal distribution, digital signage and technology
management. AMX systems are deployed worldwide in conference rooms,
homes, classrooms, network operation/command centers, hotels,
entertainment venues and broadcast facilities, among others."
To be fair, their products really do offer a wide variety of features,
which is probably also the reason why US President Barack Obama is
sometimes seen in front of a control panel by AMX while sitting in a
meeting at the White House. According to the case studies,
multiple governmental and military bodies have been equipped with their
conference room gear. This includes but is not limited to the White
House, the U.S. Forces Afghanistan as well as the Center for Strategic
and International Studies (CSIS).
Some of the affected devices also seem to be "tested and approved by the US DoD as a JITC certified secure command and control, conference, training and briefing room solution", according to this AMX web page. Further AMX market customer profiles can be accessed here: AMX customer profiles
With that said, let's talk about security.
How AMX (HARMAN Professional) handles security.
In early 2015 SEC Consult decided to take a look into the security of a
conference room solution provided by AMX. Let's not waste any words on
the tiring process of getting the binaries out of the small black box
and jump right to the meat of it all.
During the analysis of the authentication procedure of one of the central controller systems (AMX NX-1200), something strange popped up:
IDA excerpt: "setUpSubtleUserAccount" function
A function which they decided to call "setUpSubtleUserAccount". And this function does exactly what the name would suggest: it sets up a
subtle user account. The strings seen in the above screenshot revealed
an interesting detail about the vendor's security strategy. AMX
apparently called for a little extra help in the universe of Marvel
superheroes to protect their products (and coincidentally also the U.S.
military) from the evil super villain hackers. At least that is what we
assume, because the expert spy and top S.H.I.E.L.D. agent Black Widow
has her own personalized account on the device.
"Romanova, known by many aliases, is an expert spy, athlete, and
assassin. Trained at a young age by the KGB's infamous Red Room Academy,
the Black Widow was formerly an enemy to the Avengers. She later became
their ally after breaking out of the U.S.S.R.'s grasp, and also serves
as a top S.H.I.E.L.D. agent"
Like most superheroes, Black Widow prefers to stay under the radar, not
requesting any credit for her heroic actions. Because of that, the
vendor made an effort to hide her details from the eyes of innocent admins
and users alike:
AMX Master Configuration Manager: Black Widow backdoor account is hidden and does not show up anywhere
Since the daily work of a superhero, especially an IT SECURITY SUPERHERO,
is quite challenging, AMX went ahead and implemented some additional
tools like a packet-capture/sniffing facility, to aid the expert spy
Black Widow in the fight against the super villain hackers. These tools
are only available to our superhero, as the power they hold should not
be available to simple administrators.
As usual, SEC Consult Vulnerability Lab communicated this issue according to our responsible
disclosure policy. Initial contact and exchange of the security advisory
was performed through the European sales team at AMX. About seven
months(!) later AMX provided a fix
for the backdoor. A quick
review of the new firmware showed that the backdoor was still in place,
but Black Widow was gone. Did she decide to step down after being
exposed? Did they fire her? Unfortunately we don't have any details on
that. Whatever the reason may be, the vendor decided to hire somebody from the DC
universe this time. Na na na na na na na na ... you guessed it. BATMAN!
But not the usual Batman, the leet-hacker-Batman, who uses numbers and
special characters to write his own name:
IDA excerpt: New backdoor username 1MB@tMaN
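The lesson of the renamed account is that verifying a vendor fix means diffing the whole string set of the old and new firmware, not just checking that the reported name is gone. The following is an added example, not SEC Consult's tooling or AMX code: it extracts printable strings from two constructed toy images (the old account name "SubtleAgent1" is a placeholder; "1MB@tMaN" is the renamed account the advisory names) and reports whether the setup routine survived and which credential-looking strings are new.

```python
import re
from typing import Dict, Set

MIN_LEN = 6  # like the default of the Unix `strings` utility

# Constructed toy "firmware images": printable strings separated by junk bytes.
# Not the real AMX binaries; "SubtleAgent1" is a placeholder account name.
OLD_IMAGE = (b"\x7fELF\x00\x01\x00\x00setUpSubtleUserAccount\x00\x90\x90"
             b"SubtleAgent1\x00Login failed\x00pktcapture_enable\x00")
NEW_IMAGE = (b"\x7fELF\x00\x01\x00\x00setUpSubtleUserAccount\x00\x90\x90"
             b"1MB@tMaN\x00Login failed\x00pktcapture_enable\x00")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Set[str]:
    """Set of printable-ASCII runs of at least min_len bytes (ASCII only,
    no UTF-16 handling, same idea as `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def credential_like(s: str) -> bool:
    """Heuristic for username/password literals: no spaces, mixed case,
    and at least one digit or common password symbol."""
    return (" " not in s
            and any(c.isupper() for c in s)
            and any(c.islower() for c in s)
            and any(c.isdigit() or c in "@#$%!_-" for c in s))


def verify_fix(old: bytes, new: bytes, known_account: str, marker: str) -> Dict[str, object]:
    """Compare old and new images: was the reported account removed, is the
    account-setup routine (symbol or string `marker`) still present, and
    which credential-looking strings appeared only in the new image?"""
    old_strings, new_strings = extract_strings(old), extract_strings(new)
    added = new_strings - old_strings
    return {
        "old_account_removed": known_account not in new_strings,
        "setup_routine_still_present": marker in new_strings,
        "new_credential_like_strings": sorted(s for s in added if credential_like(s)),
    }


if __name__ == "__main__":
    report = verify_fix(OLD_IMAGE, NEW_IMAGE, "SubtleAgent1", "setUpSubtleUserAccount")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A result with the setup routine still present and a fresh credential-like string is exactly the "renamed, not removed" pattern described above, and warrants asking the vendor for the actual removal.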
This time around, we decided (tried) to get in direct contact with somebody
responsible for security at AMX (HARMAN Professional). After numerous
emails requesting a security contact to exchange the information about
the vulnerability, finally somebody replied. We exchanged the security advisory unencrypted, as requested by AMX. Then they went silent again.
Fast forward another
three months to early 2016, we had still not heard back from AMX, despite asking
for a status update several times, and even postponing the release of
the security advisory in order to give them (even) more time for sorting
things out with Batman and Black Widow.
AMX finally replied, informing SEC Consult that they have released firmware
updates for the affected products. These updates are untested and
unconfirmed by SEC Consult.
Grab them here while they're hot: http://www.amx.com/techcenter/NXSecurityBrief/
- we were told that some of the updates can only be retrieved through AMX tech support.
Furthermore, our contact stated that AMX will be starting a major security initiative which is a very good thing to do!
For the tech geeks, here is our advisory
with additional technical
information, a contact timeline detailing the communication attempts and
a list of affected devices.
Be aware though, that the backdoor password
is only for agents of S.H.I.E.L.D. and hence will not be disclosed.