“Deliberately hidden” backdoor found on US government’s comms system

Researchers from Austrian infosec outfit SEC Consult have unearthed what they dubbed a “deliberately hidden backdoor account” in NX-1200, a network controller appliance for conference rooms manufactured by AMX, which is used by governmental and military bodies (even the US White House), educational and healthcare institutions, hotels and conference centers all over the US.

Subsequent research showed that other 30+ solutions by AMX also contain the backdoor (a full list can be found in this security advisory).

According to the researchers, they discovered a function that sets up a subtle administrative user account named BlackWidow to the internal user database:

AMX BlackWidow

“This account can be used to log on to the web interface as well as SSH. Functions to retrieve a list of all users in the database were found to deliberately hide this user. Further, using this backdoor account grants additional features on the remote-client, such as a facility to capture packets on the network interface which not even an administrator account can perform,” they explained in the advisory.

After they contacted AMX and shared their finding, the company shipped a fix for the backdoor after seven months. Unfortunately, as the researchers found, the fix removed the BlackWidow backdoor account and created another one named “1MB@tMaN,” with the exact same capabilities.

After failing to get in touch with the company again (to point out the “no-fix” fix), the researchers decided to go public with their discovery (but did not share the password for the backdoor account).

AMX did get in touch with the company on Wednesday, and informed them that they released firmware updates for the affected products. “Removed debugging account to prevent security vulnerability,” the notes accompanying the update say.

SEC Consult has yet to check the update to see that the issue is satisfactorily fixed.

In the meantime, the AMX spokesman had this to say by way of an explanation:

“First, ‘Black widow’ was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not ‘hidden’ as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.

‘1MB@tMaN’ was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The ‘1MB@tMaN’ internal system device capability also was not related to nor a replacement for the ‘Black Widow’ diagnostic login. The only connection was the fact that our software update that eliminated ‘Black Widow’ also provided an update to the ‘1MB@tMaN’ internal capability that eliminated this name.

In terms of the names, these were light hearted internal project names that our programmers used with no intended meaning. We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates.”

“For AMX and users of it, I would consider this to be a very serious issue ­ similar to what happened with Juniper recently,” commented Jeremiah Grossman, Founder, WhiteHat Security.

“The question typically starts out as ‘was this on purpose or placed there by an adversary?’ If it was placed there by an adversary, there is little to no chance they would leave the backdoor in place. Which then points to the fact that it was almost certainly put there on purpose by AMX to surveil their users.”

“This almost certainly is an attempt to create a user level backdoor to bypass the typical authentication mechanism built into their products. I would assume it’s purpose is to give them unfettered access to the internal VOIP networks of their clients, and all associated devices on that network. Only AMX could confirm or deny this,” he noted.

“It is a strong indication they knowingly placed the backdoor in their product and were hoping that the team wouldn’t find that the backdoor was still in place. And if this is the case, AMX will need to explain the situation, and reasoning for the backdoor, in order to protect their customer security credibility. Furthermore, all networks that use this product should be considered compromised by AMX and anyone else who has access to the affected device in question.”