Menu
Backdoor account replaced by another backdoor in vendor stumble

Backdoor account replaced by another backdoor in vendor stumble

The issue has been fixed but raises questions over how companies manage vulnerability reports

A company that makes video conferencing products replaced one serious security vulnerability with another, despite being warned of the dangers.

AMX Harman, which makes a variety of audio-visual and building control equipment, has patched the problem. But on Thursday SEC Consult, an information security firm in Vienna, revealed what it says is the back story.

Last March, SEC Consult warned AMX that it had found a secret account in certain versions of the NX-1200, an appliance for controlling audio-visual systems.

The hidden account used the username Black Widow, and SEC Consult said it found the password as well by studying the appliance's authentication procedures.

amx black widow account

The credentials can be used to gain broad access to the device, including the web-based management and command line interfaces. A hacker would also be able to capture packets, SEC Consult wrote.

The account appears to have been intentionally created, Johannes Greil, head of SEC Consult Vulnerability Lab, said via email.

"The backdoor is quite critical, because it seems to be deliberate and not some leftover from developers," he wrote. "The system tries to actively hide it from user management interfaces and the backdoor account even has more privileges than an admin account."

The finding by SEC Consult is worrying since AMX has a significant government business. In a photo on its website, it shows a photo of U.S. President Barack Obama with top advisors with the tag line "Room Automation."

amx obama


Although it was notified in March, AMX didn't provide a fix until October. When SEC Consult analyzed the fix, they noticed the "Black Widow" account had simply been changed to a new username.

According to a security brief from AMX, it removed what it called the "debugging account" to prevent a security vulnerability.

SEC Consult said it hasn't checked to see if the latest fix is effective. It did not release the passwords for either of the hidden accounts.

A more detailed advisory from SEC Consult says that backdoors affect many other products besides the NX-1200. AMX officials could not immediately reached for comment.

Now that the issue has ostensibly been resolved, SEC Consult wrote that its contact at AMX said the company "will be starting a major security initiative."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Meet the winners of the 2020 Reseller News Innovation Awards

Meet the winners of the 2020 Reseller News Innovation Awards

Reseller News honoured the standout players of the New Zealand channel in front of more than 500 technology leaders in Auckland on 21 October, recognising the achievements of top partners, start-ups, vendors, distributors and individuals.

Meet the winners of the 2020 Reseller News Innovation Awards
Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Show Comments