AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a “deliberate” backdoor in one of its central controller system products.
New firmware for the AMX NX-1200 was made available Thursday, removing an administrative account that was reachable remotely. AMX said in a description of the firmware update that it had removed a debugging account to “prevent a security vulnerability.”
Austrian consulting firm SEC Consult said it had a seven-month back-and-forth with AMX about the vulnerability before learning that the vendor’s first fix left the backdoor in place and merely changed the user name on the account from Marvel superhero Black Widow to DC star Batman (actually 1MB@tMan).
The latest update, made available yesterday, came three months after that first fix.
SEC Consult published its findings yesterday, documenting that it had discovered a function in the AMX NX-1200 firmware called setUpSubtleUserAccount. In an advisory, SEC Consult said that the function adds an administrative account to the device’s internal user database, and that the account can be used to log in via SSH and the web interface. The account is deliberately hidden from the list of database users.
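As an added illustration (not code from the original article, from SEC Consult or from AMX), the following Python models the pattern the advisory describes: a privileged account stored in the same user database as legitimate accounts but filtered out of the administrator-facing listing. It then shows two checks a practitioner would run against whatever device export or log they can obtain: diffing the raw user store against the displayed list, and scanning authentication logs for the account names reported here. The literal user name "BlackWidow" (for the article’s "Black Widow"), the log line format and all sample data are assumptions constructed for the example.

```python
import re

# Constructed sample data (not taken from the device): the hidden account sits
# in the same user store as legitimate accounts but carries a flag that the
# listing routine honours, which is the effect the advisory describes.
RAW_USER_DB = [
    {"name": "administrator", "role": "admin", "hidden": False},
    {"name": "operator", "role": "user", "hidden": False},
    {"name": "BlackWidow", "role": "admin", "hidden": True},  # assumed backdoor entry
]

# Account names the article reports for the backdoor. Assumption: the literal
# user name behind "Black Widow" is "BlackWidow".
KNOWN_BACKDOOR_NAMES = {"BlackWidow", "1MB@tMan"}

# Constructed authentication log lines in a syslog-like shape (assumption:
# the controller's real log format is not given in the article).
SAMPLE_AUTH_LOG = """\
Jan 21 10:02:11 nx-controller sshd: Accepted password for administrator from 10.1.1.20
Jan 21 10:05:47 nx-controller sshd: Failed password for operator from 10.1.1.31
Jan 21 10:07:03 nx-controller sshd: Accepted password for BlackWidow from 203.0.113.9
Jan 21 10:09:15 nx-controller sshd: Accepted password for 1MB@tMan from 203.0.113.9
"""

ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def list_users_as_shown(db):
    """Mimic a listing routine that silently drops 'hidden' entries."""
    return [u["name"] for u in db if not u["hidden"]]


def audit_user_store(db, shown, approved_admins):
    """Compare the raw store with the displayed list and flag anomalies.

    Returns a list of (finding, account) tuples: entries missing from the
    listing, admin-role entries nobody approved, and known backdoor names.
    """
    shown = set(shown)
    findings = []
    for u in db:
        if u["name"] not in shown:
            findings.append(("hidden_account", u["name"]))
        if u["role"] == "admin" and u["name"] not in approved_admins:
            findings.append(("unapproved_admin", u["name"]))
        if u["name"] in KNOWN_BACKDOOR_NAMES:
            findings.append(("known_backdoor_name", u["name"]))
    return findings


def suspicious_logins(log_text, approved_users):
    """Return (user, src) for successful logins by unknown or known-backdoor accounts."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        user, src = m.group("user"), m.group("src")
        if user in KNOWN_BACKDOOR_NAMES or user not in approved_users:
            hits.append((user, src))
    return hits


if __name__ == "__main__":
    approved = {"administrator", "operator"}
    shown = list_users_as_shown(RAW_USER_DB)
    for finding in audit_user_store(RAW_USER_DB, shown, {"administrator"}):
        print("user-store:", *finding)
    for hit in suspicious_logins(SAMPLE_AUTH_LOG, approved):
        print("login:", *hit)
```

The point of the first check is that an administrator who only consults the device’s own user listing will never see such an account; the comparison has to be made against a raw source (a configuration export or the firmware image’s user database), and successful logins by accounts outside the approved set are worth alerting on regardless of what the listing shows.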
“AMX went ahead and implemented some additional tools like a packet-capture/sniffing facility, to aid the expert spy Black Widow in the fight against the super villain hackers,” SEC Consult wrote. “These tools are only available to our superhero as the power they hold should not be available to simple administrators.”
The firmware update applies not only to the NX-1200 but also to dozens of other products and systems that use the company’s NetLinx NX Control platform. It’s unknown whether the backdoor was present across the board; SEC Consult said it has not tested the firmware update.
AMX is a division of HARMAN International, and its case studies website says that the company’s secure conferencing equipment is used in the White House; Joint Base Andrews, where Air Force One is hangared; the Army’s Fort Leavenworth; the Naval War College; the U.S. Marine Corps Tactical Services Operations Center; and many other critical government and military operations.