AVWeek Episode 230: Backdoor, Man
AMX has had a bad week for PR. An Ars Technica story said one of their products contained backdoor accounts. We talk about security in AV. How does one get into court and legal AV? We also look at what we can learn from smart buildings.
Here is the AMX quote I read:
“First, we want to clarify the risks and terms being discussed. “Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
In terms of the names, these were light-hearted internal project names that our programmers used with no intended meaning.
We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates.”
UPDATE: We’ve had a number of AV security experts weigh in on this episode. Here are some of their concerns.
- The main article opens with mention of a backdoor vulnerability that Juniper had with a product that allowed for sniffing on the network by a snoop. This has no relation to what the AMX backdoor account does, and the statement is used only to sensationalize the article and to fear-monger. Juniper products are LAN/WAN products that are part of the infrastructure, not endpoints. When a product is part of the infrastructure, it determines the network’s security. These particular AMX products are endpoints and are in part protected by the network topology and security (i.e. physical or logical segmentation).
- At another point in the main article there is mention of the consulting firm not taking the research far enough to actually find out what the users of the backdoor accounts would actually be able to do once they exploited the vulnerability. Clearly the researchers have no clue what AMX control systems do and were completely unaware that the “hacker” would be limited to source switching and other such control sets. However, again for sensationalism, at this point the writer chooses to mention AMX case studies with the military and the U.S. President. The writer takes it even further by bringing up a case that had to be dropped due to lack of evidence, the accusation having no substantiation with regard to spying.
- The writer mentions that SEC Consult determined that if the AMX devices were configured in such a way, or mistakenly configured, an outside user could use a general search for AMX to find these devices on the internet and then exploit the vulnerability. This would require the control panel to be placed on the internet. This is hardly ever the case.
Host: Tim Albright
Guests: George Tucker, Dawn Meade, Malissa Dillman
Record Date: 1/22/2016
Running Time: 33:18
Ars Technica AMX story
CNN Money AMX story
AMX official statement
Learning from smart buildings
Getting into legal/court AV