Backdoor Account Found on Devices Used by White House, US Military
[bold]A backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment.[/bold]
AMX, part of the HARMAN Professional Division, is a hardware and software manufacturer of conferencing equipment with a substantial footprint in the government sector. Some of its products have been spotted at the White House during President Barack Obama’s meetings, inside the US Center for Strategic and International Studies (CSIS), and in various US military bases in Afghanistan.
According to security researchers from SEC Consult, older firmware versions of the AMX NX-1200, a central controller for conference room equipment, shipped with hidden backdoor accounts.
[bold]Black Widow and Batman were listening on President Obama’s conferences[/bold]
By analyzing NX-1200’s firmware, researchers discovered a function in its source code called “setUpSubtleUserAccount.”
As you have probably guessed, this function’s purpose was to set up a hidden user account that did not appear in the device’s configuration screen.
Looking deeper into how this hidden code worked, the researchers found that the function created an account with the username BlackWidow, a reference to one of Marvel’s superheroes, and that the credentials were compiled directly into the firmware.
[bold]Black Widow and Batman backdoors were “debugging accounts”[/bold]
Because the username and password were stored in the firmware image itself, anyone who extracted and inspected the firmware could recover them, so every owner of an AMX NX-1200 device was exposed to being hacked and spied on through a credential they could neither see nor change.
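To show why a credential compiled into firmware offers no protection, here is an added example (not code from SEC Consult, AMX, or the original article) of the kind of string scan the researchers’ finding implies: it extracts printable runs from a binary blob and reports the literals stored right after a known function name. The firmware image, the adjacency of the literals to the function name, and the password value are all constructed for this example; only the function name and the BlackWidow username come from the article.

```python
import re
from typing import List, Optional, Tuple

# Name of the hidden-account function reported by SEC Consult (from the article).
BACKDOOR_FUNCTION = b"setUpSubtleUserAccount"


def _filler(n: int) -> bytes:
    # Deterministic non-printable bytes (values 0..31) standing in for code and data
    # that a strings scan should ignore.
    return bytes((i * 7) % 32 for i in range(n))


def build_sample_firmware() -> bytes:
    """Constructed stand-in for a firmware image.

    Mimics how a C binary's .rodata section holds a function name next to the
    string literals that function uses. The password is invented for this example;
    it is NOT the real AMX value.
    """
    return (
        _filler(512)
        + b"ssh-2.0-example\x00"
        + _filler(64)
        + BACKDOOR_FUNCTION + b"\x00"
        + b"BlackWidow\x00"             # username reported in the article
        + b"example-p4ssw0rd!\x00"      # hypothetical password, invented here
        + _filler(128)
        + b"Configuration saved\x00"
        + _filler(256)
    )


def extract_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len printable ASCII bytes,
    the same thing the Unix `strings -t d` command prints."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def strings_after(blob: bytes, marker: bytes, window: int = 64,
                  min_len: int = 6) -> List[str]:
    """Strings that begin within `window` bytes after the end of `marker`."""
    idx = blob.find(marker)
    if idx < 0:
        return []
    end = idx + len(marker)
    return [s for off, s in extract_strings(blob, min_len) if end <= off < end + window]


def recover_hidden_account(blob: bytes,
                           marker: bytes = BACKDOOR_FUNCTION) -> Optional[Tuple[str, str]]:
    """Treat the first two literals following the function name as the
    (username, password) pair it hands to the account-creation routine.

    Assumption of this example: the compiler laid the literals out next to the
    function name. On a real image the order is not guaranteed, so a hit here is a
    lead to confirm, not proof by itself.
    """
    candidates = strings_after(blob, marker)
    if len(candidates) < 2:
        return None
    return candidates[0], candidates[1]


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, text in extract_strings(fw):
        print(f"{off:#08x}  {text}")
    print("hidden account:", recover_hidden_account(fw))
```

On a real device you would first unpack the firmware container (it is usually a compressed filesystem image), run the same scan over the extracted binaries, and then confirm the finding by checking whether the device actually accepts the recovered credential, since a literal sitting next to a function name is a strong hint but not proof on its own.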
SEC Consult informed AMX of their findings, and the company removed the BlackWidow backdoor account by releasing a firmware update.
At a later inspection, SEC Consult’s researchers found to their surprise that the BlackWidow account had not really been removed but only replaced with a second hidden account, this one a Batman reference, with exactly the same capabilities.
After three long months during which SEC Consult peppered the AMX team with emails and reminders about the danger of leaving a backdoor hidden in their software, AMX finally released another firmware update yesterday, January 20, 2016, which it said removes this second hidden account as well.
In its firmware’s official release notes, AMX claimed that the two accounts were only used for debugging.
A similar incident recently affected Fortinet, after an unknown user published an SSH backdoor found in Fortinet’s FortiOS. The company later described the backdoor as unintentional, saying it existed only to give the company’s FortiManager centralized management protocol access to other Fortinet devices.