AMX, a company that produces audio and visual (AV) control systems designed for conferencing, has been accused of installing a deliberate backdoor in a number of its products, that makes it possible to set up an admin account that can sniff the local network, without prior privileges. Although it denies it, AMX appeared to update software in an attempt to obfuscate the flaw in its security, rather than fix it.
The flaw was originally picked up by Austrian digital security firm, SEC Consult, last year when it discovered the the AMX NX-1200 had a routine in place called “setUpSubtleUserAccount.” When that function was enabled it could set up an admin-level account with a hard-coded password, that let it capture data packets from the network the device was connected to.
Even more damning is the fact that this created account was also deliberately hidden from the plain-text list of administrative accounts.
Although it is suggested that most AMX hardware would require network connectivity to be able to login to the device, Ars did find some that are connected to the internet and are publicly accessible. That means that, in theory, someone could enable this feature; login remotely and sniff traffic on the network, compromise other accounts, and steal user data; or just listen in to the conferences as they are ongoing.
More worrying still, is that this sort of hardware is sold to many sensitive organizations. According to AMX’s own website, it’s sold AV systems to government, military, educational and healthcare organisations, theoretically creating huge security loopholes in very sensitive environments.
There is also growing evidence that none of this was an accident or created by a wayward employee at AMX. SEC Consult initially contacted AMX about the issue back in March 2015. No response was received for a full seven months, at which time an update was released which AMX claimed had fixed the security problem.
Further investigation revealed however, that although the original subtle admin account was gone, a new backdoor appeared with an almost identical function. When SEC Consult pointed this out to AMX and again received no response, it went public with its concerns.
A public statement has since been released by the AV equipment firm, stating that neither backdoor had anything to do with one another and were not intended for hacking purposes. Instead they were said to be useful diagnostics tools for maintenance, which it says are not accessible from exterior sources. It did however still decide to end support for the original backdoor in its update, so clearly it does see some potential for security issues.
Another update was recently released, however, which may well have shored up all of the backdoors. Or perhaps it will have just hidden them in a more difficult-to-spot manner.
