Skip to main content
  1. Home
  2. Computing
  3. News

Backdoors found in AMX audio-visual equipment sold to government

Jon Martindale
By

government av equipment back doors amx harman solutions
Harman, owner of AMX, displays government-specific hardware solutions at Hilton Hawaiian Village Waikiki Beach Resort. Image used with permission by copyright holder
AMX, a company that produces audio and visual (AV) control systems designed for conferencing, has been accused of installing a deliberate backdoor in a number of its products, that makes it possible to set up an admin account that can sniff the local network, without prior privileges. Although it denies it, AMX appeared to update software in an attempt to obfuscate the flaw in its security, rather than fix it.

The flaw was originally picked up by Austrian digital security firm, SEC Consult, last year when it discovered the the AMX NX-1200 had a routine in place called “setUpSubtleUserAccount.” When that function was enabled it could set up an admin-level account with a hard-coded password, that let it capture data packets from the network the device was connected to.

Recommended Videos

Even more damning is the fact that this created account was also deliberately hidden from the plain-text list of administrative accounts.

Although it is suggested that most AMX hardware would require network connectivity to be able to login to the device, Ars did find some that are connected to the internet and are publicly accessible. That means that, in theory, someone could enable this feature; login remotely and sniff traffic on the network, compromise other accounts, and steal user data; or just listen in to the conferences as they are ongoing.

More worrying still, is that this sort of hardware is sold to many sensitive organizations. According to AMX’s own website, it’s sold AV systems to government, military, educational and healthcare organisations, theoretically creating huge security loopholes in very sensitive environments.

There is also growing evidence that none of this was an accident or created by a wayward employee at AMX. SEC Consult initially contacted AMX about the issue back in March 2015. No response was received for a full seven months, at which time an update was released which AMX claimed had fixed the security problem.

Further investigation revealed however, that although the original subtle admin account was gone, a new backdoor appeared with an almost identical function. When SEC Consult pointed this out to AMX and again received no response, it went public with its concerns.

A public statement has since been released by the AV equipment firm, stating that neither backdoor had anything to do with one another and were not intended for hacking purposes. Instead they were said to be useful diagnostics tools for maintenance, which it says are not accessible from exterior sources. It did however still decide to end support for the original backdoor in its update, so clearly it does see some potential for security issues.

Another update was recently released, however, which may well have shored up all of the backdoors. Or perhaps it will have just hidden them in a more difficult-to-spot manner.

Editors' Recommendations

Topics
Jon Martindale
Jon Martindale
Computing Coordinator
Jon Martindale is the Evergreen Coordinator for Computing, overseeing a team of writers addressing all the latest how to…
How to delete or hide chats in Microsoft Teams
Running Microsoft Teams on the Galaxy Tab S8.

Microsoft Teams is a terrific workplace platform for keeping the camaraderie strong. Featuring collaborative messaging, video conferencing, and file-sharing tools, it’s your one-stop-shop for in-office, hybrid and at-home workers alike. But anyone with a long history of using Teams will tell you how clogged up your message stockpile can get. Fortunately, deleting and hiding these exchanges is relatively easy to do, and we’ve put together this guide to help.

Read more
Why Llama 3 is changing everything in the world of AI
Meta AI on mobile and desktop web interface.

In the world of AI, you've no doubt heard about what OpenAI and Google have been up to. And now, Meta's Llama LLM (large language model) is becoming an increasingly important player in the game, especially with its open-source nature. Meta recently made a big splash with the launch of its Llama 3 AI model, and it's shaken up the field dramatically.

The reasons why are multiple and varied. It's free to use, it has a wide user base, and yes, it's open source, to name but a few. Here's why Llama 3 is taking the AI industry by storm and may shape its future for some time to come.
Llama 3 is really good
We can debate until the cows come home about how useful AIs like ChatGPT and Llama 3 are in the real world -- they're not bad at teaching you board game rules -- but the few benchmarks we have for how capable these AI are give Llama 3 a distinct advantage.

Read more
How to delete messages on your Mac
A MacBook and iPhone in shadow on a surface.

Apple likes to make things easy for its iPhone, iPad, and macOS devotees. When signed in with the same Apple ID on more than one of these devices, you’ll be able to sync your messages from one Apple product to the next. This means when you get a text on your iPhone, you’ll be able to pull it up through the Messages app on your Mac desktop.

Read more