Backdoors found in AMX audio-visual equipment sold to government

Harman, owner of AMX, displays government-specific hardware solutions at Hilton Hawaiian Village Waikiki Beach Resort.
AMX, a company that produces audio and visual (AV) control systems designed for conferencing, has been accused of installing a deliberate backdoor in a number of its products that makes it possible to set up an admin account that can sniff the local network, without prior privileges. Although it denies this, AMX appeared to update its software in an attempt to obfuscate the flaw in its security, rather than fix it.

The flaw was originally picked up by Austrian digital security firm SEC Consult last year, when it discovered that the AMX NX-1200 had a routine in place called “setUpSubtleUserAccount.” When that function was enabled, it could set up an admin-level account with a hard-coded password, one that could capture data packets from the network the device was connected to.

Even more damning is the fact that this created account was also deliberately hidden from the plain-text list of administrative accounts.

Although it is suggested that most AMX hardware would require network connectivity to be able to log in to the device, Ars did find some that are connected to the internet and are publicly accessible. That means that, in theory, someone could enable this feature, log in remotely and sniff traffic on the network, compromise other accounts, and steal user data, or just listen in to conferences as they are ongoing.

More worrying still is that this sort of hardware is sold to many sensitive organizations. According to AMX’s own website, it has sold AV systems to government, military, educational and healthcare organizations, theoretically creating huge security loopholes in very sensitive environments.

There is also growing evidence that none of this was an accident or created by a wayward employee at AMX. SEC Consult initially contacted AMX about the issue back in March 2015. No response was received for a full seven months, at which time an update was released which AMX claimed had fixed the security problem.

Further investigation revealed, however, that although the original subtle admin account was gone, a new backdoor had appeared with an almost identical function. When SEC Consult pointed this out to AMX and again received no response, it went public with its concerns.

A public statement has since been released by the AV equipment firm, stating that the two backdoors had nothing to do with one another and were not intended for hacking purposes. Instead, they were said to be useful diagnostic tools for maintenance, which it says are not accessible from exterior sources. It did, however, still decide to end support for the original backdoor in its update, so clearly it does see some potential for security issues.

Another update was recently released, however, which may well have shored up all of the backdoors. Or perhaps it will have just hidden them in a more difficult-to-spot manner.
