Backdoors found in AMX audio-visual equipment sold to government

Harman, owner of AMX, displays government-specific hardware solutions at Hilton Hawaiian Village Waikiki Beach Resort.
AMX, a company that produces audio and visual (AV) control systems designed for conferencing, has been accused of installing a deliberate backdoor in a number of its products. The backdoor makes it possible to set up an admin account that can sniff the local network, without prior privileges. Although the company denies it, AMX appeared to update its software in an attempt to obfuscate the flaw in its security, rather than fix it.

The flaw was originally picked up last year by Austrian digital security firm SEC Consult, when it discovered that the AMX NX-1200 had a routine in place called “setUpSubtleUserAccount.” When that function was enabled, it could set up an admin-level account, with a hard-coded password, that could capture data packets from the network the device was connected to.

Even more damning is the fact that this created account was also deliberately hidden from the plain-text list of administrative accounts.

Although it is suggested that logging in to most AMX hardware would require network connectivity, Ars did find some devices that are connected to the internet and publicly accessible. That means that, in theory, someone could enable this feature, log in remotely and sniff traffic on the network, compromise other accounts and steal user data, or just listen in on conferences as they are ongoing.

More worrying still is that this sort of hardware is sold to many sensitive organizations. According to AMX’s own website, it has sold AV systems to government, military, educational and healthcare organizations, theoretically creating huge security loopholes in very sensitive environments.

There is also growing evidence that none of this was an accident or created by a wayward employee at AMX. SEC Consult initially contacted AMX about the issue back in March 2015. No response was received for a full seven months, at which time an update was released which AMX claimed had fixed the security problem.

Further investigation revealed, however, that although the original subtle admin account was gone, a new backdoor had appeared with an almost identical function. When SEC Consult pointed this out to AMX and again received no response, it went public with its concerns.

A public statement has since been released by the AV equipment firm, stating that the two backdoors had nothing to do with one another and were not intended for hacking purposes. Instead, they were said to be useful diagnostic tools for maintenance, which it says are not accessible from exterior sources. It did, however, still decide to end support for the original backdoor in its update, so clearly it does see some potential for security issues.

Another update was recently released, however, which may well have shored up all of the backdoors. Or perhaps it will have just hidden them in a more difficult-to-spot manner.

