Backdoor Locked for White House Devices

Tuesday, January 26, 2016 @ 04:01 PM gHale

A backdoor was in the firmware of devices deployed at the White House and in various U.S. military strategic centers.

The backdoor was in conference room equipment made by AMX, part of HARMAN's Professional Division, which works closely with the government sector. Some of its products are at the White House, inside the U.S. Center for Strategic and International Studies (CSIS), and at various U.S. military bases in Afghanistan. The company has now removed the backdoor.


It all started when researchers at SEC Consult found that older versions of the AMX NX-1200, a central controller for conference room equipment, shipped with hard-coded backdoor accounts.

By analyzing the NX-1200's firmware, researchers discovered a function called “setUpSubtleUserAccount.”

As the name suggests, this function's purpose was to set up a hidden user account that did not appear in the device's configuration screen.

Looking deeper into how this hidden account was created, researchers found that the code set up a backdoor account with the username BlackWidow, a reference to one of Marvel's superheroes.

Because anyone inspecting the device's firmware could recover this hidden account and its password, and because an account that never appears in the configuration screen cannot be disabled or have its password changed by the operator, the backdoor exposed every owner of an AMX NX-1200 to attack.
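The discovery path described above, recovering symbol names and credential strings from a firmware image, is something a practitioner can reproduce with a simple `strings`-style scan. The script below is an added example, not code from AMX, SEC Consult or the article. The firmware blob it scans is constructed for illustration: only the identifiers quoted in the article (setUpSubtleUserAccount, BlackWidow, 1MB@tMaN) are real, and the password values, symbol names and layout are invented placeholders. The `hidden_accounts` helper models the article's other point, that an account is only dangerous in this way if it exists in the firmware but is absent from what the operator can see and manage.

```python
"""Heuristic scan of a firmware image for hard-coded ("debug") accounts.

Added example, not AMX's or SEC Consult's code. SAMPLE_FIRMWARE is constructed;
only setUpSubtleUserAccount, BlackWidow and 1MB@tMaN come from the article.
"""
import re
from collections import defaultdict

MIN_LEN = 6  # shortest printable run worth reporting, like `strings -n 6`

# Symbol names suggesting an account is created outside the normal config path.
SUSPECT_SYMBOL_RE = re.compile(
    r"(set_?up|create|add)\w*(hidden|subtle|secret|debug|backdoor|service)\w*(user|account)",
    re.IGNORECASE,
)

# Keys that commonly precede credentials in embedded INI/config fragments.
# group(1) is the key, group(4) the value.
CRED_KEY_RE = re.compile(
    r"^(user(name)?|login|pass(word|wd)?|pwd)\s*[=:]\s*(\S+)$", re.IGNORECASE
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def find_backdoor_indicators(blob: bytes) -> dict[str, list]:
    """Flag suspicious symbol names and plaintext user/password pairs.

    'symbols'     -> function/symbol names matching SUSPECT_SYMBOL_RE
    'credentials' -> (user, password) tuples where a password key directly
                     follows a user key in the string table
    """
    found: dict[str, list] = defaultdict(list)
    pending_user = None
    for s in extract_strings(blob):
        if SUSPECT_SYMBOL_RE.search(s):
            found["symbols"].append(s)
        m = CRED_KEY_RE.match(s)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(4)
        if key.startswith(("user", "login")):
            pending_user = value
        elif pending_user is not None:
            found["credentials"].append((pending_user, value))
            pending_user = None
    return dict(found)


def hidden_accounts(firmware_accounts, configured_accounts) -> set[str]:
    """Accounts present in the firmware's credential store but missing from the
    device's configuration UI, i.e. ones the operator cannot see, disable or
    re-password. This is the condition that made the NX-1200 account a backdoor."""
    return set(firmware_accounts) - set(configured_accounts)


# Constructed sample image: a fake header, a symbol table, binary noise and an
# embedded config fragment. Password values are invented placeholders.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"initNetwork\x00loadConfig\x00setUpSubtleUserAccount\x00startWebServer\x00"
    + b"\x90\x90\x13\x37"
    + b"[debug]\x00user=BlackWidow\x00password=example-not-the-real-one\x00"
    + b"\xff\xfe\x00\x01"
    + b"user=1MB@tMaN\x00password=second-placeholder\x00"
)

if __name__ == "__main__":
    report = find_backdoor_indicators(SAMPLE_FIRMWARE)
    for symbol in report.get("symbols", []):
        print(f"suspicious symbol: {symbol}")
    for user, _pw in report.get("credentials", []):
        print(f"plaintext credential for account: {user}")
    # Accounts the (hypothetical) config screen lists vs. what the firmware holds
    print("hidden:", hidden_accounts(["admin", "BlackWidow"], ["admin"]))
```

Run it against a real image by reading the file into `blob` instead of `SAMPLE_FIRMWARE`; a hit on `symbols` or `credentials` is a lead for manual review, not proof of a backdoor, since legitimate default accounts also appear as plaintext strings. The decisive check is `hidden_accounts`: if an account exists in the firmware but not in the management interface, the operator has no way to remove or re-password it, which is exactly the situation the NX-1200 owners were in.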

SEC Consult informed AMX of its findings, and the company released a firmware update that it said removed the BlackWidow backdoor account.

When SEC Consult's researchers inspected the updated firmware, they found the BlackWidow account had not been removed but merely renamed “1MB@tMaN,” with exactly the same capabilities.

After three months during which SEC Consult peppered AMX with emails and reminders about the danger of leaving a backdoor hidden in its software, AMX released a firmware update on January 20 through which it said it removed the second hidden account as well.

In its firmware’s official release notes, AMX said the two accounts were only for debugging purposes.