Network Security: Bad News and Backdoors

Posted February 5, 2016

If you’ve been paying attention to AV news lately, you’ve probably already heard about the AMX controversy. The Blogosphere and Twitterverse have been abuzz with the news. Just in case you haven’t heard, here’s a quick summary:

Information obtained from SEC Consult, a security consultation company based in Austria, revealed that a dangerous “backdoor” account had shipped with many AMX devices. According to SEC Consult, this vulnerability might allow a hacker to spy on activity within the target system. SEC Consult claims that they discovered this vulnerability, alerted AMX, and received a response seven months later that a firmware update had addressed the issue.

The crux of the security issue rests on a specific functionality built into an account named “BlackWidow”. This account was hard-coded with a default password and had security privileges that would allow it to set up additional user accounts with the same profile. According to SEC Consult, this vulnerability could be used to “packet sniff”.

Effectively, this account had the unusual ability to see all information passing through without appearing as an active user. SEC Consult claimed that this “hidden” function was shipped with more than two dozen models of AMX devices. These devices are used by many organizations—the most notable of which is the Executive branch of the United States government.

How the News was Spun

Our summary presents the story stripped to the bare bones, but the media coverage was not so objective. Reporters engaged in fear mongering, intentional or otherwise. The facts of the problem were never fully explained in the mainstream media, and AV industry thought leaders have been hard at work to correct the misinformation. We would like to un-spin this story from emotional manipulation as much as possible.

First, we want to be clear that we won’t attempt to play judge and jury about AMX’s response to SEC Consult. They claim they had been at work on this issue before SEC Consult had even contacted them. They’ve also made a security brief which you can read here.


In summary, AMX says the BlackWidow account was not hidden, but instead was part of a legacy testing process once used for diagnostics. With best-practice network configuration, the account posed no significant threat of outside attack. Since the account was no longer necessary and—in an extreme worst-case scenario of an inside attack—might pose a security risk, AMX updated their devices as soon as possible to eliminate it.

So problem solved, right?

Not exactly.

Perhaps if the story had been framed differently in the media there would have been no story at all. But the media are adept at fear mongering, and the AMX story is one among many sensationalist media attempts at turning a molehill into a mountain.

Forbes’s version of events, which broke first (even before SEC Consult, it seems), was more sensationalized than some of the others. Note the exaggeration (“baffling”, “busted”) in the title alone. Leading with the infamous story of the Juniper backdoor, a story similar only in that it contains the words “government” and “backdoor” in the article, was misleading to say the least.

An optimist would say this coverage is merely a misunderstanding. A skeptical person might question the motive of the coverage further. Instead, we will simply clarify as best we can.

Don’t Worry, be Savvy

The “BlackWidow” backdoor could, in theory, have posed a threat. It could, in theory, have resulted in significant breaches.

Why then, did it not?

In order for a hacker to have taken advantage of this backdoor for nefarious purposes (whether in the White House, in your company, or elsewhere), they would have needed access to the AV network connected to the AMX devices. These AMX devices, unlike in the Juniper case, do not enable outsiders to eavesdrop on the local network.

There is no conceivable reason to connect these devices to the network in a way that they could be accessed from the outside.

Some reports indicated that a general search engine request for default AMX passwords could allow a hacker to access the devices remotely. Again, this is simply not the case. Regardless, no AV or IT team would condone the use of default administrative passwords for such devices.

So how could the devices have been a threat?

A threat would have arisen if, and only if, an inside hacker:

  • Knew about these backdoors in the first place
  • Obtained local access to the secured network that the devices were located on
  • Had extensive knowledge of this network, IP networking generally, the exact equipment used on the network, and the exact configuration

The odds of any government, corporation, or organization having an insider hacker with such knowledge and access, while technically possible, are far from likely. If a hacker was able to invade an organization to that level, there’s a much more serious organizational problem than anything a backdoor account used for diagnostic testing of an AV control device could ever pose.

This simple fact is what makes the story so frustrating to thought leaders in our industry. With best practices in place for device and network configuration, the AMX backdoor is almost a non-issue. We say “almost a non-issue” because if a hacker was able to scale all of the hurdles, was intimately familiar with all of the communications protocols and data packet formats, knew that the BlackWidow account existed, and was inside the organization, there is the possibility that they could have used the account to eavesdrop.

We shouldn’t be dismissive of the problem. However, when the story is viewed in its proper context the threat is relatively small. No matter how small the problem may have been, AMX worked to eliminate the backdoor account soon after they were made aware of the problem.

Again, we won’t condemn or condone how AMX handled their correspondence with SEC Consult. We aren’t in the position to speculate on partial information, and it wouldn’t be our place even if that information was available.

That said, the mainstream media coverage has done the AV industry a disservice. This industry isn’t naïve about security concerns with networked AV. While security is a constant battle, on the whole we strive for excellence. We must continue to adapt as an industry to evolving security concerns.

AV integrators should also do their part to provide IT teams with as much useful security information as possible so that risks can be mitigated. It is impossible to eliminate all security threats with absolute certainty, but having knowledgeable and adaptable programmers in the AV and IT industries goes a long way towards that goal.

Practical Steps Towards Security

No company wants to be a sitting duck for eavesdroppers or malicious hackers. Here are a few key strategies IT teams can take to mitigate the risk of outside attack on an AV device:

  • Isolate AV control systems from the corporate network
  • Blacklist AV devices from Internet access
  • Request detailed information on AV system components
  • Consistently monitor AV devices on the network
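
The following script turns the isolation, Internet-blocking and monitoring steps above into checks that can run against an inventory and some logs. It is an added example written for this post, not code from AMX, SEC Consult or any vendor: the AV subnet, the device inventory, the approved account list and both log formats are constructed assumptions, and a real deployment would swap in the firewall and device logs it actually has.

```python
"""Audit helpers for a segmented AV control network (added example).

Not code from the original post, AMX or SEC Consult. Everything below is
constructed for illustration: the subnet, the device inventory, the
approved accounts, and the key=value log formats are assumptions.
"""
import ipaddress
import re

# Assumption: AV control devices live on their own VLAN/subnet, isolated
# from the corporate network (constructed value).
AV_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Constructed inventory of networked AV devices (hypothetical addresses).
AV_DEVICES = {
    "10.20.30.11": "control-processor-boardroom",
    "10.20.30.12": "control-processor-lobby",
    "10.0.5.44": "touchpanel-misplaced",   # on the corporate subnet by mistake
}

# Accounts an administrator expects to exist on the devices (constructed).
APPROVED_ACCOUNTS = {"administrator", "avtech"}

# Address space considered "inside the organization" (RFC 1918 ranges).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall flow-log format: key=value fields, one flow per line.
FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)
# Constructed device authentication-log format.
AUTH_RE = re.compile(r"device=(?P<dev>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")


def misplaced_devices(devices=AV_DEVICES, subnet=AV_SUBNET):
    """Isolation check: AV devices whose address is outside the AV subnet."""
    return sorted(
        name for ip, name in devices.items()
        if ipaddress.ip_address(ip) not in subnet
    )


def internet_egress(flow_lines, devices=AV_DEVICES):
    """Internet-access check: allowed flows from an AV device to an address
    outside RFC 1918 space. Each hit is (device name, destination, port)."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m or m["action"] != "ALLOW" or m["src"] not in devices:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if not any(dst in net for net in PRIVATE_RANGES):
            hits.append((devices[m["src"]], str(dst), int(m["dport"])))
    return hits


def unexpected_logins(auth_lines, approved=APPROVED_ACCOUNTS):
    """Monitoring check: successful logins by accounts not on the approved
    list. A legacy or vendor diagnostic account would surface here."""
    return [
        (m["dev"], m["user"])
        for m in map(AUTH_RE.search, auth_lines)
        if m and m["result"] == "SUCCESS" and m["user"].lower() not in approved
    ]


# Constructed sample logs for a dry run (not real device or firewall output).
SAMPLE_FLOWS = [
    "2016-02-05T09:00:01Z src=10.20.30.11 dst=10.20.30.200 dport=80 action=ALLOW",
    "2016-02-05T09:00:02Z src=10.20.30.12 dst=203.0.113.9 dport=443 action=ALLOW",
    "2016-02-05T09:00:03Z src=10.20.30.12 dst=198.51.100.7 dport=80 action=DENY",
    "2016-02-05T09:00:04Z src=10.0.5.44 dst=192.0.2.10 dport=23 action=ALLOW",
]
SAMPLE_AUTH = [
    "2016-02-05T09:05:00Z device=control-processor-lobby user=administrator result=SUCCESS",
    "2016-02-05T09:05:30Z device=control-processor-lobby user=BlackWidow result=SUCCESS",
    "2016-02-05T09:06:00Z device=control-processor-boardroom user=guest result=FAIL",
]

if __name__ == "__main__":
    print("Devices outside the AV subnet:", misplaced_devices())
    print("Allowed flows to the Internet:", internet_egress(SAMPLE_FLOWS))
    print("Logins by unapproved accounts:", unexpected_logins(SAMPLE_AUTH))
```

Each check reports a list rather than a verdict so the output can be fed to whatever ticketing or alerting an IT team already uses; denied flows are ignored on purpose, since a blocked egress attempt is the firewall doing its job, while an allowed one is a segmentation gap to fix.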

Security should always be a priority for companies that rely on networked AV for mission-critical applications. The potential harm of an attack far outweighs the time and resources it takes to secure a network. There’s no magic bullet to security. To prevent cyber attacks, any networked AV system needs to be evaluated regularly.

At Synergy CT, we value our partnerships with our clients. As your experts in AV and IT technology, we would like to help ensure that your business is safe and secure. Our Technical Services team has performed Security Reviews for a number of our clients, helping them evaluate and identify vulnerabilities in their systems.

If you would like help evaluating the security of your AV solutions, please contact us to schedule your Security Review.
