Backdoor Account Found On Devices Used By White House, US Military (sec-consult.com)
An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman thinking nobody will notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.
That way they can monitor EVERYTHING, everywhere, including subversives in the White House that might foil FBI, NSA & CIA operations.
Nothing to see here. This was a "front door," not a "back door."
Don't think of it as a back door. Think of it as a front door with really big locks.
"AMX claimed that the two accounts were only used for debugging,"
No, you only use them for debugging.
Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.
.... but somehow I doubt that the anti-encryption crowd will get the point. Instead they'll point out how they, as government, are a different category.
Everyone knows that you should always be yourself. Unless you can be Batman, then be Batman.
*backdoor account access granted, Batman*
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Let's hope that someone has been recording the output for posterity; to hear the real story of a presidency for the first time since Nixon would be great...
I thought the government *wants* back doors in everything.
I'm confused now... Why would they have them removed?
It was my understanding that the US Government was in favor of putting security back-doors in everything? Are they just mad cuz it wasn't their backdoor?
-- Disclaimer: I can't really back up anything I post on
Hopefully, AMX will be buried by thousands of incoming lawsuits for this childish behavior. The article never mentions what this backdoor would actually let someone with access to it do, but I'm assuming that the possibility existed for someone to use that backdoor to obtain classified or proprietary information. That they tried to hide the backdoor once it was discovered rather than immediately patching it out is just another piece of evidence usable by anyone wishing to sue them. I can foresee a large-scale data audit in AMX's near future as any business owning their software tries to determine whether any of their information was taken, on purpose or inadvertently.
I thought the government WANTED back doors built into tech. How can we monitor for any illegal activity without having back doors?
Don't hook up critical resources where sensitive information is discussed to the internet! Or the phone, or any other network with clear-text external connections.
You go from Marvel to DC and expect that to save you?
Should have gone something better maybe FatFreddy, CheechWizard or BettyVeronica.
Did the submitter even read the article?
The new account was not named "Batman". It was named "1MB@tMaN".
Exactly. Republicans want unbreakable encryption to hide their crimes. We need escrow keys so that we can watch the corporations.
CONservatives always stand with corporations and encryption. Without reasonable, common sense limitations, the people can't monitor the corporations.
Sounds like your brain has an echo. An echo.
The government should really make this stuff in house.
Corporations love to be able to hide their crimes.
No, because the people advocating for backdoors still magically think only they can use the backdoors, and don't understand the reality that a backdoor is open to anybody who knows about it.
Don't ever expect those people to understand how their wishes diverge from reality.
Lost at C:>. Found at C.
In the photos from a conference room during the Bin Laden raid, you can clearly see some AMX equipment on the table. Scary to think that a backdoor was present in their conferencing system when a sensitive operation was taking place.
Someone with backdoor access could have seriously fucked up the whole operation.
> Do the backdoors have little backdoors in them?
A little door inside that back door? I suppose that would be a dog door.
But seriously, yes they do and that's the big concern. I've seen backdoors where the password was protected by unsalted MD5 hashing, which may have been reasonably secure when the code was written in 1996. Now, that can be cracked in less than 10 seconds, so I can access those backdoors. You could say the bad guys do indeed have a back door into the backdoor.
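An added example, not part of the original thread or any vendor's code: a defender-side audit of an account table extracted from a firmware image, flagging accounts missing from the documented list and credentials stored as bare 32-hex-digit (unsalted MD5-sized) hashes, next to a salted scrypt record as the replacement format. The account names, the `name:credential` table format and the scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

def legacy_md5(password):
    """Unsalted MD5: the weak storage format the comment above describes."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    """Salted, memory-hard replacement: 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())

def verify_scrypt(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def audit(table, documented):
    """Return (account, issue) findings for a 'name:credential' table."""
    findings = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name not in documented:
            findings.append((name, "undocumented account"))
        if re.fullmatch(r"[0-9a-fA-F]{32}", stored):
            findings.append((name, "unsalted MD5-sized hash"))
        elif not stored.startswith("scrypt$"):
            findings.append((name, "unrecognised credential format"))
    return findings

# Constructed sample table (hypothetical names and passwords, built at import time).
SAMPLE = "\n".join([
    "# name:credential",
    "admin:" + scrypt_record("constructed-admin-pw"),
    "svc_debug:" + legacy_md5("constructed-debug-pw"),
    "operator:" + legacy_md5("constructed-debug-pw"),
])

if __name__ == "__main__":
    for name, issue in audit(SAMPLE, documented={"admin", "operator"}):
        print("%s: %s" % (name, issue))
```

Because the legacy format has no salt, `svc_debug` and `operator` end up with identical stored values for the same password, while two scrypt records of one password differ.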
Backdoors are backdoors. Anyone can use them.
Government is not homogenous - agencies don't know what security assets other agencies have, multiple agencies fund black hat research / use the capabilities.
Ultimately, you have spying on democratically elected politicians by who knows who within random agencies. The worst individuals would use the power gained to rise to the top through blackmail. It would be far better to make sure all politicians use open systems than to allow backdoors in communications equipment.
> We would have stayed in Vietnam murdering people by the millions
Kid, Nixon got us out of Viet Nam. Maybe you're not old enough to remember Kennedy starting it and Johnson, both Democrats, escalating it and Nixon ending it.
Get with the program people, this is the 21st century, you are supposed to tell your customers about backdoor accounts. Hiding them is soooo 20th-century!
Is that you, Maxx HeadRoom?
We could call it, perhaps, "The Cone of Silence."
E Proelio Veritas.
Enough said. Though I doubt this will convince anyone in politics that encryption backdoors are a bad idea, period.
Higher Logics: where programming meets science.
I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor. Of the two major competitors in commercial control (AMX and Crestron), AMX is usually considered the most secure. They put a high focus on security so that they can land these government jobs. Just to give you some background, Crestron controllers currently run embedded Windows and previously ran VxWorks. AMX controllers previously ran VxWorks and now run Embedded Linux. The AMX controllers have many levels of security including a DoD mode which shuts down most of the services (FTP, web, telnet and leaves SSH). Their proprietary communication between the panel and the controller (carried over port 1319 and registered) is also encrypted in secure mode (this generally carries button presses, text updates, levels, etc.). Sounds to me like the engineers didn't want to give up the backdoor account for service issues once it was discovered and likely didn't realize what a big mistake it was by the time it got passed down. I've met most of the people at AMX and they are very good guys and gals. It's an engineering driven company (not marketing driven). The Harman acquisition may change that to some extent but they are true geeks who I am sure realize they messed up. It's a small company (aside from the Harman parent) in a niche market. They will learn from this and move on.
Oh shit, someone managed to infiltrate us and install covert backdoor accounts in our products? What'll we do, the Government and Military will have a shit fit over this, we'll get all our contracts cancelled! We'll be ruined!
Calm down Fred, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!"
..Yeah, you're right, Steve, no need to spook them, not like they're smart enough to know better, right? Guess my Porsche payment will be on time this month after all!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Backdoorless encryption is bad, isn't it?
Isn't this what they wanted?
Since the White House and the military want backdoors in all devices, what's the problem?
Backdoors by Mossad? Probably.
"Wha, yeah!, c'mon, yeah, yeah, c'mon, yeah I'm a back door man, I'm a back door man The men don't know, but the little girl understand"
As a software engineer, you have debug builds and production builds, and as a general rule you don't ship builds to customers with the debug features enabled... unless you're beta testing. The White House probably wouldn't be my first choice for a beta test site!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Actually, Eisenhower got us into Vietnam, although Kennedy and Johnson escalated it. Nixon does wrongly take most of the flak for Vietnam, although he _eventually_ ended the war, but not before tens of thousands more died.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
All animals are equal but some are more equal than others.
You can't handle the truth.
Arrest the corporate officers in charge of AMX for treason and put them in jail for 20 years. Then watch how quickly the rules for shipping software with "debug features" enabled change...
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I think no matter what political side you're on, we should be appalled at Hillary Clinton's unprofessional use of a home server for her email. Now that we know some of that was highly classified material, it becomes a national security problem that is worse by far than what General Petraeus did. Maybe some are so relating to her as poor old grandma who did not know better, or some incredible addition to her that you would overlook her being a murderer if you had to. But this is a national security mess and it happens because of the idiots straight down from the top who are totally incompetent about security. The politicians probably will never admit it, but we have probably lost a lot of sensitive information and they are trying their best not to let the people know it. Hillary absolutely does not have a clue, and should have never been Secretary of State and should not be president of a PTA let alone President of the USA. Hillary, go home and be a grandma and save us all a lot of grief.
...is all for those backdoors. She openly says so.
AMX just complies with the wishes of the democratic party.
Noooo they can hack light controller
DOOMED !!!
we are so fucking DOOMED
To some extent you are correct.
But overdoing this leads to 1929. And 1929 will bring Marine Corps Corporal John F. H. who will clean up the mess.
You want that? Then vote for folks like Hillary, who is in the pocket of banksters.
Let's blame it on some low level programmer, "who did this backdooring entirely on his own".
Under the "Do unto others as you would have them do unto you." rule. The government does it, so....
"operates over separate DIN ATM infrastructure"
You actually think this will stop a determined adversary?
Maybe you look up what this former NSA technical director says about "networked computers".
Also, how many backdoors have they put into Cisco and Juniper devices (which are probably core elements of Siprnet)?
Here is the protip: Make your own CPU, your own memory, your own compiler, your own OS if you want security.
Or build a copy of SIGABA.
Why should they not eat their own medicine?
After all they (Clinton, Fiorina and more muppeteers) claim they must be able to listen to 100% of all computer users if they so chose.
Why should anyone believe you?
All we know YOU ARE LIARS.
Your Karma is burned. Close down company.
Sure as hell they could be had as Supporters of Espionage or something similar. That is below treason, but still carries hefty jail time.
But you know what? NOTHING will be the consequence. Government is a bunch of corrupt people. How else could they do the Iraq war?
She is just Consistent. Didn't you hear she wants to backdoor all devices.
She just displayed Exemplar Behaviour by granting the Russkies and the Chinese a backdoor.
Which is kind of understandable, given the criminal actions of U.S.G. during the last 20 years. Every government should have backdoors into U.S. systems for the purpose of early warning of criminal acts.
Nah nah nah nah nah nah nah nah,
nah nah nah nah nah nah nah nah!
That's why. They're basically flipping them the bird.
BAT-MAN!
but who can say what THEY used it for! Muhahahaha!!
If I recall correctly, you come from an ex-Soviet Bloc country. Was that book available, read in school, digested, or?
"So long and thanks for all the fish."
nope, you are right. 99% of the time a/v is isolated or completely unconnected. usually just on its own switch in the rack. Out of 1000s of systems I've seen. a/v passwords are usually admin/password too so no big deal here.
my god, I mean someone could actually turn off their projectors during a presentation. the humanity.
with a whole bunch of people who have no clue about A/V equipment.
amx vs fortinet, lulz. this is like cisco vs roku back-doors. one matters, the other not so much.
Jack Kolesar: "I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor."
They didn't just leave a backdoor, they wilfully inserted one under instruction of the US spying apparatus. I do know that people are going to be very reluctant to use the product in the future.
The U.S. government has become a deeply corrupt, hidden dictatorship, and people are joking!
A few of the many stories about backdoors in U.S. hardware (Copied from another comment.):
D-Link: Reverse Engineering a D-Link Backdoor (Oct. 12, 2013)
Arris: 600,000 Arris cable modems have 'backdoors in backdoors', researcher claims (Nov. 20, 2015)
Juniper Networks: Juniper drops NSA-developed code following new backdoor revelations (Jan. 10, 2016)
Cisco: Snowden: The NSA planted backdoors in Cisco products (May 15, 2014)
Netgear: Netgear Patch Said to Leave Backdoor Problem in Router (April 23, 2014)
Windows 8: NSA Backdoor Exploit in Windows 8 Uncovered (Aug. 22, 2013)
Windows: NSA "backdoor" mandates lead to a computer-security FREAK show Quote: "Microsoft Windows OS vulnerable to hackers, thanks to National Security Agency requirements." (March 6, 2015)
Windows: NSA Built Back Door In All Windows Software by 1999 (June 7, 2013)
Hard drives: Breaking: Kaspersky Exposes NSA's Worldwide, Backdoor Hacking of Virtually All Hard-Drive Firmware (Feb. 17, 2015)
Is every backdoor the work of the NSA? There is no way of knowing.
Not before 1991. Worse than that, books censored just like everything else, many books and other materials were simply illegal to own.
You can't handle the truth.
These kinds of backdoors have been around for a very long time. Remember "AWARD_SW", or "AMIBIOS"? Those passwords have opened so many BIOSes back in the day. It was helpful, until everybody started circulating lists. The manufacturers changed default passwords, but took a while for them to give up on those passwords entirely.
They help "lazy" operators and sysadmins, but they also help hackers as well.
Thank you for sharing. I have one further question, if you don't mind. What might the penalty be, say for someone who's traditionally a bit of a trouble maker but not a violent criminal nor trying to overthrow the country, to own a copy of The Animal Farm? Maybe a couple of questions - what might the penalty have been for distributing that work? Perhaps on a larger scale?
Sorry for my naive questions but I'm truly curious and I appreciate your knowledge, candor, and general ability to fill in details that one may have forgotten to ask. If, perhaps, you do not wish to be open about this then email is available. The email listed with this account is valid and checked on a regular basis. The concept of a book being prohibited isn't so foreign that I can't understand it but it is foreign enough that there are aspects that make me curious.
One example would be, would the book have been available (without being too specific, in order to protect yourself - if required) to those who wanted to read it bad enough? Were there clandestine printing presses? Black market shops? Underground lending libraries?
I know that some old Soviet Bloc countries had people who would literally fashion the computers out of not just parts but often out of handmade parts. I think that, at least by itself, is awesome.
Again, thank you for sharing. Your insight is valued and I truly appreciate any effort you make at helping me understand better. In my country, the United States of America or Canada (I'm a citizen of both countries) there are classified documents but if, for some reason, they ended up leaked then we'd certainly be free to publish them, read them, loan them, sell them, gift them, and do things like mark them up for context and greater understanding. Seriously, thanks for explaining. I, for one, truly appreciate it.
"So long and thanks for all the fish."
It was part of the curriculum back in the mid-70's here. (BC)
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Why does the US Government want these backdoors removed? I thought they loved backdoors and wanted them installed on EVERYTHING? I mean, only good guys can use the backdoors, right? So what's the big deal?
this post has been brought to you by Sarcasm