Backdoor Account Found On Devices Used By White House, US Military (sec-consult.com)
An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman thinking nobody will notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.
Nope, think of it like a Kwikset Smartkey deadbolt where you twist the faceplate, exposing a second lock cylinder.
This isn't a "debugging" tool.
I have personally seen "debug" access done properly:
1: The debug account is only accessible from a certain IP range.
2: The debug account is set to be inaccessible after a certain time.
3: The debug account uses a long passphrase.
4: The appliance website has an obvious note that the code is not for prime-time.
5: The debug account drops an entry into a log bucket.
6: When switching to a release build, the #ifdef macros ensure those accounts are never in the actual production software.
Basic common sense here. Any company can grok this, as it isn't any more complex than installing HID card readers on the office doors.
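The checklist in the comment above, sketched in C as an added example; it is not code from the original post or from any vendor firmware. The `DEBUG_BUILD` macro, the lab network, the expiry time and the passphrase are constructed assumptions, and item 4 (the notice on the appliance website) has no code equivalent.

```c
/* Added example. Build with -DDEBUG_BUILD for an engineering image;
 * a release build (no flag) contains no debug account at all. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef DEBUG_BUILD
/* All values below are constructed placeholders (assumptions). */
#define DEBUG_NET     0x0A140000u   /* 10.20.0.0 */
#define DEBUG_MASK    0xFFFF0000u   /* /16 lab network */
#define DEBUG_EXPIRES 1767225600L   /* 2026-01-01T00:00:00Z */
static const char DEBUG_PASS[] =
    "constructed-long-lab-passphrase-not-for-production";

/* Constant-time compare so timing does not leak the matching prefix. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
#endif

/* Returns 1 only when every debug-access condition holds.
 * src_ip is the peer address in host byte order. */
int debug_login(uint32_t src_ip, time_t now, const char *pass) {
#ifdef DEBUG_BUILD
    int ok = (src_ip & DEBUG_MASK) == DEBUG_NET          /* 1: IP range   */
          && now < (time_t)DEBUG_EXPIRES                 /* 2: expiry     */
          && strlen(pass) == sizeof DEBUG_PASS - 1       /* 3: passphrase */
          && ct_equal(pass, DEBUG_PASS, sizeof DEBUG_PASS - 1);
    /* 5: every attempt, accepted or not, leaves an audit record. */
    fprintf(stderr, "AUDIT debug-login src=%08x result=%s\n",
            (unsigned)src_ip, ok ? "accept" : "reject");
    return ok;
#else
    /* 6: release build: neither the account nor its passphrase string
     * is compiled in, so there is nothing to find in the firmware. */
    (void)src_ip; (void)now; (void)pass;
    return 0;
#endif
}
```

Running `strings` over the release binary is a quick check that the passphrase and the audit format string are absent from what ships.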
I have friends in MI - and, I actually read the news.
If you were paying attention, you would know that (a) Flint, MI is, and has been for several years, under the control of a series of emergency managers appointed by the current governor (now in his 6th year in office) of MI. And (b) the current and previous mayors of Flint attempted to raise the issue with those emergency managers and the state government, to no avail. Those mayors (and the city council) had no voice in the decisions that led to the problem and were in fact among the people being lied to by the emergency managers and the state government.
The emails you mention are to/from the emergency managers and the state government. The participation by the mayors was to raise the problem and ask for help.
Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr