Backdoor Account Found On Devices Used By White House, US Military

An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman thinking nobody will notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.

Just What the Government Wants - Backdoors

[BoRegardless]

That way they can monitor EVERYTHING, everywhere, including subversives in the White House that might foil FBI, NSA & CIA operations.

Re: Just What the Government Wants - Backdoors

Who monitors the monitors? Do the backdoors have little backdoors in them? Is it backdoors all the way down? Backdoorception?

Re: Just What the Government Wants - Backdoors

[radiumsoup]

whoops, accidental downmod (meant to make 'funny') so posting reply to undo

Re: Just What the Government Wants - Backdoors

[Locke2005]

There have been many, many movies about backdoors... you've just been visiting the wrong DVD store!

Re: Just What the Government Wants - Backdoors

[DoofusOfDeath]

Is it backdoors all the way down?

No, it would be backdoors all the way back.

It's trapdoors all the way down.

Re:Just What the Government Wants - Backdoors

[nytes]

They're eating their own dog food.

I'd like to ask some of the presidential candidates what they think about backdoors now. There's another Republican debate coming up. This needs to be brought to the attention of the moderators along with any press that happens to be interviewing HRC and Sanders.

Front door

[awkScooby]

Nothing to see here. This was a "front door," not a "back door."

Distinctions

[Bovius]

"AMX claimed that the two accounts were only used for debugging,"

No, you only use them for debugging.

Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.

Re:Distinctions

Locking a couple of executives up for endangering national security might be the single best thing anyone could do to prevent this type of thing in the future.

Re:Distinctions

[jones_supa]

Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.

I was going to say the same. It possibly was not an intentional backdoor, but it can still be used as one. If it quacks like a duck and walks like a duck, it is a duck.

It is also quite facepalmy mistake. Some guy creates "Black Widow" and "Batman" accounts and this kind of stuff ends up to important government systems.

Re:Distinctions

No kidding! I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life. 10 yrs isn't enough, they need 20-30 minimum just to contemplate the shit storm they have created and maybe, just maybe be humbled by their arrogance and total disregard for human life.

These are the very bad people in the world. They have hurt or killed many more people than the vast majority of POOR people who are locked up in jail.

Why is it this country rarely disciplines the really bad people? Sure you go on a killing spree you're going to jail, but if you're poor and commit some minor crime or if you're just the wrong color in the wrong neighborhood, or you're just uneducated and you spend an inordinate amount of time behind bars for "rehabilitation". When it's the top people at Goldman Sachs, the Governor of Michigan, and the execs at many other companies who have committed crimes against humanity and the world who are the truly bad, evil people.

Re:Distinctions

[MrTester]

Yeah, there is absolutely no value in pointing out our failures as a society. We should just accept life as it is and move on.
White men with power will make certain that women and minorities will never get the vote!

Drivel indeed.

Re:Distinctions

[UnderCoverPenguin]

I have friends in MI - and, I actually read the news.

If you were paying attention, you would know that (a) Flint, MI is, and has been for several years, under the control of a series of emergency managers appointed by the current governor (now in his 6th year in office) of MI. And (b) the current and previous mayors of Flint attempted to raise the issue with those emergency managers and the state government, to no avail. Those mayors (and the city counsel) had no voice in the decisions that lead to the problem and were in fact among the people being lied to by the emergency managers and the state government.

The emails you mention are to/from the emergency managers and the state government. The participation by the mayors was to raise the problem and ask for help.

Re:Distinctions

[sumdumass]

No one was intentionally poisoned though. The water was/is completely safe to drink at the time of processing. The poison came from the aging water distribution system that didn't handle the different ph levels well.

Wanton means deliberate. No one deliberately set out to endanger anyone or participated in any action without regard to human life or health. Again, the water is perfectly acceptable at the point of treatment. It after it runs the pipes where that changed.

You also need a point of law that allows consecutive sentences. Otherwise they run concurrent and you would run into constitutional problems if it was all the sudden changed. And that is if there isn't any exceptions to enforcement for public officials (government ) in the course of their duties.

Re:Distinctions

[UnderCoverPenguin]

In this case, it's emergency managers that were appointed under a law that was repealed by a voter referendum, then re-enacted by attaching it as an addendum to a "must pass" appropriations bill (which also makes it immune to referendum). Basically, the governor and treasurer, acting together, took Flint's elected officials power away.

One might hope this illustrates danger of backdoor

[DutchUncle]

.... but somehow I doubt that the anti-encryption crowd will get the point. Instead they'll point out how they, as government, are a different category.

Renamed it to Batman

[Jason+Levine]

Everyone knows that you should always be yourself. Unless you can be Batman, then be Batman.

*backdoor account access granted, Batman*

Documentation of the presidency will be available?

[Bruce66423]

Let's hope that someone has been recording the output for posterity; to hear the real story of a presidency for the first time since Nixon would be great...

Governent and backdoors

I thought the government *wants* back doors in everything.

I'm confused now... Why would they have them removed?

Re:If they don't have anything to hide...

Nope, think of it like a Kwikset Smartkey deadbolt where you twist the faceplate, exposing a second lock cylinder.

This isn't a "debugging" tool.

I have personally seen "debug" access done properly:

1: The debug account is only accessible from a certain IP range.
2: The debug account is set to be inaccessible after a certain time.
3: The debug account uses a long passphrase.
4: The appliance website has an obvious note that the code is not for prime-time.
5: The debug account drops an entry into a log bucket.
6: When switching to a release build, the #ifdef macros ensure those accounts are never in the actual production software.

Basic common sense here. Any company can grok this, as it isn't any more complex than installing HID card readers on the office doors.

Re:Buried by lawsuits

[ArchieBunker]

The NSA probably "persuaded" them to install it. The NSA spied on congress and nothing happened. Nobody was fired or went to jail. Spying on the whitehouse isn't that far a stretch.

Re:If they don't have anything to hide...

[FatdogHaiku]

Don't think of it as a back door. Think of it as a front door with really big locks.

I'd rather it had great knockers:
https://www.youtube.com/watch?v=XTw1lzxTAis

Re:One might hope this illustrates danger of backd

[gstoddart]

No, because the people advocating for backdoors still magically think only they can use the backdoors, and don't understand the reality that a backdoor is open to anybody who knows about it.

Don't ever expect those people to understand how their wishes diverge from reality.

New method of preserving secrecy needed....

[Sqreater]

We could call it, perhaps, "The Cone of Silence."

Not Normally Connected

[Jack+Kolesar]

I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor. Of the two major competitors in commercial control (AMX and Crestron), AMX is usually considered the most secure. They put a high focus on security so that they can land these government jobs. Just to give you some background, Crestron controllers currently run embedded Windows and previously ran VxWorks. AMX controllers previously ran VxWorks and now run Embedded Linux. The AMX controllers have many levels of security including a DoD mode which shuts down most of the services (FTP, web, telnet and leaves SSH). Their proprietary communication between the panel and the controller (carried over port 1319 and registered) is also encrypted in secure mode (this generally carries button presses, text updates, levels, etc.). Sounds to me like the engineers didn't want to give up the backdoor account for service issues once it was discovered and likely didn't realize what a big mistake it was by the time it got passed down. I've met most of the people at AMX and they are very good guys and gals. It's an engineering driven company (not marketing driven). The Harman acquisition may change that to some extent but they are true geeks who I am sure realize they messed up. It's a small company (aside from the Harman parent) in a niche market. They will learn from this and move on.

Re:Not Normally Connected

[PPH]

isn't physically connected to the house network.

Stuxnet. Iranian centrifuges.

Re:Not Normally Connected

[Jack+Kolesar]

Well, it doesn't make me happy. But I don't know why a customer wouldn't trust ME. I've now got to make sure that if we have these systems are connected to the network at installed facilities that they get a firmware update. That's part of service. With the initial release of the NX series processors, they discovered a 50 day lockup bug. That was corrected in firmware as well. We had to update those processors affected. That's just part of service. When your vehicle has a recall do you send it to the heap and never go back to the same dealer? Do you turn off updates on your computer and just switch operating systems when a security flaw is found? You've asked an ignorant question AC.

Right...

[Locke2005]

As a software engineer, you have debug builds and production builds, and as a general rule you don't ship builds to customers with the debug features enabled... unless you're beta testing. The White House probably wouldn't be my first choice for a beta test site!

Re:So?

[Locke2005]

Reciprocal transparency, that's all I ask for!

Why they called it "Batman"....

[jtara]

Nah nah nah nah nah nah nah nah,
nah nah nah nah nah nah nah nah!

That's why. They're basically flipping them the bird.

BAT-MAN!

Re:Hillary Clinton

[KGIII]

That's 'cause Bill's a Back Door Man.