Backdoor Account Found On Devices Used By White House, US Military (sec-consult.com)
An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman, thinking nobody would notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.
That way they can monitor EVERYTHING, everywhere, including subversives in the White House that might foil FBI, NSA & CIA operations.
Nothing to see here. This was a "front door," not a "back door."
"AMX claimed that the two accounts were only used for debugging,"
No, you only use them for debugging.
Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.
.... but somehow I doubt that the anti-encryption crowd will get the point. Instead they'll point out how they, as government, are a different category.
I thought the government *wants* back doors in everything.
I'm confused now... Why would they have them removed?
Nope, think of it like a Kwikset Smartkey deadbolt where you twist the faceplate, exposing a second lock cylinder.
This isn't a "debugging" tool.
I have personally seen "debug" access done properly:
1: The debug account is only accessible from a certain IP range.
2: The debug account is set to be inaccessible after a certain time.
3: The debug account uses a long passphrase.
4: The appliance website has an obvious note that the code is not for prime-time.
5: The debug account drops an entry into a log bucket.
6: When switching to a release build, the #ifdef macros ensure those accounts are never in the actual production software.
Basic common sense here. Any company can grok this, as it isn't any more complex than installing HID card readers on the office doors.
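An added example, not code from the commenter or from AMX, of what points 1, 2, 3, 5 and 6 above look like in firmware C: the account exists only when DEBUG_BUILD is defined, and even then it is restricted to a source range, expires on a fixed date, requires a long passphrase compared in constant time, and logs every attempt. DEBUG_BUILD, DEBUG_PASSPHRASE, the 10.10.0.0/16 range and the expiry date are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Define at build time (-DDEBUG_BUILD) for engineering images only; it is
 * defined here so the example exercises the checks. Without it, the whole
 * account is compiled out and the release binary contains no such path. */
#define DEBUG_BUILD
#ifndef DEBUG_PASSPHRASE   /* injected per debug image by the build system */
#define DEBUG_PASSPHRASE "constructed-sample-passphrase-for-the-example-only"
#endif

#define DEBUG_ALLOWED_NET   0x0A0A0000u  /* 10.10.0.0/16, a constructed lab range */
#define DEBUG_ALLOWED_MASK  0xFFFF0000u
#define DEBUG_EXPIRES_AT    1456790400L  /* 2016-03-01 00:00 UTC, constructed */
#define DEBUG_MIN_PASS_LEN  32

static unsigned audit_events;   /* stands in for the log bucket */
unsigned debug_audit_count(void) { return audit_events; }

static void audit(const char *outcome, uint32_t ip) {
    audit_events++;
    fprintf(stderr, "debug-account %s from %u.%u.%u.%u\n", outcome,
            (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255u),
            (unsigned)((ip >> 8) & 255u), (unsigned)(ip & 255u));
}

/* Constant-time comparison so a wrong passphrase leaks no timing information. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Returns 1 only when every condition from the list holds; 0 otherwise. */
int debug_login(uint32_t src_ip, const char *pass, time_t now) {
#ifndef DEBUG_BUILD
    (void)pass; (void)now;
    audit("refused: no debug account in release build", src_ip);
    return 0;
#else
    const char *reason = NULL;
    size_t want = strlen(DEBUG_PASSPHRASE), got = strlen(pass);
    if ((src_ip & DEBUG_ALLOWED_MASK) != DEBUG_ALLOWED_NET) reason = "refused: source outside allowed range";
    else if (now >= DEBUG_EXPIRES_AT) reason = "refused: account expired";
    else if (want < DEBUG_MIN_PASS_LEN || got != want || !ct_equal(pass, DEBUG_PASSPHRASE, want))
        reason = "refused: bad passphrase";
    audit(reason ? reason : "granted", src_ip);
    return reason == NULL;
#endif
}
```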
The NSA probably "persuaded" them to install it. The NSA spied on Congress and nothing happened. Nobody was fired or went to jail. Spying on the White House isn't that far a stretch.
Only the State obtains its revenue by coercion. - Murray Rothbard
No, because the people advocating for backdoors still magically think only they can use the backdoors, and don't understand the reality that a backdoor is open to anybody who knows about it.
Don't ever expect those people to understand how their wishes diverge from reality.
Lost at C:>. Found at C.
We could call it, perhaps, "The Cone of Silence."
E Proelio Veritas.
I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor. Of the two major competitors in commercial control (AMX and Crestron), AMX is usually considered the more secure. They put a high focus on security so that they can land these government jobs. Just to give you some background, Crestron controllers currently run embedded Windows and previously ran VxWorks. AMX controllers previously ran VxWorks and now run Embedded Linux. The AMX controllers have many levels of security, including a DoD mode which shuts down most of the services (FTP, web, telnet) and leaves SSH. Their proprietary communication between the panel and the controller (carried over port 1319 and registered) is also encrypted in secure mode (this generally carries button presses, text updates, levels, etc.). Sounds to me like the engineers didn't want to give up the backdoor account for service issues once it was discovered and likely didn't realize what a big mistake it was by the time it got passed down. I've met most of the people at AMX and they are very good guys and gals. It's an engineering-driven company (not marketing-driven). The Harman acquisition may change that to some extent, but they are true geeks who I am sure realize they messed up. It's a small company (aside from the Harman parent) in a niche market. They will learn from this and move on.