AMX, which supplies communications kit for the White House, US military, and several of the largest corporations, built a superhero-themed surveillance backdoor into its products.
It turns out the hidden code does exactly what it says: it sets up a concealed account with privileges not even granted to an administrator, including packet capture and sniffing as well as direct access to the network interface. This all-seeing account can be reached through the device's built-in web interface or over SSH, using a hardcoded password.
That's a major issue, particularly because the US President has been seen using AMX equipment to talk to his military advisers. AMX's gear is also used to run conference calls in which management teams discuss sensitive company information, and in lecture halls at American universities.
It's possible the "subtle" account was included for debugging purposes. In any case, if SEC Consult can find this backdoor, anyone with reverse-engineering skills can find it and exploit it.
Red marks the spot ... Potentially backdoored AMX gear being used by US President Obama (Source: SEC Consult)
It's obvious that whoever programmed the secret function is a bit of a superhero fan, since the hidden account was named Black Widow, aka Natalia "Natasha" Alianovna Romanova from the Marvel universe, who is played on screen by Scarlett Johansson.
In line with responsible disclosure, the SEC Consult researchers contacted AMX in early 2015 and told the company about the issue. After seven months, the Dallas-based firm updated its device firmware, but it left the "subtle" mode in place and merely changed the username needed to access it.
AMX's engineers abandoned the Marvel universe and switched to DC Comics (boo-hiss), changing the username from Black Widow to 1MB@tMaN (I'm Batman). Sadly, the Caped Crusader still gave full access to the surveillance capability built into the device.
Further examination by the SEC team found the flaw wasn't limited to the NX-1200 model but affected 30 other AMX products as well. AMX has now released another "fix" for its products' firmware. SEC is investigating whether the God account is still there, or whether AMX has really rid its equipment of the backdoor. The security researchers went public today with their findings to date.
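The point of the story for anyone who operates this kind of kit is that a vendor "fix" has to be checked, not trusted: diffing the strings of the old and new firmware images shows at once whether a privileged account was removed or merely renamed. The script below is an added example, not SEC Consult's tooling or AMX code. It runs on two constructed byte blobs that stand in for an old and a patched image; the account names are the ones reported above, but their exact on-device spelling, the passwd-style uid-0 entries and the surrounding strings are all assumptions made for the example.

```python
import re

MIN_LEN = 6

# Constructed stand-ins for an old and a patched firmware image (not real AMX
# firmware). The account names match those reported in the article; the exact
# on-device spelling, the uid-0 passwd entries and every other string here are
# assumed for the purposes of the example.
OLD_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00\x00"
    b"root:x:0:0:root:/root:/bin/sh\x00"
    b"BlackWidow:x:0:0:debug:/:/bin/sh\x00"
    b"/usr/sbin/tcpdump -i eth0\x00"
    b"Dropbear sshd\x00\x01\x02\xff"
)
NEW_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00\x00"
    b"root:x:0:0:root:/root:/bin/sh\x00"
    b"1MB@tMaN:x:0:0:debug:/:/bin/sh\x00"
    b"/usr/sbin/tcpdump -i eth0\x00"
    b"Dropbear sshd\x00\x01\x02\xff"
)

# Runs of printable ASCII, the same thing `strings -n 6` reports.
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# name:password:uid:gid:... as found in /etc/passwd on embedded Linux.
PASSWD_LINE = re.compile(r"^([^:\s]+):[^:]*:(\d+):(\d+):")


def extract_strings(blob):
    """Return the set of printable strings of at least MIN_LEN bytes in blob."""
    return {m.group(0).decode("ascii") for m in PRINTABLE.finditer(blob)}


def privileged_accounts(strings):
    """Account names from passwd-style lines whose uid is 0 (root-equivalent)."""
    found = set()
    for s in strings:
        m = PASSWD_LINE.match(s)
        if m and m.group(2) == "0":
            found.add(m.group(1))
    return found


def diff_firmware(old, new):
    """Compare two images and report what changed, focusing on uid-0 accounts."""
    old_s, new_s = extract_strings(old), extract_strings(new)
    old_acc, new_acc = privileged_accounts(old_s), privileged_accounts(new_s)
    return {
        "removed_strings": sorted(old_s - new_s),
        "added_strings": sorted(new_s - old_s),
        "removed_uid0": sorted(old_acc - new_acc),
        "added_uid0": sorted(new_acc - old_acc),
        # The sniffing capability is still shipped if the tool string survives.
        "sniffing_tools_present": any("tcpdump" in s for s in new_s),
    }


def fix_is_a_rename(report):
    """A patch that drops one uid-0 account and adds another has renamed it, not removed it."""
    return bool(report["removed_uid0"]) and bool(report["added_uid0"])


if __name__ == "__main__":
    report = diff_firmware(OLD_FIRMWARE, NEW_FIRMWARE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("fix is only a rename:", fix_is_a_rename(report))
```

On a real device you would first unpack the image (it is usually compressed or wrapped in a vendor container) and run the comparison over the extracted root filesystem rather than the raw download; the logic is the same. A string-level diff cannot prove the backdoor is gone, since the account could be created at runtime rather than shipped in a passwd file, but it is cheap, needs no access to the device, and catches exactly the rename-only "fix" described here.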
AMX had not responded to requests for comment at the time of publication. ®