Late last week both Ars Technica and CNN Money posted stories about a hidden “backdoor” that AMX built in one of its products. Both articles referenced security consultant SEC Consult.
The stories imply that two unregistered user names could allow nefarious hackers to gain access to the system at large. CNN’s story went so far as to say that the security hole would allow someone to “secretly tap into corporate meetings” alongside a picture of the President in the War Room.
Here’s the problem with these assessments: no, it won’t. First off, we are talking about a Netlinx NX-1200. For those unfamiliar with AMX product names, that is a control processor. Meaning, it’s the central hub of a wider control system. Yes, if you were on the network and knew of the backdoor you could then control whatever that control processor was controlling, as long as you also had access to the code or you wrote your own.
This brings us to number two. You have to be on the network. Unless the Netlinx controller was available to the outside world, and as someone who has worked in government installations let me assure you they are not, then you’d have to gain access to the overall network. This places the security of the system in the hands of network admins, not a control processor.
More on Network Security: How to Protect Yourself and Your Clients
The differences between the two logins that can supposedly be used to hack the system, named Black Widow and 1MB@tman, are as different as night and day. As laid out in AMX’s official statement, Black Widow was used for legacy diagnostics while Batman was used for intersystem communications. The changes were made with a firmware update.
That’s my biggest problem with this story. The firmware update is great and all. I applaud AMX for putting it out there. However, getting firmware updates into a normal corporate client can be problematic. For the government, get ready for some serious red tape and a six month waiting list. It is not an easy fix.
The other issue is the light this shines on AMX, and the industry at large. It looks as if we either don’t know what we’re doing in regards to security or we simply don’t care.
We do have a ways to go as far as security in AV. There are best practices such as login and passwords on processors and displays that need to be put into place. But these devices we work with on a daily basis are not some ticking time bomb of security threats just waiting to happen.
As your clients begin to hear about the story, take the opportunity to educate them on the facts and begin a dialogue about their security concerns and your strategies to help them. It’s an unfortunate story but a good opportunity to demonstrate your value to your client base.
