CNN Money, in its report, went so far as to show a photo of President Obama sitting in a tense meeting with an ominous AMX device highlighted in red at the center of the conference table.
Today, AMX issued a statement to address the reports:
A number of stories have run today about an independent security firm’s identification of certain potential security vulnerabilities in AMX systems. Unfortunately, these stories are confusing, and we would like to clarify a number of the issues that have been discussed.
First, we want to clarify the risks and terms being discussed. “Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
The firmware update, NX v1.4.65 is applicable to products and systems incorporating the NetLinx NX Control platform and was released on Dec 22, 2015. It is available on AMX.com. More information on this release can be found athttp://www.amx.com/techcenter/NXSecurityBrief/Default.asp. This issue has been addressed in legacy NI series by Hotfix v. 4.1.419 and is available from AMX Technical Support.
In terms of the names, these were light hearted internal project names that our programmers used with no intended meaning.
We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates.
Was there ever any potential significant threat?
There are multiple layers of security in these systems and we did not see serious risks due to the issues we identified. In addition, we are not aware of any breaches.
Did this consultant reveal the issue?
While we appreciate the interest of the security consultant that posted the story, AMX had already identified the issues through our routine security review and had been working on the solution internally.