AMX has commented that they are currently “working on the solution internally†to an apparent security breach, in a statement addressing comments in the media from a security consultant.
An SEC consultant had spoken publically to the press about a “deliberately” hidden backdoor account located in AMX by Harman Professional Devices that could have potentially been compromised by hackers.
Whilst analysing the authentication procedure of one of AMX's central controller systems, AMX NX-1200, the consultant claimed to have found a function that adds an administrative account with hardcoded credentials to an internal user database that can be used to access SSH and its web interface.
The news later hit the mainstream via news sources including CNN due to AMX’s high profile client base.
AMX has stated that they were “not aware of any breaches” to devices, which “did not face serious risks due to the issues identified.” They also added that they were already aware of, and working on a solution to the problem, after discovering it during a routine security review.
AMX released the following statement:
“A number of stories have run today about an independent security firm’s identification of certain potential security vulnerabilities in AMX systems. Unfortunately, these stories are confusing, and we would like to clarify a number of the issues that have been discussed.
First, we want to clarify the risks and terms being discussed. “Black widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
The firmware update, NX v1.4.65 is applicable to products and systems incorporating the NetLinx NX Control platform and was released on Dec 22, 2015. This issue has been addressed in legacy NI series by Hotfix v. 4.1.419 and is available from AMX Technical Support.
In terms of the names, these were light hearted internal project names that our programmers used with no intended meaning.
We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates.”