Adding Perspective to the AMX Backdoor Vulnerability

This is a cautionary tale, and not just about security. It’s also about the game of internet telephone and the line where caveat emptor meets caveat lector. Buyers must beware of security, and readers must also beware of consultants and mainstream tech journalists covering the AV industry. It is always important to understand the source. Start by reading the original blog post by SEC Consult for yourself. It is a strangely satirical take on something potentially serious for AMX and their many partners and stakeholders. Unfortunately, it doesn’t matter whether any of this is accurate, sort of true, or a combination of good points and technical misunderstandings. The consumer tech press has now doubled down, riffing about things they don’t know a lot about (including how to spell Harman). Many of the stories amplified a key mischaracterization in SEC Consult’s security advisory. You can read the actual security advisory here.

Read the whole advisory. Note that the authors didn’t understand that the Black Widow diagnostics login that was the source of the concern wasn't actually replaced with 1MB@tMaN (Batman), which served an entirely different purpose. Also note that the authors did not research what one could practically do once inside the NX-1200 diagnostic profile. Their research stopped at the point of accessing the profile and determining its permission levels, and then extrapolated from there. As a side point, some of the press has found it suspicious that the Black Widow profile does not display when a list of valid user names is enumerated—maybe that’s sinister, but it is alternatively a pretty standard precaution for a diagnostics/maintenance account. Finally, read the AMX response.

AMX did release changes last month that dropped the legacy Black Widow profile (and with it the ability to do remote maintenance/diagnostics). That update was part of a larger package of security enhancements announced at InfoComm 2015 (within the timeline in which SEC Consult says they were communicating with AMX about the Black Widow profile). SEC Consult says they have not had time to confirm that the fix addresses their particular concerns. Regardless, the “deliberately hidden backdoor” hyperbole is not a helpful characterization. We do know that the convenience of remote diagnostics, maintenance, and administration is one security puzzle still to solve, one that involves devices, networks, and user compliance. We know there are problems in reconciling ease of use and security—and as an industry we must do better to modernize to IT security standards (which are themselves evolving). So the controversy serves a purpose, when kept in perspective. There were no reported breaches; indeed, no audio, video, or user data was accessible even with the identified breach. But there was clearly an opportunity to improve security that AMX has taken and will take further, including through communication about best practices. One thing I will say—this incident has poked the bear that was sleeping right next to the elephant in the room. Security is serious business—part science and part emotion, and we’re going to have to deal with both.

Cynthia Wisehart is the editor of Sound and Video Contractor.