Adding Perspective to the AMX Backdoor Vulnerability - AvNetwork.com


This is a cautionary tale, and not just about security. It is also about the game of internet telephone and the line where caveat emptor meets caveat lector. Buyers must beware of security, and readers must also beware of consultants and mainstream tech journalists covering the AV industry. It is always important to understand the source. Start by reading the original blog post by SEC Consult for yourself. It is a strangely satirical take on something potentially serious for AMX and its many partners and stakeholders. Unfortunately, it does not matter whether any of this is accurate, sort of true, or a combination of good points and technical misunderstandings. The consumer tech press has now doubled down, riffing about things they do not know a lot about (or how to spell Harman). Many of the stories amplified a key mischaracterization in SEC Consult's security advisory. You can read the actual security advisory here.

Read the whole advisory. Note that the authors did not understand that the Black Widow diagnostics login, the source of the concern, was not actually replaced by the 1MB@tMaN (Batman) account, which served an entirely different purpose. Also note that the authors did not research what one could practically do once inside the NX-1200 diagnostic profile. Their research stopped at the point of accessing the profile and determining its permission levels, then extrapolated from there. As a side point, some press has found it suspicious that the Black Widow profile does not display when a list of valid user names is enumerated. Maybe that is sinister, but it is alternatively a pretty standard precaution for a diagnostics/maintenance account. Hiding an account from enumeration does not, of course, change what that account can reach once its credentials are known, which is why the unanswered question of what the profile could actually do matters more than whether it shows up in a list. Finally, read the AMX response.

AMX did release changes last month that dropped the legacy Black Widow profile (and with it the ability to do remote maintenance/diagnostics). That update was part of a larger package of security enhancements announced at InfoComm 2015, within the timeline in which SEC Consult says it was communicating with AMX about the Black Widow profile. SEC Consult says it has not had time to confirm that the fix addresses its particular concerns. Regardless, the "deliberately hidden backdoor" hyperbole is not a helpful characterization. We do know that the convenience of remote diagnostics, maintenance, and administration is one puzzle to solve in terms of security, factoring in devices, networks, and user compliance. We know there are problems in reconciling ease of use and security, and as an industry we must do better to modernize to IT security standards (which are themselves evolving). So the controversy serves a purpose, when kept in perspective. There were no reported breaches; indeed, no audio, video, or user data was accessible even through the identified account. But there was clearly an opportunity to improve security that AMX has taken and will take further, including through communication about best practices. One thing I will say—this incident has poked the bear that was sleeping right next to the elephant in the room. Security is serious business: part science and part emotion, and we are going to have to deal with both.

Cynthia Wisehart is the editor of Sound and Video Contractor.
