
Backdoor Account Found On Devices Used By White House, US Military (sec-consult.com) 166

An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman thinking nobody will notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.

  • by BoRegardless ( 721219 ) on Thursday January 21, 2016 @02:19PM (#51345101)

    That way they can monitor EVERYTHING, everywhere, including subversives in the White House that might foil FBI, NSA & CIA operations.

  • Front door (Score:5, Funny)

    by awkScooby ( 741257 ) on Thursday January 21, 2016 @02:20PM (#51345109)
    Nothing to see here. This was a "front door," not a "back door."
    • by ebvwfbw ( 864834 )

      Nothing to see here. This was a "front door," not a "back door."

      It's ok. We put a password on the account. We're not stupid, it's not Password. Ours is far more secure. It's qwerty. Just a bunch of random characters.

      Joke is probably on me, watch someone use that as an excuse sometime.

  • Distinctions (Score:5, Insightful)

    by Bovius ( 1243040 ) on Thursday January 21, 2016 @02:22PM (#51345123)
    "AMX claimed that the two accounts were only used for debugging,"

    No, you only use them for debugging.

    Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.
    • Re:Distinctions (Score:5, Insightful)

      by Anonymous Coward on Thursday January 21, 2016 @02:27PM (#51345165)
      Locking a couple of executives up for endangering national security might be the single best thing anyone could do to prevent this type of thing in the future.
      • Locking a couple of executives up for endangering national security might be the single best thing anyone could do to prevent this type of thing in the future.

        Mod parent up!

      • by Anonymous Coward

        No kidding! I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life. 10 yrs isn't enough, they need 20-30 minimum just to contemplate the shit storm they have created and maybe, just maybe be humbled by their arrogance and total disregard for human life.

        These are the very bad people in the world. They have hurt or killed many more people than the vast majority of POOR peopl

        • I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life.

          (Speaking of "distinctions"...)

          Why should somebody in the STATE government be locked up? Isn't the Flint debacle solely the result of actions by, and solely the responsibility of, the CITY government?

          (Honest question here. I haven't been following it, and am curious as to why a city water screwup is being reported as the f

          • Re: (Score:2, Interesting)

            by Locke2005 ( 849178 )
            They have emails proving the mayor knew about problems with the water a year ago, yet continued to insist that it was safe. That's criminal indifference in my book.
            • They have emails proving the mayor knew about problems with the water a year ago, yet continued to insist that it was safe.

              Still sounds like CITY, not a STATE, problem so people at the CITY level should be prosecuted, not people at the STATE level.

            • Re:Distinctions (Score:5, Informative)

              by UnderCoverPenguin ( 1001627 ) on Thursday January 21, 2016 @04:28PM (#51346161)

              I have friends in MI - and, I actually read the news.

              If you were paying attention, you would know that (a) Flint, MI is, and has been for several years, under the control of a series of emergency managers appointed by the current governor (now in his 6th year in office) of MI. And (b) the current and previous mayors of Flint attempted to raise the issue with those emergency managers and the state government, to no avail. Those mayors (and the city council) had no voice in the decisions that led to the problem and were in fact among the people being lied to by the emergency managers and the state government.

              The emails you mention are to/from the emergency managers and the state government. The participation by the mayors was to raise the problem and ask for help.

              • by amiga3D ( 567632 )

                Funny how the elected representatives of the city's citizens have no real power. I've never been a fan of city managers unless the mayor has the power to fire them.

                • In this case, it's emergency managers that were appointed under a law that was repealed by a voter referendum, then re-enacted by attaching it as an addendum to a "must pass" appropriations bill (which also makes it immune to referendum). Basically, the governor and treasurer, acting together, took Flint's elected officials' power away.

                  • by amiga3D ( 567632 )

                    I think if I was a citizen of Michigan I'd be pretty pissed. It appears to me someone or several someones should be going to jail. It appears that the people of Flint were knowingly poisoned. If true that is so horrible that to fail to imprison those responsible would be a travesty.

                    • by raind ( 174356 )
                      Oh there's plenty of pissed off people in Michigan, I am pretty sure it's why Gov. Snyder (who sounds like Kermit the Frog) rarely shows up in Detroit much less Flint environs. For some decidedly real news views I would peruse:

                      http://motorcitymuckraker.com/

                      If I were Rick I would be a little paranoid that someone might you know - just blow him away.

                      In fact I am even more pissed that NO ONE will go to jail but they still collect when they pass go. Of course this goes for Wall Street, the Banksters, Cheney/Bus
          • Re: (Score:1, Insightful)

            by DarkOx ( 621550 )

            Why should somebody in the STATE government be locked up?

            Because the liberal biased media, Obama, and the Clinton campaign want to blame those nasty Republicans in the state house for poisoning Flint's poor black population. That is pretty much the reason. Yes the water pipe corrosion happened because the emergency manager, a state official, made decisions to use a chemically different water source, to save money. That person did this without understanding the potential consequences.

            Quite honestly this is a clear argument for the IMPORTANCE of HOME RULE, when yo

        • Lying about a known danger for a year is clearly a case of reckless endangerment, not sure if this should be a civil or criminal matter, but the mayor of Flint should definitely be spending a LOT of time in a court!
          • by HiThere ( 15173 )

            Not the mayor, the manager...who was appointed by the state governor, and ignored all warnings that this was endangering people.

            I believe that there is sufficient evidence that both the appointed manager and the state governor should be put in prison for wanton endangerment and intentional poisoning. I'm not quite sure what the legal terms for that are, since you probably couldn't prove any intent to harm, just a decision to not care about the harm.

        • Why does this country rarely discipline the really bad people? Watch _The Big Short_ and get back to me about that one...
        • Probably because it is easier to find an actual violation of the law with poor people. For instance, what law was violated in Flint, Michigan? What law would have been violated in the backdoor thing? I understand the premise of the issues but under what law could they be prosecuted?

          We don't want to start creating laws after the fact and trying to prosecute under them. Despite it being unconstitutional, it would surely come back to bite you and me or any one else they have issues with.

      • You must work for a pretty small company if you are used to executives being involved in programming. Heck, most probably have no idea what a backdoor account is.

      • Sounds like treason to me... that's usually good for some really long jail time!
        • by HiThere ( 15173 )

          Sorry, treason is rather specifically defined by the Constitution, and this doesn't fit the definition. I'm sure there are lots of other things that could fit it rather easily, though.

          • Having armed FBI agents backed up by a platoon of special forces visit the main office and interrogate the senior management would discourage repetition.
      • The only thing the government is interested in preventing is the backdoors being so blatantly obvious and not in their hands.
    • Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.

      I was going to say the same. It possibly was not an intentional backdoor, but it can still be used as one. If it quacks like a duck and walks like a duck, it is a duck.

      It is also quite a facepalmy mistake. Some guy creates "Black Widow" and "Batman" accounts and this kind of stuff ends up in important government systems.

    • It is a typo, Juan their marketing rep. meant to type de bugging.
    • by rtb61 ( 674572 )

      The better question is, well, if they were only used for debugging and you obviously were fully aware of their purpose and functionality, 'er', why the fuck were they not removed from production units. Why the hell would you need a debugging account in something you were never ever going to debug? The only sane logical answer, it was left in on purpose just because power trip by the morons at the top and billions to be made on insider trading. Hacks on top of hacks on top of hacks, insider trading feeding b

  • by DutchUncle ( 826473 ) on Thursday January 21, 2016 @02:24PM (#51345129)
    .... but somehow I doubt that the anti-encryption crowd will get the point. Instead they'll point out how they, as government, are a different category.
  • by Jason Levine ( 196982 ) on Thursday January 21, 2016 @02:24PM (#51345137)

    Everyone knows that you should always be yourself. Unless you can be Batman, then be Batman.

    *backdoor account access granted, Batman*

  • by Bruce66423 ( 1678196 ) on Thursday January 21, 2016 @02:26PM (#51345145)
    Let's hope that someone has been recording the output for posterity; to hear the real story of a presidency for the first time since Nixon would be great...
  • by Anonymous Coward on Thursday January 21, 2016 @02:27PM (#51345173)

    I thought the government *wants* back doors in everything.

    I'm confused now... Why would they have them removed?

  • It was my understanding that the US Government was in favor of putting security back-doors in everything? Are they just mad cuz it wasn't their backdoor?

  • Hopefully, AMX will be buried by thousands of incoming lawsuits for this childish behavior. The article never mentions what this backdoor would actually let someone with access to it do, but I'm assuming that the possibility existed for someone to use that backdoor to obtain classified or proprietary information. That they tried to hide the backdoor once it was discovered rather than immediately patching it out is just another piece of evidence usable by anyone wishing to sue them. I can foresee a large-sca

    • by ArchieBunker ( 132337 ) on Thursday January 21, 2016 @02:35PM (#51345233) Homepage

      The NSA probably "persuaded" them to install it. The NSA spied on congress and nothing happened. Nobody was fired or went to jail. Spying on the whitehouse isn't that far a stretch.

      • The NSA spies on everyone. They operate pretty much independently of the executive and legislative branches. Their leaders though technically serve the president they are often independent in the sense that the occupant tends to survive presidential replacement and their leadership comes from the military. For some reason the political leadership tends to view them as an extension of the military and thus "above politics".

        The fact that neither the legislature or president are bothered by the NSA spying on t

    • They'll probably be given government grants to try and do better next time.
  • Don't hook up critical resources where sensitive information is discussed to the internet! Or the phone, or any other network with clear-text external connections.

    • SIPRNET is on the Intertubes, not a separate set of tubes...

    • by AHuxley ( 892839 )
      The pretty colors and glow displayed to the leaders are worth billions in funding.
      Why did this happen?
      Look at the sales teams, sorry "advisory boards" that sell and watch over what the US needs, to use or buy or offer a no bid contract for decades of networks.
      The very few with any real counterintelligence, counterespionage or force protection analysis just seem to want to buy into the same systems they always used from the same teams they knew people in gov can to buy into... surrounded by many people wh
  • You go from Marvel to DC and expect that to save you?
    Should have gone something better maybe FatFreddy, CheechWizard or BettyVeronica.
  • Did the submitter even read the article?
    The new account was not named "Batman". It was named "1MB@tMaN".

  • The government should really make this stuff in house.
    • Good luck with that. These systems are a platform for a very niche industry. They are programmed by very niche programmers in this industry. As a programmer of AMX and Crestron and Extron, it's a small market even when you include the fact that these are used in schools, corporate campuses, and government. If the government engineered their own, and made their own platform, they would still need to have a big enough market to attract programmers to learn and implement these things.
  • by Anonymous Coward

    In the photos from a conference room during the Bin Laden raid, you can clearly see some AMX equipment on the table. Scary to think that a backdoor was present in their conferencing system when a sensitive operation was taking place.

    Someone with backdoor access could have seriously fucked up the whole operation.

    • The most someone would have been able to do is "maybe" hang up a call or something. While this might have been an inconvenience, it's not like the people on the ground need the white house watching them to complete their mission. The higher ups that were watching live might have been upset only because they got disconnected on their ring-side seat to their "reality tv show".
  • by Sqreater ( 895148 ) on Thursday January 21, 2016 @03:11PM (#51345541)
    We could call it, perhaps, "The Cone of Silence."
    • Re: (Score:1, Funny)

      by Anonymous Coward

      We could call it, perhaps, "The Cone of Silence."

      What?

    • by AHuxley ( 892839 )
      A contractor could rediscover selling the US gov on handing out a limited number of one page executive summary papers and build a walk-in vault.
      Patent the ability to type page one of one for each person attending. Ensure only one copy is handed out to each person and then collected at the end of the meeting.
      That's going to be one very expensive typewriter. Think of the contract for a new linotype machine :)
  • Enough said. Though I doubt this will convince anyone in politics that encryption backdoors are a bad idea, period.

  • by Jack Kolesar ( 532605 ) on Thursday January 21, 2016 @03:15PM (#51345565) Homepage
    I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor. Of the two major competitors in commercial control (AMX and Crestron), AMX is usually considered the most secure. They put a high focus on security so that they can land these government jobs. Just to give you some background, Crestron controllers currently run embedded Windows and previously ran VxWorks. AMX controllers previously ran VxWorks and now run Embedded Linux. The AMX controllers have many levels of security including a DoD mode which shuts down most of the services (FTP, web, telnet and leaves SSH). Their proprietary communication between the panel and the controller (carried over port 1319 and registered) is also encrypted in secure mode (this generally carries button presses, text updates, levels, etc.). Sounds to me like the engineers didn't want to give up the backdoor account for service issues once it was discovered and likely didn't realize what a big mistake it was by the time it got passed down. I've met most of the people at AMX and they are very good guys and gals. It's an engineering driven company (not marketing driven). The Harman acquisition may change that to some extent but they are true geeks who I am sure realize they messed up. It's a small company (aside from the Harman parent) in a niche market. They will learn from this and move on.
    • by PPH ( 736903 ) on Thursday January 21, 2016 @03:39PM (#51345749)

      isn't physically connected to the house network.

      Stuxnet. Iranian centrifuges.

    • by mtmra70 ( 964928 )

      I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network.

      Maybe in government, somewhat in education (by VLAN only), pretty much never in corporate.

      • OK. I'll give that to you. It's a valid point. You certainly see much more use of Fusion and RMS (Management Tools) in the Corporate environment. Again, I wasn't trying to defend the action as much as defend the company. I do like their products and the team. It's a security hole. I should have chosen a better title for my post.
    • Jack Kolesar: "I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network. But that is no excuse for leaving a backdoor." ref [slashdot.org]

      They didn't just leave a backdoor, they wilfully inserted one under instruction of the US spying apparatus. I do know that people are going to be very reluctant to use the product in the future.
      • If they were "made" to put one in by , then that means that Crestron would have them too. Crestron has higher market share in all the same places AMX does as they are competitors.
    • I am also an AMX programmer (see my username), and I program Crestron as well (main competitor). While this is all new news to me as well, I can concur with the OP on several topics.

      Firstly: AMX doesn't make hardware dedicated to government use. It's used in lots of places, schools, homes, businesses, churches, government facilities and the like. The headline makes it sound like it's a defense contractor that did this. No excuse here, though, as a backdoor on anyone's network is not good, but it'
  • I'll bet it went something like this:

    Oh shit, someone managed to infiltrate us and install covert backdoor accounts in our products? What'll we do, the Government and Military will have a shit fit over this, we'll get all our contracts cancelled! We'll be ruined!

    Calm down Fred, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!"

    ..Yeah, you're right, Steve, no need to spook them, not like they're smart enough to know better, right? Guess my Porsche payment will be on time this month after all!

    • by PPH ( 736903 )

      Calm down Zhang, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!"

      FTFY

  • "Wha, yeah!, c'mon, yeah, yeah, c'mon, yeah I'm a back door man, I'm a back door man The men don't know, but the little girl understand"
  • by Locke2005 ( 849178 ) on Thursday January 21, 2016 @03:57PM (#51345909)
    As a software engineer, you have debug builds and production builds, and as a general rule you don't ship builds to customers with the debug features enabled... unless you're beta testing. The White House probably wouldn't be my first choice for a beta test site!
  • Arrest the corporate officers in charge of AMX for treason and put them in jail for 20 years. Then watch how quickly the rules for shipping software with "debug features" enabled change...
  • I think no matter what political side you're on. We should be appalled at Hillary Clinton's unprofessional use of a home server for her email. Now that we know some of that was highly classified material, it becomes a national security problem that is worse by far than what General Petraeus did. Maybe some are so relating to her as poor old grandma who did not know better, or some incredible addition to her that you would overlook her being a murderer if you had to. But this is a national security mess and i

  • Under the "Do unto others as you would have them do unto you." rule. The government does it, so....

  • by jtara ( 133429 ) on Thursday January 21, 2016 @05:31PM (#51346597)

    Nah nah nah nah nah nah nah nah,
    nah nah nah nah nah nah nah nah!

    That's why. They're basically flipping them the bird.

    BAT-MAN!

  • These kind of backdoors have been around for a very long time. Remember "AWARD_SW", or "AMIBIOS"? Those passwords have opened so many BIOSes back in the day. It was helpful, until everybody started circulating lists. The manufacturers changed default passwords, but took a while for them to give up on those passwords entirely.

    They help "lazy" operators and sysadmins, but they also help hackers as well.

  • Why does the US Government want these backdoors removed? I thought they loved backdoors and wanted them installed on EVERYTHING? I mean, only good guys can use the backdoors, right? So what's the big deal?

    this post has been brought to you by Sarcasm
