Backdoor Account Found On Devices Used By White House, US Military (sec-consult.com)
An anonymous reader writes: A hidden backdoor account was discovered embedded in the firmware of devices deployed at the White House and in various US Military strategic centers, more precisely in AMX conference room equipment. The first account was named Black Widow, and after security researchers reported its presence to AMX, the company's employees simply renamed it to Batman thinking nobody will notice. AMX did remove the backdoor after three months. In its firmware's official release notes, AMX claimed that the two accounts were only used for debugging, just like Fortinet claimed that its FortiOS SSH backdoor was used only internally by a management protocol.
Just What the Government Wants - Backdoors (Score:5, Insightful)
That way they can monitor EVERYTHING, everywhere, including subversives in the White House that might foil FBI, NSA & CIA operations.
Re: Just What the Government Wants - Backdoors (Score:5, Funny)
Who monitors the monitors? Do the backdoors have little backdoors in them? Is it backdoors all the way down? Backdoorception?
Re: (Score:3)
whoops, accidental downmod (meant to make 'funny') so posting reply to undo
Dog door in the back door. Seriously MD5 backdoor (Score:2)
> Do the backdoors have little backdoors in them?
A little door inside that back door? I suppose that would be a dog door.
But seriously, yes they do and that's the big concern. I've seen backdoors where the password was protected by unsalted MD5 hashing, which may have been reasonably secure when the code was written in 1996. Now, that can be cracked in less than 10 seconds, so I can access those backdoors. You could say the bad guys do indeed have a back door into the backdoor.
Re: (Score:1)
I thought it was turtles all the way down...
Re: Just What the Government Wants - Backdoors (Score:5, Insightful)
No, it would be backdoors all the way back.
It's trapdoors all the way down.
Re: (Score:2)
Re: Just What the Government Wants - Backdoors (Score:5, Funny)
Re: Just What the Government Wants - Backdoors (Score:1)
Re: (Score:2)
They're eating their own dog food.
I'd like to ask some of the presidential candidates what they think about backdoors now. There's another Republican debate coming up. This needs to be brought to the attention of the moderators along with any press that happens to be interviewing HRC and Sanders.
Front door (Score:5, Funny)
Re: (Score:2)
Nothing to see here. This was a "front door," not a "back door."
It's ok. We put a password on the account. We're not stupid, it's not Password. Ours is far more secure. It's qwerty. Just a bunch of random characters.
Joke is probably on me, watch someone use that as an excuse sometime.
Distinctions (Score:5, Insightful)
No, you only use them for debugging.
Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.
Re:Distinctions (Score:5, Insightful)
Re: (Score:2)
Locking a couple of executives up for endangering national security might be the single best thing anyone could do to prevent this type of thing in the future.
Mod parent up!
Re: (Score:2)
No kidding! I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life. 10 yrs isn't enough, they need 20-30 minimum just to contemplate the shit storm they have created and maybe, just maybe be humbled by their arrogance and total disregard for human life.
These are the very bad people in the world. They have hurt or killed many more people than the vast majority of POOR peopl
Re: (Score:2)
> I was thinking the same thing in regards to the Flint Michigan disaster. This isn't a natural disaster by any means. Someone in the state government should be tossed in jail, for 30-life.
(Speaking of "distinctions"...)
Why should somebody in the STATE government be locked up? Isn't the Flint debacle solely the result of actions by, and solely the responsibility of, the CITY government?
(Honest question here. I haven't been following it, and am curious as to why a city water screwup is being reported as the f
Re: (Score:2, Interesting)
Re: (Score:2)
They have emails proving the mayor knew about problems with the water a year ago, yet continued to insist that it was safe.
Still sounds like CITY, not a STATE, problem so people at the CITY level should be prosecuted, not people at the STATE level.
Re:Distinctions (Score:5, Informative)
I have friends in MI - and, I actually read the news.
If you were paying attention, you would know that (a) Flint, MI is, and has been for several years, under the control of a series of emergency managers appointed by the current governor (now in his 6th year in office) of MI. And (b) the current and previous mayors of Flint attempted to raise the issue with those emergency managers and the state government, to no avail. Those mayors (and the city council) had no voice in the decisions that led to the problem and were in fact among the people being lied to by the emergency managers and the state government.
The emails you mention are to/from the emergency managers and the state government. The participation by the mayors was to raise the problem and ask for help.
Re: (Score:2)
Funny how the elected representatives of the city's citizens have no real power. I've never been a fan of city managers unless the mayor has the power to fire them.
Re: (Score:3)
In this case, it's emergency managers that were appointed under a law that was repealed by a voter referendum, then re-enacted by attaching it as an addendum to a "must pass" appropriations bill (which also makes it immune to referendum). Basically, the governor and treasurer, acting together, took Flint's elected officials' power away.
Re: (Score:2)
I think if I was a citizen of Michigan I'd be pretty pissed. It appears to me someone or several someones should be going to jail. It appears that the people of Flint were knowingly poisoned. If true that is so horrible that to fail to imprison those responsible would be a travesty.
Re: (Score:2)
http://motorcitymuckraker.com/
If I were Rick I would be a little paranoid that someone might you know - just blow him away.
In fact I am even more pissed that NO ONE will go to jail but they still collect when they pass go. Of course this goes for Wall Street, the Banksters, Cheney/Bus
Re: (Score:1, Insightful)
> Why should somebody in the STATE government be locked up?
Because the liberal biased media, Obama, and the Clinton campaign want to blame those nasty Republicans in the state house for poisoning Flint's poor black population. That is pretty much the reason. Yes, the water pipe corrosion happened because the emergency manager, a state official, made decisions to use a chemically different water source, to save money. That person did this without understanding the potential consequences.
Quite honestly this is clear argument for the IMPORTANCE of HOME RULE, when yo
Re: (Score:2)
Re: (Score:2)
Not the mayor, the manager...who was appointed by the state governor, and ignored all warnings that this was endangering people.
I believe that there is sufficient evidence that both the appointed manager and the state governor should be put in prison for wanton endangerment and intentional poisoning. I'm not quite sure what the legal terms for that are, since you probably couldn't prove any intent to harm, just a decision to not care about the harm.
Re: (Score:2)
Re: (Score:2)
Probably because it is easier to find an actual violation of the law with poor people. For instance, what law was violated in Flint, Michigan? What law would have been violated in the backdoor thing? I understand the premise of the issues but under what law could they be prosecuted?
We don't want to start creating laws after the fact and trying to prosecute under them. Despite it being unconstitutional, it would surely come back to bite you and me or any one else they have issues with.
Re: (Score:2)
You can't show malice, but you can show indifference. And I believe it's a crime to intentionally poison people even if it doesn't kill them. (Of course, I could be wrong.)
I'd say wanton endangerment is certainly applicable, and I'm not sure that assault wouldn't apply. But possibly 100,000 (or whatever the number is) of cases of wanton endangerment with the sentences applied consecutively would suffice.
Re: (Score:3)
No one was intentionally poisoned though. The water was/is completely safe to drink at the time of processing. The poison came from the aging water distribution system that didn't handle the different pH levels well.
Wanton means deliberate. No one deliberately set out to endanger anyone or participated in any action without regard to human life or health. Again, the water is perfectly acceptable at the point of treatment. It's after it runs the pipes where that changed.
You also need a point of law that allows
Re: (Score:2)
Sorry, but though the water was acceptable at the place of treatment, the manager had been informed that it would result in poisonous levels of lead leaching into the water before it reached the users.
IIUC, it is always a judicial decision as to whether sentences should run consecutively or concurrently. I know that there have been cases in the past where different judges have decided differently, though I admit not knowing on what grounds.
Re: (Score:2)
Well, I just checked and near as I can tell, the state knew about children under 16 having elevated lead but not in the water. The state continued to deny it was a crisis for a few weeks later until some pediatrician made a claim directly about the water. The EPA had someone bring a notice about lead levels up internally but didn't act right away.
If you have evidence otherwise, please post it.
Re: (Score:2)
You must work for a pretty small company if you are used to executives being involved in programming. Heck, most probably have no idea what a backdoor account is.
Re: (Score:2)
Re: (Score:2)
Sorry, treason is rather specifically defined by the Constitution, and this doesn't fit the definition. I'm sure there are lots of other things that could fit it rather easily, though.
Re: (Score:2)
Re: (Score:2)
Re:Distinctions (Score:4, Insightful)
White men with power will make certain that women and minorities will never get the vote!
Drivel indeed.
Re: (Score:2)
A few blog posts about how that isn't how things "should" work will change nothing. Wealth is power, and power includes the power to separate one's self from the consequences of one's actions. This is a non-negotiable fact of how humans do things, and will remain so into the foreseeable future.
Bernie 2016
Re: (Score:1)
I am worth a very, very nice median 9 digit number - or close enough, counting assets that would be difficult to liquidate. I've not only spent a weekend in jail, I've paid my pot taxes (fines) more times than I can count.
However, I own a whole stable full of automobiles. I never, ever get stopped (no matter how fast I'm going) in some of those cars. That could be preferential treatment or it could be that I live in an area with a beautiful highway that sees almost no traffic but is kept in good repair for
Re: (Score:3)
> Even if we choose to trust that you're not using these accounts for nefarious purposes (which we shouldn't), that's not the point. The point is that they exist at all, and just because you created them doesn't mean someone else cannot use them.
I was going to say the same. It possibly was not an intentional backdoor, but it can still be used as one. If it quacks like a duck and walks like a duck, it is a duck.
It is also quite a facepalmy mistake. Some guy creates "Black Widow" and "Batman" accounts and this kind of stuff ends up in important government systems.
Re: (Score:2)
Re: (Score:2)
The better question is, well, if they were only used for debugging and you obviously were fully aware of their purpose and functionality, 'er', why the fuck were they not removed from production units. Why the hell would you need a debugging account in something you were never ever going to debug? The only sane logical answer, it was left in on purpose just because power trip by the morons at the top and billions to be made on insider trading. Hacks on top of hacks on top of hacks, insider trading feeding b
Re: (Score:1)
Think about it for more than 2 seconds.
Re: (Score:2)
That's 'cause Bill's a Back Door Man.
One might hope this illustrates danger of backdoor (Score:5, Insightful)
Re:One might hope this illustrates danger of backd (Score:4, Insightful)
No, because the people advocating for backdoors still magically think only they can use the backdoors, and don't understand the reality that a backdoor is open to anybody who knows about it.
Don't ever expect those people to understand how their wishes diverge from reality.
Re: (Score:1)
All animals are equal but some are more equal than others.
Re: (Score:1)
If I recall correctly, you come from an ex-Soviet Bloc country. Was that book available, read in school, digested, or?
Re: (Score:1)
Not before 1991. Worse than that, books were censored just like everything else, many books and other materials were simply illegal to own.
Re: (Score:2)
Renamed it to Batman (Score:3)
Everyone knows that you should always be yourself. Unless you can be Batman, then be Batman.
*backdoor account access granted, Batman*
Documentation of the presidency will be available? (Score:3)
Government and backdoors (Score:3, Funny)
I thought the government *wants* back doors in everything.
I'm confused now... Why would they have them removed?
Re: (Score:2)
Why didn't they order more? (Score:1)
It was my understanding that the US Government was in favor of putting security back-doors in everything? Are they just mad cuz it wasn't their backdoor?
Buried by lawsuits (Score:2)
Hopefully, AMX will be buried by thousands of incoming lawsuits for this childish behavior. The article never mentions what this backdoor would actually let someone with access to it do, but I'm assuming that the possibility existed for someone to use that backdoor to obtain classified or proprietary information. That they tried to hide the backdoor once it was discovered rather than immediately patching it out is just another piece of evidence usable by anyone wishing to sue them. I can foresee a large-sca
Re:Buried by lawsuits (Score:5, Insightful)
The NSA probably "persuaded" them to install it. The NSA spied on congress and nothing happened. Nobody was fired or went to jail. Spying on the whitehouse isn't that far a stretch.
Re: (Score:2)
The NSA spies on everyone. They operate pretty much independently of the executive and legislative branches. Their leaders though technically serve the president they are often independent in the sense that the occupant tends to survive presidential replacement and their leadership comes from the military. For some reason the political leadership tends to view them as an extension of the military and thus "above politics".
The fact that neither the legislature nor president are bothered by the NSA spying on t
Re: Buried by lawsuits (Score:2)
There's a simple solution (Score:2)
Don't hook up critical resources where sensitive information is discussed to the internet! Or the phone, or any other network with clear-text external connections.
Re: (Score:2)
SIPRNET is on the Intertubes, not a separate set of tubes...
Re: (Score:2)
Why did this happen?
Look at the sales teams, sorry "advisory boards" that sell and watch over what the US needs, to use or buy or offer a no bid contract for decades of networks.
The very few with any real counterintelligence, counterespionage or force protection analysis just seem to want to buy into the same systems they always used from the same teams they knew people in gov can to buy into... surrounded by many people wh
Better Names (Score:2)
Should have gone with something better, maybe FatFreddy, CheechWizard or BettyVeronica.
Re: (Score:2)
Error, summary != article (Score:2)
Did the submitter even read the article?
The new account was not named "Batman". It was named "1MB@tMaN".
dot (Score:2)
Re: (Score:2)
Bin Laden Raid (Score:1)
In the photos from a conference room during the Bin Laden raid, you can clearly see some AMX equipment on the table. Scary to think that a backdoor was present in their conferencing system when a sensitive operation was taking place.
Someone with backdoor access could have seriously fucked up the whole operation.
Re: (Score:2)
New method of preserving secrecy needed.... (Score:5, Funny)
Re: (Score:1, Funny)
We could call it, perhaps, "The Cone of Silence."
What?
Re: (Score:2)
Patent the ability to type page one of one for each person attending. Ensure only one copy is handed out to each person and then collected at the end of the meeting.
That's going to be one very expensive typewriter. Think of the contract for a new linotype machine.
Delicious, delicious irony (Score:2)
Enough said. Though I doubt this will convince anyone in politics that encryption backdoors are a bad idea, period.
Not Normally Connected (Score:5, Interesting)
Re:Not Normally Connected (Score:5, Insightful)
> isn't physically connected to the house network.
Stuxnet. Iranian centrifuges.
Re: (Score:2)
> I'm an AMX programmer (and Crestron as well). I can tell you that A LOT of the time the A/V LAN is a completely separate system that isn't physically connected to the house network.
Maybe in government, somewhat in education (by VLAN only), pretty much never in corporate.
Re: (Score:1)
Re: (Score:2)
No excuse for leaving a backdoor? (Score:1)
They didn't just leave a backdoor, they wilfully inserted one under instruction of the US spying apparatus. I do know that people are going to be very reluctant to use the product in the future.
Re: (Score:2)
Re: (Score:2)
Firstly: AMX doesn't make hardware dedicated to government use. It's used in lots of places, schools, homes, businesses, churches, government facilities and the like. The headline makes it sound like it's a defense contractor that did this. No excuse here, though, as a backdoor on anyone's network is not good, but it'
Re: (Score:2)
We'll lose our lucrative government contract! (Score:2)
Oh shit, someone managed to infiltrate us and install covert backdoor accounts in our products? What'll we do, the Government and Military will have a shit fit over this, we'll get all our contracts cancelled! We'll be ruined!
Calm down Fred, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!
..Yeah, you're right, Steve, no need to spook them, not like they're smart enough to know better, right? Guess my Porsche payment will be on time this month after all!
Re: (Score:2)
Calm down Zhang, I've got it handled: We'll just tell them "Oh, those are just for our internal debugging, LOL, nothing to worry about!
FTFY
Re: (Score:2)
Back Door Man (Score:1)
Right... (Score:3)
Simple solution (Score:2)
Re: (Score:2)
Makes what Hillary did even more of a problem (Score:1)
I think no matter what political side you're on, we should be appalled at Hillary Clinton's unprofessional use of a home server for her email. Now that we know some of that was highly classified material, it becomes a national security problem that is worse by far than what General Petraeus did. Maybe some are so relating to her as poor old grandma who did not know better, or some incredible addition to her that you would overlook her being a murderer if you had to. But this is a national security mess and i
The government CAN'T complain. (Score:1)
Under the "Do unto others as you would have them do unto you." rule. The government does it, so....
Why they called it "Batman".... (Score:3)
Nah nah nah nah nah nah nah nah,
nah nah nah nah nah nah nah nah!
That's why. They're basically flipping them the bird.
BAT-MAN!
Way older than most people think (Score:2)
These kinds of backdoors have been around for a very long time. Remember "AWARD_SW", or "AMIBIOS"? Those passwords have opened so many BIOSes back in the day. It was helpful, until everybody started circulating lists. The manufacturers changed default passwords, but took a while for them to give up on those passwords entirely.
They help "lazy" operators and sysadmins, but they also help hackers as well.
I'm confused as to why they want them removed? (Score:2)
this post has been brought to you by Sarcasm
Re: (Score:3, Informative)
Nope, think of it like a Kwikset Smartkey deadbolt where you twist the faceplate, exposing a second lock cylinder.
This isn't a "debugging" tool.
I have personally seen "debug" access done properly:
1: The debug account is only accessible from a certain IP range.
2: The debug account is set to be inaccessible after a certain time.
3: The debug account uses a long passphrase.
4: The appliance website has an obvious note that the code is not for prime-time.
5: The debug account drops an entry into a log bucket.
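
The comment's points 1, 2, 3 and 5 as one gate, in an added Python example that is not AMX's code or the commenter's; point 4 (the website note) has no code equivalent. The names `DebugAccount`, `enable_debug_account` and `debug_login`, the 20-character minimum and the PBKDF2 parameters are assumptions, and the passphrase is kept as a salted PBKDF2 hash rather than the unsalted MD5 another comment in this thread describes.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

MIN_PASSPHRASE_LEN = 20      # assumed threshold for "a long passphrase"
PBKDF2_ROUNDS = 600_000      # assumed work factor


@dataclass
class DebugAccount:
    allowed_net: object      # ipaddress network the account may be used from
    expires_at: float        # epoch seconds after which the account is dead
    salt: bytes
    passphrase_hash: bytes


def _kdf(passphrase: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked firmware image does not yield the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def enable_debug_account(passphrase, allowed_net, ttl_seconds, now):
    """Create a time-limited debug account bound to one source range."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("debug passphrase too short")
    salt = os.urandom(16)
    return DebugAccount(ipaddress.ip_network(allowed_net),
                        now + ttl_seconds, salt, _kdf(passphrase, salt))


def debug_login(acct, source_ip, passphrase, now, audit):
    """Return True only if range, expiry and passphrase all check out.

    Every attempt, granted or not, is appended to `audit`.
    """
    if ipaddress.ip_address(source_ip) not in acct.allowed_net:
        reason = "source outside allowed range"
    elif now >= acct.expires_at:
        reason = "account expired"
    elif not hmac.compare_digest(_kdf(passphrase, acct.salt),
                                 acct.passphrase_hash):
        reason = "bad passphrase"
    else:
        reason = "ok"
    audit.append({"time": now, "source": source_ip,
                  "granted": reason == "ok", "reason": reason})
    return reason == "ok"


if __name__ == "__main__":
    # Constructed sample values: a one-hour account usable from 10.20.30.0/24.
    log = []
    acct = enable_debug_account("correct horse battery staple 42",
                                "10.20.30.0/24", 3600, now=1000.0)
    debug_login(acct, "10.20.30.7", "correct horse battery staple 42", 1500.0, log)
    debug_login(acct, "192.0.2.9", "correct horse battery staple 42", 1500.0, log)
    for entry in log:
        print(entry)
```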
Re: (Score:2)
Personally I prefer a special recessed button to be pressed to go into debug mode, and for the display to indicate debug mode is active. Needs to be fully transparent... But how can you trust that it is?
Re: (Score:3)
Don't think of it as a back door. Think of it as a front door with really big locks.
I'd rather it had great knockers:
https://www.youtube.com/watch?v=XTw1lzxTAis
Re: (Score:3)