Backdoor in security means hackers could tap into corporate conference calls

NEW YORK — Lots of companies — and even the White House — use a conference calling system that could possibly be tapped by hackers, according to new research.

On Thursday, cybersecurity experts at SEC Consult revealed a secret doorway that’s built into a popular conference calling product made by a company called AMX.

AMX makes tablet panels used to control conference calls for businesses, government agencies and universities.

The company hard-coded backdoor access into its system. AMX created a “secret account” with a permanent username and password, which means a hacker who already sneaked into a computer network could tap into actual meetings, if the hacker knew the backdoor access code.

It’s a glaring security hole.

SEC Consult researchers discovered the questionable computer code, detailing it in a blog post Thursday.

Harman, the American tech firm that makes AMX systems, acknowledged the issue — but called it an intentional feature. The company said it disabled the access point through a software update in December.

But cybersecurity experts say it’s still serious.

“This is tantamount to handing over an unlocked military/government smartphone or computer system to an enemy,” said Phil Hagen, who teaches cybersecurity professionals at the SANS Institute. “It’s a huge problem that anyone with the ‘secret account’ credentials could theoretically access those devices.”

The White House didn’t immediately respond to questions about security concerns.

David Kennedy, CEO of cybersecurity firm TrustedSec, compares the seriousness of this AMX problem to last month’s discovery of a backdoor hack in Juniper Networks computer equipment used by the U.S. government and corporations everywhere.

Some, like WhiteHat Security’s Jeremiah Grossman, went as far as to say that anyone who uses this conference calling system “should be considered compromised.”

An innocent mistake?

Computer security experts told CNNMoney this seems like a case of sloppy computer programming. The access point was probably built for fixing problems during product development and accidentally left in.

In its report, SEC Consult points out that AMX created a secret account with a coded name that translates to “BlackWidow.” The cybersecurity firm notified AMX, which fixed the problem sometime in the next seven months.

But then SEC Consult researchers looked again and discovered that the secret account still existed — only this time it was called “1MB@tMaN.”

The fact that both names are references to comic book superheroes has cybersecurity experts asking whether this backdoor is a deliberate attempt by AMX to create a secret access point.

Actually, BlackWidow was indeed a backdoor.

Harman company representative Darrin Shewchuk explained that BlackWidow was a “diagnostic and maintenance login for customer support of technical issues.” Though it was never meant to be secret, he said.

Meanwhile, the Batman reference was “an entirely different internal feature” that let internal devices talk to one another. It wasn’t a replacement backdoor.

Shewchuk said the names were just internal company humor.

In the notoriously paranoid computer security field, the existence of a backdoor leaves some wary of the potential for espionage.

“There can be no other explanation for the presence of this other than to provide a secret backdoor into the product,” said Jeremiah Talamantes, president of cybersecurity firm RedTeam Security.

Either way, it’s deemed a risk.

“It’s a massive problem, even if accidental — unconscionable if deliberate,” Hagen said.
