Lots of companies — and even the White House — use a conference calling system that could possibly be tapped by hackers, according to new research.
On Thursday, cybersecurity experts at SEC Consult revealed a secret doorway that’s built into a popular conference calling product built by a company called AMX.
AMX makes tablet panels used to control conference calls for businesses, government agencies and universities.
The company hard-coded backdoor access into its system. AMX created a “secret account” with a permanent username and password, which means a hacker who already sneaked into a computer network could tap into actual meetings, if the hacker knew the backdoor access code.
It’s a glaring security hole.
SEC Consult researchers discovered the questionable computer code, detailing it in a blog post Thursday.
Harman, the American tech firm that makes AMX systems, acknowledged the issue — but called it an intentional feature. The company said it disabled the access point through a software update in December.
But cybersecurity experts say it’s still serious.
“This is tantamount to handing over an unlocked military/government smartphone or computer system to an enemy,” said Phil Hagen, who teaches cybersecurity professionals at the SANS Institute. “It’s a huge problem that anyone with the ‘secret account’ credentials could theoretically access those devices.”
The White House didn’t immediately respond to questions about security concerns.
David Kennedy, CEO of cybersecurity firm TrustedSec, compares the seriousness of this AMX problem to last month’s discovery of a backdoor hack in Juniper Networks computer equipment used by the U.S. government and corporations everywhere.
Some, like WhiteHat Security’s Jeremiah Grossman, went as far as to say that anyone who uses this conference calling system “should be considered compromised.”
An innocent mistake?
Computer security experts told that it seems like a case of sloppy computer programming. The access point was probably built for fixing problems during product development and accidentally left in.
In its report, SEC Consult points out that AMX created a secret account with a coded name that translates to “BlackWidow.” The cybersecurity firm notified AMX, which fixed the problem sometime in the next seven months.
But then SEC Consult researchers looked again and discovered that the secret account still existed — only this time it was called “1MB@tMaN.”
The fact that both names are references to comic book superheroes has cybersecurity experts asking whether this backdoor is a deliberate attempt by AMX to create a secret access point.
Actually, BlackWidow was indeed a backdoor.
Harmon company representative Darrin Shewchuk explained that BlackWidow was a “diagnostic and maintenance login for customer support of technical issues.” Though it was never meant to be secret, he said.
Meanwhile, the Batman reference was “an entirely different internal feature” that let internal devices talk to one another. It wasn’t a replacement backdoor.
Shewchuk said the names were just internal company humor.
In the notoriously paranoid computer security field, this existence of a backdoor leaves some wary of the potential for espionage.
“There can be no other explanation for the presence of this other than to provide a secret backdoor into the product,” said Jeremiah Talamantes, president of cybersecurity firm RedTeam Security.
Either way, it’s a deemed a risk.
“It’s a massive problem, even if accidental — unconscionable if deliberate,” Hagen said.