"These tools are only available to our superhero as the power they hold should not be available to simple administrators."
Then the tell the researchers it is "fixed", but just change from BlackWidow to "1MB@TMaN".
Realistically, it's a tech support account for onsite troubleshooters. Also realistically, it's not well guarded, and thus is certainly exploitable by basically anyone.
The existence of such an account isn't the WTF worthy feature. The lack of documentation for said account is. It might also be a good idea to have a fail-safe for using the account. For example, if an Administrator level account just logged /in/ (within the last 5 min) then allow field service login. The fail-safe would be the inverse, if /no one/ has logged in within 72 hours allow field service.
"These tools are only available to our superhero as the power they hold should not be available to simple administrators."
Yeah, I tend to add companies that make statements like this to my banned vendor list. Its up there with telling me that I have to pay GSA pricing instead of Educational prices because we're a tribal community college or charging for firmware upgrades to fix bugs for servers.
2) the backdoor password is encrypted using a strong cipher set, with a public key. The private key is held by the manufacturer HQ. The encrypted password is made accessible (if it's encrypted with a 4096 bit key, not even the NSA should be capable of decrypting it).
3) In case of fire, on-site troubleshooter breaks the glass eh emails the encrypted key to HQ, where it's decrypted by someone with access to the HSM with the private key on it and then dictated by phone to the on-site troubleshooter. Also, after troubleshooting, HQ supplies the system with a new public key and swaps the old one on the HSM.
I don't see what this has to do with your comment's parent.
Also, there is no such thing as "not even the NSA should be capable of decrypting it" without also mentioning a timeline. Everything is theoretically decryptable in the future (by the NSA or by non-state actors) assuming computing power grows as time goes on. The supercomputer currently in my pocket is capable of more computing power than all of the digital computers in the world combined the year the NSA was first created.
If quantum computing turns out to break all traditional symmetric and asymmetric encryption (as some many suspect is possible), it likely doesn't matter how many bits your encryption scheme uses -- it will eventually get broken if that's the desire of your adversary.
Also, I see a few potential problems with your scheme. What happens if the HQ gets hacked and all private keys and public keys are leaked (say, by an adversarial nation-state)? The device becomes useless from a security standpoint until a software/firmware upgrade occurs, and then there's no guarantee that HQ didn't have an advanced persistent threat installed. By opening a hidden "hero" account at all, you are introducing additional attack surface area that doesn't need to exist. There are some devices that simply should not have backdoors. The more we allow companies to backdoor products and not pay (criminal punishments, civil punishments, customer/public/press backlash), the more we will end up suffering from insecure systems in the future.
In this case it will be very hard to come up with a plausible deniability scenario. But I'm pretty that's their priority number 1 to come up with such a story.
I always prefer innocent explanations, but in this case it's hard. They created an additional account. Okay, you could say they did that (as they say) for debugging purposes.
But if it's only for debugging, why did they add extra code to hide the account? That's hardly explainable. The most "innocent" explanation is that they wanted to have a way to do support on these devices without the user being aware of that. That's bad enough and definitely lying to their users.
> As usual, SEC Consult Vulnerability Lab communicated this issue according to our responsible disclosure policy. Initial contact and exchange of the security advisory was performed through the European sales team at AMX.
My stance with these things, is if it's a backdoor, "responsible disclosure" is out the window.
It's amazing how many of these "backdoors" are showing up. Including ones which were obfuscated so as not to be visible to people reading the code.
This is looking very suspicious.
Why are are there no prosecutions under the Computer Fraud and Abuse Act, under the "exceeds authorized access" provision? In many cases, no EULA would get the vendor off the hook, because that doesn't help in criminal prosecutions. Also, the party spied upon may not be the one who bought the device or software, so they're not limited by the EULA.
When selling things to the federal government that are used for the transfer of classified and top secret information, isn't there at least some checklist that the Gov't asks?
1. Is this product backdoored?
If they say "no", and they turn out to be lying, then there should be criminal prosecution brought against the company. This seems like a no-brainer.
That would be a tough one to get a simple answer from.
Legally, they could say "no." because the backdoor might legally be a "lawful intercept" or "super-duper debugging thing" or "cheney's naughty dungeon".
Honestly, I don't think a checkbox question is enough for equipment used to handle top-secret information. The government should have demanded and audited the source code before buying it.
They could at least try harder to cover the new access method. I really wonder why they did not. They should have assumed that this particular backdoor will be disclosed. So even in the event of having legitmate use cases for access like this they still decided to endager their customers.
28 comments
[ 2.9 ms ] story [ 74.9 ms ] threadSo, Hanlon's razor in this case: malice or stupidity?
FTA:
"These tools are only available to our superhero as the power they hold should not be available to simple administrators."
Then the tell the researchers it is "fixed", but just change from BlackWidow to "1MB@TMaN".
Realistically, it's a tech support account for onsite troubleshooters. Also realistically, it's not well guarded, and thus is certainly exploitable by basically anyone.
They didn't fix it at all, they simply tried to "re-hide" the hidden account.
Yeah, I tend to add companies that make statements like this to my banned vendor list. Its up there with telling me that I have to pay GSA pricing instead of Educational prices because we're a tribal community college or charging for firmware upgrades to fix bugs for servers.
1) every hour the backdoor password is randomized
2) the backdoor password is encrypted using a strong cipher set, with a public key. The private key is held by the manufacturer HQ. The encrypted password is made accessible (if it's encrypted with a 4096 bit key, not even the NSA should be capable of decrypting it).
3) In case of fire, on-site troubleshooter breaks the glass eh emails the encrypted key to HQ, where it's decrypted by someone with access to the HSM with the private key on it and then dictated by phone to the on-site troubleshooter. Also, after troubleshooting, HQ supplies the system with a new public key and swaps the old one on the HSM.
Also, there is no such thing as "not even the NSA should be capable of decrypting it" without also mentioning a timeline. Everything is theoretically decryptable in the future (by the NSA or by non-state actors) assuming computing power grows as time goes on. The supercomputer currently in my pocket is capable of more computing power than all of the digital computers in the world combined the year the NSA was first created.
If quantum computing turns out to break all traditional symmetric and asymmetric encryption (as some many suspect is possible), it likely doesn't matter how many bits your encryption scheme uses -- it will eventually get broken if that's the desire of your adversary.
Also, I see a few potential problems with your scheme. What happens if the HQ gets hacked and all private keys and public keys are leaked (say, by an adversarial nation-state)? The device becomes useless from a security standpoint until a software/firmware upgrade occurs, and then there's no guarantee that HQ didn't have an advanced persistent threat installed. By opening a hidden "hero" account at all, you are introducing additional attack surface area that doesn't need to exist. There are some devices that simply should not have backdoors. The more we allow companies to backdoor products and not pay (criminal punishments, civil punishments, customer/public/press backlash), the more we will end up suffering from insecure systems in the future.
Story time :)
My bet would be on "legal support framework".
But if it's only for debugging, why did they add extra code to hide the account? That's hardly explainable. The most "innocent" explanation is that they wanted to have a way to do support on these devices without the user being aware of that. That's bad enough and definitely lying to their users.
My stance with these things, is if it's a backdoor, "responsible disclosure" is out the window.
Just expose the criminal to the public.
It's amazing how many of these "backdoors" are showing up. Including ones which were obfuscated so as not to be visible to people reading the code. This is looking very suspicious.
Why are are there no prosecutions under the Computer Fraud and Abuse Act, under the "exceeds authorized access" provision? In many cases, no EULA would get the vendor off the hook, because that doesn't help in criminal prosecutions. Also, the party spied upon may not be the one who bought the device or software, so they're not limited by the EULA.
Responsible disclosure doesn't just protect the company who built the product; it also protects all the people who bought it.
By disclosing irresponsibly, you're making an actual attack much more likely, since now theoretically every bad actor now knows about it.
Neither do you, therefore we're just having a bullshit argument.
1. Is this product backdoored?
If they say "no", and they turn out to be lying, then there should be criminal prosecution brought against the company. This seems like a no-brainer.
Legally, they could say "no." because the backdoor might legally be a "lawful intercept" or "super-duper debugging thing" or "cheney's naughty dungeon".
Would be interesting to see an email dump of AMX after the disclosure here to see how far down the rabbit hole it goes.
but good luck getting anyone on HN to acknowledge it. Officer Barbrady doppelgangers everywhere, stating "nothing to see here, move along".