
Backdoor account in several AMX (Harman Professional) devices - FireFart
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html
======
finid
> As usual, SEC Consult Vulnerability Lab communicated this issue according to
> our responsible disclosure policy. Initial contact and exchange of the
> security advisory was performed through the European sales team at AMX.

My stance with these things is, if it's a backdoor, "responsible disclosure"
is out the window.

Just expose the criminal to the public.

~~~
pavel_lishin
> My stance with these things is, if it's a backdoor, "responsible disclosure"
> is out the window.

Responsible disclosure doesn't just protect the company who built the product;
it also protects all the people who bought it.

~~~
throwaway2048
Unless, of course, bad people are abusing it (they are smart enough to find
these things too).

~~~
pavel_lishin
But not 100% of the potential abusers will know about the backdoor.

By disclosing irresponsibly, you're making an actual attack _much_ more
likely, since now, theoretically, _every_ bad actor knows about it.

~~~
throwaway2048
You have no way to quantify those numbers; "irresponsible disclosure" is,
frankly, just a bullshit term.

~~~
pavel_lishin
> _you have no way to quantify those numbers_

Neither do you, therefore we're just having a bullshit argument.

------
matt_wulfeck
When selling things to the federal government that are used for the transfer
of classified and top secret information, isn't there at least some checklist
that the Gov't asks?

1. Is this product backdoored?

If they say "no", and they turn out to be lying, then there should be criminal
prosecution brought against the company. This seems like a no-brainer.

~~~
LinuxBender
That would be a tough one to get a simple answer from.

Legally, they could say "no" because the backdoor might legally be a "lawful
intercept" or "super-duper debugging thing" or "Cheney's naughty dungeon".

~~~
matt_wulfeck
I would assume they are smart enough not to sell the same version to the White
House.

------
Mandatum
Given the backdoor was reimplemented immediately, can we safely assume there
is external pressure to have this available?

Would be interesting to see an email dump of AMX after the disclosure here to
see how far down the rabbit hole it goes.

~~~
mercora
They could at least try harder to cover the new access method. I really wonder
why they did not. They should have assumed that this particular backdoor would
be disclosed. So even in the event of having legitimate use cases for access
like this, they still decided to endanger their customers.

------
jlgaddis
Wow.

So, Hanlon's razor in this case: malice or stupidity?

~~~
dsp1234
_malice or stupidity?_

FTA:

"These tools are only available to our superhero as the power they hold should
not be available to simple administrators."

Then they tell the researchers it is "fixed", but just change the account from
"BlackWidow" to "1MB@TMaN".

Realistically, it's a tech support account for onsite troubleshooters. Also
realistically, it's not well guarded, and thus is certainly exploitable by
basically anyone.

~~~
protomyth
"These tools are only available to our superhero as the power they hold should
not be available to simple administrators."

Yeah, I tend to add companies that make statements like this to my banned
vendor list. It's up there with telling me that I have to pay GSA pricing
instead of Educational prices because we're a tribal community college, or
charging for firmware upgrades to fix bugs in servers.

~~~
egypturnash
I'm pretty sure that's a quote from the person documenting the backdoor, not a
public statement.

------
vvanders
The punchline reminded me of the JS "nan nan nan batman" joke
(https://www.youtube.com/watch?v=FqhZZNUyVFM).

