Audiovisual devices made by AMX for government, education and business users contain a secret backdoor that allows full remote access without detection, security researchers have found.
European security firm SEC Consult discovered the hidden backdoor account by analysing an operating system program for user management on the AMX Netlinx NX-1200 AV controller, which is sold in Australia.
The binary contains a function named "setUpSubtleUserAccount", which adds a hidden user with administrative privileges, SEC Consult said.
Both the account username and password are stored persistently on the AMX NX-1200, meaning if an attacker has this information, they can potentially log on remotely to multiple devices.
That secret account is named BlackWidow, after a Marvel Comics superhero.
SEC Consult contacted AMX in March last year with details of the backdoor, and a patch was issued some seven months after the disclosure.
AMX, however, did not remove the backdoor with the patch. Instead, the company swapped the superhero user name to 1MB@tMaN, and the account with full administrative privileges, accessible via Secure Shell or a web interface, remained.
On top of normal administrative privileges, SEC Consult found the secret backdoor account can capture data packets on the device network interface. This is not possible with the local administrator account, the researchers said.
Some of AMX's products have been tested by the US Defence Information System Agency and entered on the country's joint interoperability test command approved products list, meaning they are certified as "secure command and control, conference, training and briefing room" solutions.
One promotional image on AMX's United States website shows president Barack Obama in front of a control panel sold by the company, along with secretary of state Hillary Clinton and other officials.
Several other AMX products contain the backdoor account, SEC Consult said, including some of its digital media switchers, all-in-one presentation switchers, control pads, and central controllers.
Yesterday, AMX issued another set of firmware updates for the products that can be downloaded by users on its website, or through authorised AMX or Harman Professional dealers.
SEC Consult has not tested the updated firmware packages to see if the backdoor has been removed.
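One way an administrator could check an unpacked firmware image for the indicators named in this article, as an added example (not SEC Consult's tooling or AMX code): it searches for the function name and both account names in ASCII and UTF-16LE. The sample bytes and the directory layout are constructed assumptions, and because the account was already renamed once, an empty result does not show the backdoor is gone.

```python
"""Scan firmware bytes for the backdoor indicators named in the article."""
import sys
from pathlib import Path

# Strings taken from the article: the function name and both account names.
INDICATORS = ("setUpSubtleUserAccount", "BlackWidow", "1MB@tMaN")


def scan_blob(data: bytes) -> list[tuple[str, str, int]]:
    """Return (indicator, encoding, offset) for every occurrence in data."""
    hits = []
    for text in INDICATORS:
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.append((text, enc, pos))
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def scan_tree(root: Path) -> dict[str, list[tuple[str, str, int]]]:
    """Scan every regular file under an unpacked firmware directory."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            hits = scan_blob(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: not real AMX firmware, just bytes containing the strings.
SAMPLE = (b"\x7fELF\x00\x00setUpSubtleUserAccount\x00pad"
          + "1MB@tMaN".encode("utf-16-le") + b"\x00\x00admin\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed usage: path to a directory holding the extracted firmware.
        for name, hits in scan_tree(Path(sys.argv[1])).items():
            for text, enc, off in hits:
                print(f"{name}: {text!r} ({enc}) at offset 0x{off:x}")
    else:
        print(scan_blob(SAMPLE))
```

Run it with the path to an extracted firmware directory; any hit identifies the file and byte offset to inspect further.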