A consultant’s view of the AMX security issue
Recently there have been a few people who would have you believe that “Networked AV is the single biggest threat to cybersecurity today.” Are the people who are saying this seriously stating that Networked AV poses a bigger threat to Cyber Security than social engineering or the other countless cybersecurity issues that end users can bring to a network?
For cyber security I am still much more afraid of the free USB storage devices that everyone picks up at tradeshows or the discussions or complaints that people have about their networks in public. I fear the way people write down passwords on sticky notes or how they login to their network from their home computer or public computers. I fear that people use cloud storage for their customer’s data and other truly cyber security scary things like these issues. Yes, I fear how everything being added as a network device can change the landscape of network security, but Networked AV is such a microcosm of that. It just seems ludicrous to say it is the biggest threat. Furthermore, Networked AV is most often made up of purpose built devices that are easily made secure by logically or physically segmenting them from the rest of the network.
When you talk about Networked AV, you are most often looking at simple devices that attach to the network that have functionality in audiovisual, some may even do streaming of audio and video. These devices attach to the network much like printers and computers. Security for these devices work the exact same way existing devices on the network does. If you want to protect them from being used you implement features and methods on your network that you currently use to lock devices down. Sure you should seek out devices that have built in security features (like for streaming you would look for encryption and such), but your network must provide the needed security as well. No Networked AV device is going to make your network more secure than it already is. If you lock your network down properly and segment it away properly, no networked AV device can make your network less secure. I know I can confidently say this because I know that you can implement a separate physical network to run Networked AV if you really needed to. By doing that, your original network is no less secure.
AMX and their BACKDOOR issue – Here are the top three reasons I think the article in Forbes (and a few other places) is just a lot of hype and fear mongering:
- The main article opens with mention of a backdoor vulnerability that Juniper had with a product that allowed for sniffing on the network by a snoop. This has no relation to what the AMX backdoor account does and the statement is used only to sensationalize the article and to fear monger. Juniper products are LAN/WAN products that are part of the infrastructure not endpoints. When a product is part of the infrastructure it determines the network’s security. These particular AMX products are endpoints and are in part protected by the network topology and security (i.e. physically or logically segmentation).
- At another point in the main article there is mention of the consulting firm not taking the research far enough to actually find out what the users of the backdoor accounts would actually be able to do once they exploited the vulnerability. Clearly the researchers have no clue what AMX control systems do and were completely unaware that the “hacker” would be limited to source switching and other such control sets. However, again for sensationalism at this point the writer choses to mention AMX case studies with military and the U.S. President. The writer takes it even further by bringing up a case that had to be dropped due to lack of evidence and the accusation having no substantiation with regard to spying.
- The writer mentions that SEC Consult determined that if the AMX devices were configured in such a way or mistakenly configured that an outside user could use a general search for AMX and can find these devices on the internet and then exploit the vulnerability. This would require the control panel to be placed on the internet. This is NEVER the case.
The bottom line is that sure the backdoor accounts were not necessary, but they are by no means a major concern and at best they are a very minor maintenance task to be taken care of upon the next maintenance run. The way the article is spun and the direct assault on AMX is more suspect than the vulnerabilities in the article. I came away after reading it thinking the consulting firm has an axe to grind with AMX. I came away definitely believing that the Forbes writer had it out for AMX. I really did not see much objectivity in that article.
Written by Max Kopsho, Principal – Thorburn Associates
This Article is a reprint from an original post on LinkedIn, posted here with full permission, copyright Max Kopsho.