
Harman AMX multimedia devices contain ‘Batman’ and ‘Black Widow’ backdoors

The Batman backdoor and the Black Widow backdoor are found in Harman AMX multimedia devices, which are used in conference rooms and similar environments.

The Batman and Black Widow backdoors are claimed to be a "debugger" account belonging to an engineer who worked on the AMX products; the claim is that the engineer forgot to remove the debugging account from the firmware.

As a result of that oversight, the firmware containing the account was used on all the Harman AMX multimedia devices.

AMX claims to have fixed this issue in its latest hotfix, which has been released on its site.

The hotfix addresses the following:

  • Fixed LDAP processing to increase the maximum number of returned results allowed
  • Fixed LDAP to limit the search scope to either the admin or user group
  • Fixed LDAP return result checking to be case insensitive (which matches LDAP and NX master behavior)
  • Fixed DATA.SOURCEIP so that it supports IPv6 addresses (for connection with NX master)
  • Removed debugging account to prevent security vulnerability
  • Fixed SSL certificate request form which wasn’t storing user inputs
  • Fixed SSL certificate values to be persistent through system reboot

The security company that performed the penetration test on the Harman AMX multimedia devices, SEC Consult, gave the following recommendation (full report here):

Attackers are able to completely compromise the affected devices as they can gain higher privileges than even administrative access to the system via the backdoor. It is highly recommended by SEC Consult not to use these products until a thorough security review has been performed by security professionals and all identified issues have been resolved. – SEC Consult

As the report and the recommendations from SEC Consult make clear, it is strongly advised to update the devices to the latest firmware.

AMX DGX16-ENC (Digital Media Switchers)

The "Black Widow" and "Batman" backdoors can allow threat actors to take full control of the affected device and, from there, of the network it is connected to.
