This isn’t some strange fiction story in which two popular superheroes team up against the U.S. government. “Batman” – specifically “1MB@tMan” – and “BlackWidow” are codenames used for backdoor logins into conference room tools used by various governments around the world, including White House staff and other branches of the U.S. government.
The recently discovered backdoors could be used for spying, a research firm has said, although the creator of the affected products denies it all.
Austrian security firm SEC Consult discovered that AMX products contained these two backdoors, Forbes reports. AMX is owned by Harman International, which acquired it for $365 million in 2014.
BlackWidow was first discovered in March 2015, at which point SEC contacted AMX about the discovery. The company released a patch seven months later, but in the meantime the Batman backdoor was discovered. SEC then struggled to get a response from AMX, but the company contacted the security firm on January 20th to tell them the second issue had been fixed on January 15th.
SEC found the security issues when looking at the firmware on AMX devices. The superhero accounts and corresponding passwords were easily discovered. “Any competent, determined hacker could do the same,” Forbes says.
While AMX devices aren’t typically connected to the Internet, some of them can be accessed that way even if the user doesn’t configure them to connect via the web.
It’s not clear what kind of data could be snooped on this way, but researchers said the accounts had “sniffing capabilities” well beyond what normal admin accounts should be able to do.
AMX products are used by the White House Press Secretary’s Office, the U.S. Air Force and the U.S. Army, as well as by 20th Century Fox and Unilever, according to the company. AMX also provided equipment for the 2002 and 2006 Winter Olympics.
A Harman spokesperson confirmed the superhero-named accounts, saying the chosen names were purely “lighthearted internal project names” that have no intended meaning.
As for their functionality, Harman added that BlackWidow was an account used for legacy diagnostic and maintenance logins when the company’s customer support team troubleshoots technical issues.
“Commonly used in legacy systems, it was not ‘hidden’ as suggested, nor did it provide access to customer information,” the spokesperson said. “While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.”
Batman, meanwhile, was not a replacement for BlackWidow. Apparently, Batman allowed internal systems to communicate and it was not properly removed from commercial products.
Were AMX products used for spying? That’s hard to say, and likely impossible to prove. Forbes notes that the Irish police ombudsman believed that their AMX system may have been bugged in 2013, but an official inquiry said there was insufficient evidence to prove that the Garda Síochána Ombudsman Commission was hacked.