In the first part of this special report into cybersecurity we outlined the increasing threats presented by networked AV and revealed the training and information available to the industry. Here Ian McMurray looks at the practical implications and considers the factors that are often overlooked when it comes to installation security.
Rainer Stiehl, Extron VP of marketing for Europe starts with the fundamentals.
“The easiest way to minimise potential vulnerabilities is to implement password and connectivity standards,” he declares. “For example; change default passwords on products and in software.”
That’s something that Paul Zielie, manager, enterprise solutions, Harman Professional Solutions, feels strongly about. “By far the most common way in which AV systems are accessed by people who should not have access is by installers leaving the default user names and passwords in an operational system,” he echoes. “This is a practice, often justified by convenience, which has no place in a modern AV system.”
“Also,” continues Stiehl, “in an era where every AV device is expected to be connected to the network, use a VLAN strategy in combination with other networking techniques to limit access to devices or what those devices may access.”
Kenneth Noyens, advanced technical support manager at Crestron EMEA, picks up Stiehl’s point about the need for VLANs.
“Authentication is vital,” he considers. “A lot of AV equipment is put on the network without authentication enabled, meaning that anyone can connect from internally on the network or externally when remote access is configured. I would strongly recommend setting up authentication on our boxes, making sure that only validated users can configure and make changes to them. This way, you limit people configuring or messing around with the AV boxes. An active directory can be used to set up a central management of user access and avoid the use of a standard set of passwords for all your AV devices. As an extra layer, we also see customers implementing a decent level of firewalling between their different internal VLANs, making sure that only qualified people can reach the AV systems in the first place.”
The biggest problem we see is that people expose their systems to the internet without any firewall rules or authentication enabled
Rainer Stiehl, Extron
“The biggest problem we see is that people expose their systems to the internet without any firewall rules or authentication enabled, leaving all ports exposed to an external IP address,” he emphasises. “This will definitely have a bad impact on your AV system. Anyone with bad intentions on the internet can scan for open ports. Once found, they can change configuration, change the program and take your systems offline. We also see that automated or scripted scans trying many different usernames and passwords per second. This will use bandwidth and system resources, slowing down the overall user experience.”
Keren Lipshitz, director, head of control and solutions division at Kramer Electronics, also sees some basic things that should be done.
“In the same way that a company will look to isolate a visitor’s Wi-Fi connection from the company’s network, that should equally be done with a visitor’s AV connection,” she says. “Ensuring isolation between a visitor device and the company’s AV equipment shouldn’t just be something that high-security organisations do – it should be done by any organisation wishing to protect their network and data.”
Lipshitz also notes the inherent insecurity that can exist in digital video, with HDMI/DP cable connections being an obvious target.
“Today, most of the companies who are not involved in the defence market don’t protect their digital video connections,” she adds. “By leaving this connection exposed, they are enabling hackers to penetrate their systems.”
Do you recognise any of these?
They’re five of the most popular username/password combinations and will, according to cybersecurity company Positive Technologies, get you access to one in 10 IoT devices. That’s millions of devices… The Mirai botnet, which has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, used only 62 username/password combinations.
For Zielie, understanding the specifics of the application is imperative.
It’s about workflows
“Often, too little attention is paid to the AV workflows and the potential security risks which may be accessible to any user,” he says. “There are often functions within the workflow which should be privileged. For example, a university may want to allow anyone access to projection, but only allow instructors to have access to lecture capture and remote classroom capabilities.”
“An integrated AV system – IAVS – consists of several classes of device configured and programmed to operate as a single system,” he goes on. “Because IAVS functions as a system, security validation is best achieved as a system, rather than by individual components. Additionally, the same components may be reconfigured and programmed in order to achieve various goals and workflows. For this reason, it is best to segment the security accreditation into two areas – platform architecture and application workflow.”
It becomes apparent, talking to the industry, that one of the keys to maximising installation security is not to underestimate the potential for risk in almost anything that’s attached to the network. Lipshitz has an excellent example.
“There’s no doubt that Smart TV operating systems are vulnerable,” she says. “In fact, all displays are vulnerable to attacks that target low-level controls that they all have in common – for settings such as luminance, refresh rate, contrast ratio and so on. That threat is exacerbated in many KVM systems where two computers share the same monitor, in which computer-to-monitor communication is done via low-level functions transmitted undetectably over the monitor’s cable. This communication is not monitored by any antivirus or intrusion detection and prevention systems.”
Lipshitz notes that one of the reasons Kramer signed a global distribution agreement with cybersecurity manufacturer Highseclabs (HSL) was to ensure its customers were not exposed to this vulnerability.
“All HSL-Kramer combined products are designed to support isolation between networks with different security classifications,” she notes. “That’s hugely valuable in applications such as finance, healthcare and defence.”