There seems to be very little written about the subject of AV and security. Why is that?
The cynic in me thinks the AV industry ignores security out of convenience, some because they don’t pay it enough attention, some because they can’t solve it and some because they don’t care enough. AV tech was generally seen as secure. It wasn’t networked, so there was no need to consider security. With the dawn of IP however that has dramatically changed. The world of online espionage, hacking, illegal streaming and, what I like to call, ‘digital graffiti’ has forced many AV technology companies to rethink; but not all.
Is there still a lack of understanding?
Understanding the risks associated with AV technology is a problem, absolutely. While there are some very visual and obvious challenges the industry can understand, there are others they don’t. We’ve seen a number of instances of window digital signage systems being hacked and displaying adult materials in public spaces, digital graffiti, which people understand; it’s a hack and a delinquent with a PC.
However, there is also the risk of allowing digital signage system administrators to see and use certain content within a CMS, or a disgruntled employee using the system to show a finger to their boss on their final day; understanding user management, having a system that supports workflow management and ensuring digital signage systems are inaccessible from outside of a corporate network can help with this.
When it comes to IPTV the security concern comes from the content owner, be that Sky, Dish, Foxtel or Mediacorp; they want assurance that an employee cannot re-broadcast the streams you are distributing on a corporate network to the World Wide Web. They also want to ensure the content is only accessible from where and when it should be; so having an IPTV solution with full content management platform with DRM, geo-located access and control of downloads can really help. For me, it isn’t a surprise that the AV industry doesn’t understand this, IPTV is a bit of a new thing to many. IPTV is and always has been more IT than AV, and getting more heavily so; the industry is moving away from the appliance/black box approach and moving more towards software, which brings with it further need for enhanced security and encryption.
Despite some of the horror stories in the press around cyber attacks, do you think the subject is being taken seriously enough?
I think most of the proper IPTV and digital signage vendors are taking cyber security seriously, those who deal with large scale enterprise clients. But with 1,000 plus digital signage software solutions in the market I’d be surprised if all of them were particularly interested in security.
How big and how real is the threat?
Vulnerability starts the minute a system is connected to the public internet and then only if the network firewall is not configured correctly. I wouldn’t say any solution is infallible, but some are more robust than others. Hacks aren’t very frequent, in my six years with Tripleplay I can’t recall anything other than a disgruntled IT employee sabotaging a digital signage deployment when nobody closed down his network access after being sacked. Most of these systems are off the radar of hackers as there is little they can learn from them and little damage they can do. Obviously you get the occasional public display of hacking on digital signage screens, but that is because a hacker sees the screen and thinks ‘I wonder if I can get into that’ rather than sitting at home thinking ‘I need to hack some digital signage’.
Would you say every company is a potential target for a hacker?
From an AV perspective it just seems to be visible, public display environments that are targets. AV isn’t a widely known industry and its solutions generally fly under the radar. From a hacking perspective it would either be public displays and a mischievous computer whizz or a top level government job; either way, shouldn’t affect the masses.
Do you have any examples of where AV security has been compromised in digital signage and IPTV?
From an IPTV perspective, we’ve not seen much yet publicly but have heard tales. There is the risk now with the introduction of bring your own content with apps connecting to smart TVs that in densely packed hotels users can share adult materials to in-room smart TVs of other guests. That is of course, in hotels where the establishment has taken a shortcut and not implemented a robust IT-based system.
What’s your advice to readers that use digital signage in their business?
Solid IT systems are priority one, AV systems that stand alone from the IT network are vulnerable if they have an internet connection, so protecting those behind the company’s IT systems adds a layer of protection. Once that protection is in place your AV solution should also have its own in-built security, encryption and protection; so doubles down from a network perspective. Then, at the endpoint level, devices need to be encrypted too and should not allow a feed to be extracted; for example a HDMI output from a digital signage screen. Beyond that, human risks are always a problem but again, much of that can be ring-fenced with the right systems and the right policies. Nothing is 100 per cent fail safe, but you can be ‘more’ safe with some solutions than others.
Is it possible to be attacked without knowing and how can they check?
Cyber-attacks by their nature are secretive and hard to spot, except when somebody emblazons pornography across a 60ft screen in a train station. However, the way IT systems monitor and log data you can generally tell if something has taken place or is currently taking place. Again though, this is an IT solution, many AV manufacturer solutions do not provide the ability to see if your system is being remotely accessed, monitor system login attempts, provide reports on access or backup settings so a client can quickly reset and reload content.
Anything else you’d like to add?
AV managers and technicians must embrace IT and they must embrace security. The industry is fast moving away from its traditional hardware base to a software industry and with that comes an intrinsic requirement to be secure. You will never have your product installed on the network if it does not adhere to corporate IT security policies and standards; start planning for it now.