Security holes and how to avoid a fall
The AV/IT convergence trend is just one example of why cameras, displays and other systems are increasingly vulnerable. Tim Kridel explores how to mitigate and monetise those risks.
What’s the world’s fastest-growing insurance product? It’s not health. It’s hackers. Businesses will spend about €4.6 billion on cyber insurance premiums next year and at least €6.8 billion annually by 2020, PricewaterhouseCoopers estimates.
“Cyber insurance could soon become a client expectation, and insurers that are unwilling to embrace it risk losing out on other business if cyber products don’t form part of their offering,” PwC says.
The same can be said about AV security. In fact, Stephen Patterson, Biamp Systems EMEA sales development director, told InAVate last month that some clients will double their AV budget if the recommended solution is shown to meet their security requirements.
There’s no shortage of cautionary tales to help persuade clients to pay a premium for a secure solution. Case in point: In September 2016, hackers infected thousands of surveillance cameras, DVRs and other devices, and then used them to generate 620 Gbps of traffic in the world’s largest distributed denial-of-service (DDoS) attack.
That story has two morals. First, the AV gear involved reportedly was consumer grade. That aspect can help persuade clients to choose pro products.
Second, many of those devices were vulnerable because their firmware was old and unpatched. That aspect can help persuade clients to consider a managed service contract that includes implementing patches.
“Maintaining device firmware and software is critical to ensuring the latest security patches are present,” says James Meredith, WyreStorm Technologies product experience manager. “This should form part of the service contract with the client as it’s another reason to justify the contract cost.”
Another potential way to justify the fee is to compare it to the cost of a hack. There’s no shortage of publicly available studies to cite, such as Ponemon Institute’s annual “Cost of Data Breach Study,” which breaks out amounts by country. Another is NetDiligence’s “Cyber Claims Study,” which says the average for a large company is almost €5.5 million.
So many threats, so little time
At many clients, AV is the responsibility of the IT department, which understands the importance of timely patches and updates. But understanding and doing are two different things. For example, ransomware is rampant in the business world even though that method has been around for decades. One reason it still works is that overworked IT departments struggle to keep even the major platforms, such as Windows, up to date.
Everything else, such as browsers and productivity software, typically gets patched when there’s time, which can be a long time. That’s why a Hewlett Packard Enterprise study found that the top 10 exploits were more than one year old, and 68% were at least three years old.
AV not only adds to the patch workload; it’s also stuff that’s still relatively new and unfamiliar to IT departments. That means they may not know where vulnerabilities lie, how to mitigate those risks and so on. Hence the appeal of an AV firm offering to shoulder those responsibilities.
Of course, to offer that kind of managed service, integrators need solutions capable of updating hundreds or thousands of client systems—remotely and quickly. Trying to do that manually erodes the contract’s profit margin and can leave the window of opportunity open for hackers. The good news is that there’s a growing selection of central-management tools.
“Centralised control of all display systems with management software such as NEC’s NaviSet Administrator enables proactive protection and a swift reaction should it be required, with immediate access to your entire estate,” says Thomas Walter, NEC Display Solutions Europe section manager, strategic product marketing.
To get the most out of such tools, integrators need to have staff who keep an eye on emerging threats and know how to quickly get patches and updates for affected systems. March Networks is an example of how some vendors are helping with that task. A few years ago, it added a section to its website devoted to security advisories and updates, partly to help resellers and end users worried after reading the latest news reports about hacks.
“They pop up in the press, and people get very concerned,” says Dan Cremins, global leader of product management. “We’ll tell you exactly which of our products are affected and the version you need to [implement], or we’ll say it’s not applicable to our products.”
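The advisory workflow Cremins describes, as an added example that is not code from the article or from any vendor named in it: a small audit that matches a device inventory against vendor advisories and lists exactly which units still run firmware older than the fixed version. Vendors, models, firmware versions and advisory IDs below are constructed placeholders.

```python
"""Audit an AV device fleet against vendor security advisories.

Added example; inventory, advisories and IDs are constructed sample data.
Assumes dotted numeric firmware versions (e.g. 2.10.3); no vendor API is used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vendor: str
    model: str
    fixed_in: str      # first firmware version that contains the fix
    advisory_id: str   # placeholder reference, not a real advisory number


def parse_version(version: str) -> tuple:
    """'2.10.3' -> (2, 10, 3). Numeric compare, so 2.10 sorts after 2.9."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed firmware predates the fixed version.
    A shorter tuple such as (1, 4) compares lower than (1, 4, 2)."""
    return parse_version(installed) < parse_version(fixed_in)


def audit(inventory: list, advisories: list) -> list:
    """Return (device, advisory_id, installed, fixed_in) for every device
    whose vendor/model has an advisory and whose firmware is too old."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault((adv.vendor, adv.model), []).append(adv)
    findings = []
    for dev in inventory:
        for adv in by_product.get((dev["vendor"], dev["model"]), []):
            if is_affected(dev["firmware"], adv.fixed_in):
                findings.append((dev["name"], adv.advisory_id, dev["firmware"], adv.fixed_in))
    return findings


INVENTORY = [  # constructed sample fleet
    {"name": "lobby-cam-01", "vendor": "ExampleCam", "model": "C200", "firmware": "2.9.1"},
    {"name": "lobby-cam-02", "vendor": "ExampleCam", "model": "C200", "firmware": "2.10.0"},
    {"name": "nvr-01", "vendor": "ExampleCam", "model": "NVR8", "firmware": "1.4"},
    {"name": "boardroom-display", "vendor": "ExampleDisplay", "model": "D55", "firmware": "3.0.2"},
]
ADVISORIES = [  # constructed; advisory IDs are placeholders
    Advisory("ExampleCam", "C200", "2.10.0", "EXAMPLE-ADV-001"),
    Advisory("ExampleCam", "NVR8", "1.4.2", "EXAMPLE-ADV-002"),
]

if __name__ == "__main__":
    for name, adv_id, have, need in audit(INVENTORY, ADVISORIES):
        print(f"{name}: {adv_id} applies, running {have}, update to {need}")
```

Only the two devices below the fixed version are reported; the display, which has no advisory, and the camera already on the fixed release are not.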
Don’t be the weak link
It’s also worth keeping an eye on trends in IT, such as emerging architectures that could be used to help secure AV. One example is software-defined networking (SDN), which some enterprises have begun implementing for reasons such as greater flexibility for managing traffic loads. SDN makes it easier to partition off sections of the network for certain devices and applications, such as to keep malware from infecting AV gear.
Some enterprises also are using SDN for Internet of Things (IoT) applications, including building-management systems that a few AV firms have expanded into. From a security perspective, IoT and AV are similar in the sense that they can be back doors for hackers seeking bigger targets.
“The AV system probably isn’t the target,” says Paul Zielie, Harman Professional enterprise solutions manager. “If it is, it’s probably for vandalism. But you also can’t allow the AV system to be a handy platform to shoot at the accounting system.”
That’s basically what happened at Target in 2014. The retailer gave an HVAC contractor access to its IT network for tasks such as billing, contract submission and project management. Hackers focused on the contractor to create a back door into Target’s payment system, where they grabbed credit and debit card numbers and other information for about 110 million customers.
The Target attack is noteworthy for another reason: The HVAC contractor is small compared to Target, just like many AV integrators are small compared to their clients. That can create a false sense of security: “We’re too small for hackers to care about,” or “We don’t have hundreds of thousands of credit card numbers, so why would they target us?”
Wrong. The takeaway is that AV firms need to protect themselves in order to protect their customers.
“The top vulnerabilities in an AV system are very similar in a lot of ways to any other system, IT or otherwise,” says Kieran Walsh, Audinate senior technical solutions manager. “A general concept of security is ‘access, authentication and auditing.’
“Preventing physical access is stage one. The number of IT and AV systems that don’t employ the most basic layer 1 security—if a wall port isn’t used, unplug it at the patchbay; lock switches away from public areas, etc.—is surprising.”
Access also can be based on an employee’s role in the client’s organisation.
“Within all of our central control systems, we have implemented a role-based access control stack that can either work standalone or pushed off to Active Directory,” says Harman’s Zielie. “I personally would like to see the entire AV industry out of the user name and password business because there are groups within any organisation that are good at that and that’s their job. We prefer that you just point it off to Active Directory. Then as an AV manufacturer, I don’t care if your password policy is a hundred characters changed every two days.”
Another access example involves the shootings earlier this year at Fort Lauderdale-Hollywood International Airport. Surveillance video was leaked to the press, but not because someone hacked into the network. Instead, authorities determined that it was recorded with a mobile phone pointed at a display by someone who had access to the surveillance feeds. So although using encryption and other tools to secure AV devices and networks is important, so is advising the client to restrict access to the rooms where those systems are operated.
An authentication example, meanwhile, is a wall port that terminates at a live switch port: something other than the intended AV device could be plugged into it to create a back door.
“Most enterprise switches come with an implementation of 802.1x,” Walsh says. “This can be used to control whether the switch port allows you to electrically connect to the network. The number of IT networks that implement this (it often comes as a feature of the switch hardware) is incredibly low, and less so in AV. Connecting via VPN with strong authentication and individual (revocable) certificates is one of a number of ways to keep the outside out of your network.”
Audinate’s Dante Domain Manager is an example of a tool that helps with access, authentication and auditing.
“Without login credentials, devices enrolled in a domain are invisible to anyone that is not a securely authenticated authorised user,” Walsh says. “A device cannot subscribe to audio from another device in a Dante network without being a member of the same domain. In practice, this would require an authorised and authenticated user to add the device.”
Using traditional IT tools and best practices
Firewalls are a common way to secure AV and IT systems. March Networks recommends using ones that also support deep packet inspection (DPI), which scrutinises each packet’s content rather than only its headers. It also recommends choosing AV and IT products that provide the option of turning off unneeded features that could facilitate breaches. One example is the ability to disable Simple Network Management Protocol (SNMP) services.
Vulnerabilities also vary by application. For example, conference rooms often are used by guests who bring their own laptops to present.
“The digital video channel (HDMI/DP/HDBaseT) includes a bi-directional data line used for info frames, EDID and HDCP,” says Keren Lipshitz, Kramer director of control and solutions. “This same data line can be used in any meeting room by a visitor device connected to the matrix switcher or the projector/display to infect the company PCs with viruses and penetrate the company's network.
“Common firewall protection does not apply on the video channel, leaving it exposed to hacking. IP phones and CC systems used in any meeting rooms are also exposed to hacking.”
Isolation is one strategy for mitigating such risks.
“Adding an isolator between the visitor device and the matrix switcher, projector and display guarantees unidirectional data flow from source to peripherals,” Lipshitz says. “This prevents eavesdropping and reduces the risk of hacking. Isolators are insignificant in terms of AV installation costs, but they add a significant layer of protection missing today in most rooms.”
Firewalls aren’t the only traditional IT solutions that can be used to protect AV. Another example is anti-malware software.
“Many displays include embedded computing/players that might be vulnerable to attacks,” says NEC’s Walter. “There are instances where integrated system on chips (SoCs) have been attacked, and the display content has been altered when corporates have temporarily lost control over their displays.
“We therefore recommend [taking] the same level of care that we apply to IT devices today. Open and modular computing performance such as OPS computers or Raspberry Pi computing allows the installation of the preferred anti-virus software that best suits the purpose or is widely used throughout the enterprise already.”