28.07.17

Tips for securing AV systems from Kramer

High Angle View Of Businesspeople Working On Electronic Devices At Wooden Desk

Tim Kridel asks Keren Lipshitz, director of control & solutions at Kramer how security threats to enterprise AV systems can be minimised.

TK: In your experience, what are the top vulnerabilities in today’s enterprise AV systems? 


KL: Meeting rooms host a mix of corporate-owned and guest devices, and today as AV systems are being integrated into the IT infrastructure, HDMI connections must be secured to protect the corporate network. The digital video channel (HDMI/DP/HDBaseT) includes a bi-directional data line used for info frames, EDID and HDCP. This same data line can be used in any meeting room by a visitor device connected to the matrix switcher or the projector/display to infect the company PCs with viruses and penetrate the company's network. Common firewall protection does not apply on the video channel, leaving it exposed to hacking. IP phones and CC systems used in any meeting rooms are also exposed to hacking. 

TK: What are some tips and best practices for minimizing those vulnerabilities? 


KL: It is highly recommended to add isolation and tempering to existing systems to eliminate threats. Adding an isolator between the visitor device and the matrix switcher, projector and display guarantees unidirectional data flow from source to peripherals. This prevents eavesdropping and reduces the risk of hacking. Isolators are insignificant in terms of AV installation costs, but they add a significant layer of protection missing today in most rooms.

TK: There are a lot of government standards, best practices, certifications, etc. (e.g., JITC) that can be used to help secure AV systems. Does it ever make sense to use some of those for non-government clients that have really high security requirements, such as banks and healthcare?


KL: Yes. Scrutiny in the financial sector in particular is becoming more demanding as networks are more complex and security threats more prevalent. There are many cases where analysts and traders need to work simultaneously with multiple computers each of which has a different security level. Regulators, customers, investors, and media pressure financial companies to ensure that their systems and data are appropriately protected. The challenge is twofold: to create a user-friendly environment for multi-display, application-intensive trading floors while complying with the most rigorous security standards. Today, that means preventing hackers from surpassing existing network security by exploiting AV peripherals connected to the IT network.

The most common standard for AV and data is the Protection Profile designed by NIAP and adopted by most governments and defence bodies around the world. The Protection Profile defines threats financial institutions face such as hackers trying to penetrate the network by accessing bi-directional channels to plant viruses and recording and transmitting devices inside switchers. These actions enable hackers to record user names and passwords and connect easily to the network. A secured single keyboard/mouse setup for multiple isolated computers and secured video switchers at the user desktop application level can prevent both data leakage and hacking. This can be done while offering a user-friendly and seamless experience for users who are working with multiple isolated computers.

Read about potential security concerns for AV in Tim Kridel’s article 'Security holes and how to avoid a fall'.

Learn more from Audinate on top vulnerabilities in today’s AV systems in an article from the company’s Kieran Walsh: Shoring up security in enterprise AV