Wireless security: Preventing unauthorised access
A recent security flaw found across eight different wireless presentation systems could prove to be a watershed moment for the AV industry. Paul Milligan reports.
Security has always been important in the AV world. Manufacturers have always been fiercely protective of any trademarked technology leaking, and clients are just as protective of unauthorised access from rival firms keen on garnering trade secrets. Right now, security means fighting unauthorised hacks and cybercrime. Security across global networks is something the IT world has become accustomed to for decades now, and as the AV world is increasingly morphing in to the AV over IP world so too has the need for AV hardware and software to be secure across IP networks.
End user’s growing desire to move towards wireless technology, including the huge rise in wireless presentation devices such as Barco’s ClickShare and Crestron’s AirMedia, has further heightened the importance on security. None more so than during this summer when a report by cybersecurity firm Tenable was published highlighting 15 vulnerabilities across eight wireless presentation systems. The vulnerabilities included flaws that could be exploited to remotely hack devices. The companies involved included some of the biggest names in pro AV; Barco, Crestron and Extron. The security flaws were discovered by Tenable during analysis of Crestron’s AirMedia AM-100 and AM-101 products. However, it then became apparent that a host of other devices from other manufacturers shared the same code. The 15 security flaws found also impacted Barco WePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS. The code appears to have originated from AWIND and its WePresent product (WePresent was bought by Barco in 2012).
Jacob Baines, the writer of the original Tenable blog post outlining the flaw says he discovered Crestron had patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000. In his research Baines found this wasn’t an isolated problem and found more than over 100 different universities in North America had these devices exposed to the internet. Another issue Baines found was that even though some manufacturers had released firmware addressing these issues, the most up-to-date version of the Crestron patch (220.127.116.11) was only installed in less than 20% of AM-100 devices he scanned. “The AM-101 situation is even worse. Less than 18% have the most recent firmware,” said Baines. In his conclusion he said, “What have we seen here? A resold platform that has different levels of patching across different vendors. Slow patch deployment amongst the user base. Difficult to obtain firmware. Installations that expose the devices to the internet. And, finally, poor software development practices that left all the devices open to unauthenticated remote code execution.”
To find out their side of events, and what the legacy of this incident might be we spoke to three of biggest companies involved – Barco, Crestron and Extron. First of all, could they have responded quicker to the situation? “There's always a lesson to be learned,” says Rainer Stiehl, VP of marketing – Europe, Extron. “For us, one of the things that that we did, prior to this disclosure becoming public, was the development of our ShareLink Pro platform, which differs from the ShareLink 250 series identified in that article. We really took a different engineering approach to the Pro version of the product, and one of the benefits is better control over these types of situations.”
Time will tell whether this was an isolated incident or not, but speaking to Extron, Crestron and Barco, it’s clear all three took this situation very seriously. “We learned a lot from this, and from the changes in the cybersecurity world that have been happening since the release of the original AirMedia AM-100 product in 2013,” says John Pavlik, senior director system engineering, Crestron. “We now have a team of dedicated security researchers that devote their time to poking holes in our own products long before they reach the public. Besides our own security team, we have also engaged with outside researchers to further test our own testers.”
In the original Tenable blog one point made by Baines is that ‘poor software development practices left all the devices open to authenticated remote code execution’, but is that a fair claim? The blame for a lot of this situation is falling on the original AWIND code it seems, “In those days, security and security vulnerabilities and security testing was less mature, so those vulnerabilities were always there in that code base. This is code which was used in most cases in products that have reached end of life. So it was a legacy code base which was not actively maintained anymore,” says David Martens, product security architect, Barco. Was it ‘poor software development practices’ at work? “When you have developers who aren't part of your organisation, you lose a little bit of that control, and that was one of the big motivations for us to move to the introduction of the Pro Series,” says Stiehl.
This issue grew as the platform was resold to different vendors, so going forward would the companies involved be looking to create their own bespoke coding more often? Yes, says Stiehl, “When you're working with a third-party group, the timeliness of those resolutions becomes a challenge. That’s one of the reasons we brought a lot of engineering expertise in-house.”
Barco’s Martens makes the point that it’s quite common to reuse components from other companies, and its frequently done, the difference is the current climate we live in. “10 years ago we would perform some functional testing on source code base or a product or component that you wanted to integrate, we were not thinking about security. Today that's totally different. In those times there was a huge focus on functionality, but there was absolutely no focus on security. That's a lesson to be learnt, today if you integrate components from a third party company/partner, after functional testing, security is also a very important task to take on.”
Security is an issue of control says Stiehl; “We saw wireless presentation capabilities as a key technology that we needed to have in-house. We wanted to be able to have control over that technology, the same way that we do with things like our scaling technology, our AV over IP technology etc. As things change in the security landscape, we’re able to be more responsive.”
Security is the wider issue, but is it simply a case that wireless systems make issues like this much more likely than the old ‘cable running from box A to box b’ systems? That’s not the case says Pavlik, “It is important to note that while AirMedia enables wireless presentation systems, the vulnerabilities flagged aren’t specific to wireless technologies. In fact, the AM-100 and AM-101 do not support a direct wireless connection at all. The devices are wired into the customer’s network, but laptops and portable devices can connect wirelessly, through the customer’s network.”
The growing use of wireless presentation systems inevitably means they become more exposed says Martens. “The more popular they become, the more exposed they become, and the more visible they are to hackers. There's nothing wrong with that, but you must be aware of it.” The issue is not with a lack of cable, it’s with the internet at large adds Stiehl, “As soon as you post something on the network, it becomes a much larger threat.”
Is this issue something that we as users just have to accept is part of modern office life now? “The people who design a product are human, so they will make mistakes and errors,” says Martens. Instead, get as much information as you can to protect yourself, he adds; “If you are choosing a wireless presentation system you must at least verify who is the owner of the product, who created the product, and how they deal with security. Those are signs that the company who is creating the product is taking security seriously.”
Considering the effects can be hugely disruptive to your business, should we be asking manufacturers to be more vigilant in patching vulnerabilities? All three companies we spoke to now have teams in places to handle vulnerabilities and flaws; “We are working on two fronts: before we release a product, it is heavily tested by a team of dedicated security researchers. Once a product is released, everybody can easily report potential vulnerabilities that were overlooked through the form on our website dedicated to security,” says Pavlik. Security is a huge issue, but let’s not forget these are businesses we are talking about, and if sales are being hit, you can bet there will be a reaction. “We have a responsibility to deliver products that are secure. If we aren't the ones doing it, then the end user is going to demand secure products elsewhere, and we certainly don't want that to happen,” adds Stiehl.
One of the one of the issues raised by Tenable was slow patch deployment among the user base. We have talked about manufacturer’s responsibilities, but do end users (or IT teams at the client end) have to be more vigilant in making sure the latest versions are installed? “The end user in most cases is not even aware, and that’s a huge problem,” says Martens. “They buy a product that works and they never think of updating because it works like it should.”
Updating software fixes is something we should all better at says Stiehl; “I think the AV market trails the IT market a little bit in the sophistication of patch management. But I think that's something we're going to see within the AV side of things in the future, we will have more active patch management, whether that's something the IT groups layer over AV products or something that the AV vendors provide themselves.”
It’s clear a great responsibility lies with manufacturers on security issues, they sell you the product so at the very least it should work in a way that doesn’t leave your company’s security compromised. Speaking to the three big names involved here, it’s clear they take security seriously, they’d be crazy not to. They all now have security teams in place to hunt for flaws before the product is even released. If there is still a problem in software released out in to the market they have teams to fix the problems as quick as they can.
The ability for users to easily report issues is a key one here. Some products will be used in a way out in the field that the manufacturers will have never imagined. We do trail the IT world in fixing software problems, but only because they have had decades of experience of doing this, and security flaws are a far bigger problem in the IT world than in ours. Being concerned about security is a sensible way to go about life, but the numbers of issues in the AV world are quite small, as this final quote from Extron’s Stiehl highlights; “Look at the CVE (Common Vulnerabilities and Exposures) numbers. At the time of the disclosure, there were almost 4000 logged vulnerabilities in the CVE database. If 15 of those 4,000 vulnerabilities apply to the AV industry, then percentage- wise we're doing all right.”