AV Security: “If it’s online, it’s at risk”
How to keep your AV equipment and network safe?
As a lot of audio and video equipment is now networked for either content delivery/transport or remote control/administration, if a piece of equipment has an internet connection it becomes a ‘thing’ on the internet, aka Internet of Things (IoT).
Consumers should look at vendors’ and installers’ security credentials. For permanent and major installations, projects and businesses should consider risk assessments driven by threat models – how well do we actually realise what could happen?
The long-term, sustainable solution would be for the AV equipment manufacturers to keep a keen eye on software security – design with the “internet threat scenarios” in mind, do appropriate testing etc. Increase the software quality and there will be less security issues as a side effect.
1. Study the ecosystem when selecting gear; different vendors might have varying cultures in security, different attitudes and mechanisms for patching or releasing new software versions. Are there a lot of regular firmware updates for a piece of gear? That might be more likely to indicate a good and timely patching culture than an inferior system.
Pro audio has now, for example, digital mixers, which are remotely controlled from a tablet, often with WiFi as the transport. Here, all traditional WiFi security tips apply for building the control networks – for example avoidance of use of default passwords in networking gear, shared credentials, unencrypted traffic.
2. Network design: because the gear is networked, you need sufficiently good network design. Defence in depth requires enough segregation so that remote control and content delivery are in their own segments, quite apart from normal internet access or office traffic. In an AV network there can be all kinds of devices, such as digital signage and audio players, many of these with a general purpose computer controlling the operation. When cracked, these can be a platform for a Bot – a springboard for getting further into the network and a platform to execute arbitrary code, code which could be used to take control of digital signage or even to mine Bitcoin, sapping performance from your devices or even code to allow an attacker to take control. If networking is kind of a “new feature” for a piece of AV gear, how much threat modeling has the manufacturer done? What kind of assessments have been run against the device? How much security risk is residual in the device? Does the vendor have a security initiative in place?
3. Denial of Service attack (DoS): If content delivery is based on IP networks, could attackers DoS the broadcast by fuzzing some part of the associated technology stack? – A DoS attack would have a similar effect to a radio jammer. Can you block emergency/crisis communication? Announcements during huge public events? Can you alter the feed, replace content with your own? Launch alarms at a stadium? DoS the security cameras blind when breaking and entering? Kill point-of-sale – devices and credit card terminals at a big event?
4. Networked mic and camera equipment: If Jim the janitor inserts a network sniffer/recorder in the RJ-45 socket in a closet or if a malicious actor can get onto the shared WiFi network, does he get inside information directly from cameras and mics? Think of how much the EVS operator sees that is confidential during an OB – e.g. royalty or heads of state clandestine conversations while mic’d up. That could be very interesting content for an eavesdropper.
The idea of a digital music file embedded with something triggering a vulnerability, and then executing arbitrary code, was coined in the automotive industry, but could also be done in networked AV systems.
5. The moral: the inputs to any software can be dangerous, and this software should be tested for its robustness at the factory. A lot of traditional network security advice applies also for AV-related networks. Change default passwords, learn how to patch your systems and devices and design properly (segregation, firewalling, ACLs).