IoT Is a Potential Hacker-Fest

Everyone, everywhere is talking about the so-called Internet of Things (IoT). And every tech company is trying to find a way to claim its products are part of IoT, too. Most of it is hype. Pure hype.

But, some of the companies that do have IoT things are being stupid. Why?

Security.

The Internet of Things is a hacker-fest.

Got an Amazon Echo Dot in your home so you can order something by voice? It’s a hacker’s gateway without a lock. Adding digital signage to your campus? Most signage players (yes, most) are network-attached computers, and that makes them a golden ticket for an attacker. And what about cloud-based control of AV gear? Hmmm, you be the judge.

The importance of security cannot be overstated — and it cannot be ignored. No one did a better job explaining this giant risk than rAVe columnist Raymond Kent, earlier this year in his column The Risks of IoT. If you haven’t read it, go. And just last month, rAVe BlogSquad member Mark Coxon added this piece on the Art of Hacking AV Systems, detailing what happened at the recent DEF CON hacking conference.

So, how much research are you doing when you spec that AV product you’re connecting to the internet, to the network? Are you assuming, like most of us are, that the manufacturer making the product is dealing with its security in a way that keeps their IoT device from being a hacker-fest party? Or are you taking responsibility for said product and dealing with security on your own?

As we move closer and closer to all-IP all-the-time, we need to get educated on network security and realize that we are also responsible for what we install.

As a primer, there are three things to check on any device you connect to the IT network. Remember, as the integrator of the system you are responsible for its security in many cases, or at the very least for what it can and can’t do:

1. Does the device support IEEE 802.1X? There is no such thing as “802.1X certified,” so the questions for the manufacturer are whether the device has a supplicant, which EAP methods it supports (EAP-TLS with a per-device certificate is what most enterprise networks prefer; PEAP with a stored user name and password is the usual fallback) and how you get a certificate onto it. A device that can’t do 802.1X ends up on a MAC-address exception list, and MAC addresses are trivial to spoof. From Wikipedia: “802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wants to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware. The authenticator acts like a security guard to a protected network.”

2. Can the device authenticate against Active Directory (AD)? In practice that means its admin and user logins are checked against the domain, over LDAPS or Kerberos rather than clear-text LDAP, with access levels tied to AD groups, and that the built-in local admin account can be disabled or at least renamed and given a unique password. From Wikipedia: “Active Directory is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services. A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user. Also, it allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services and Rights Management Services.”

3. Does the device support SRTP? (Support, not certification. And it only applies to gear that carries audio and video as RTP, which covers most VoIP and video conferencing products but not every AV-over-IP stream; for the rest, ask what, if anything, encrypts the stream.) Also ask how the SRTP keys are exchanged: SRTP protects the media only, so if the keys travel in SDP over unencrypted SIP, anyone who can read the signaling can decrypt the call. SIP over TLS with SDES (RFC 4568) or DTLS-SRTP (RFC 5764) closes that gap. From Wikipedia: “The Secure Real-time Transport Protocol (SRTP) is a Real-time Transport Protocol (RTP) profile, intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications. It was developed by a small team of Internet Protocol and cryptographic experts from Cisco and Ericsson. It was first published by the IETF in March 2004 as RFC 3711. Since RTP is closely related to RTP Control Protocol (RTCP) which can be used to control the RTP session, SRTP also has a sister protocol, called Secure RTCP (SRTCP); SRTCP securely provides the same features to RTCP, as the ones provided by SRTP to RTP. SRTP and SRTCP use Advanced Encryption Standard (AES) as the default cipher. There are two cipher modes defined which allow the AES block cipher to be used as a stream cipher.”
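To make the three roles in that 802.1X paragraph (factor 1) concrete, here is an added example in Python. It is mine, not the column’s and not any switch or AV vendor’s code. The AV device is the supplicant, the switch port is the authenticator, and the RADIUS server is the only party that ever sees the credentials; the port starts closed on every link-up and only opens on Access-Accept. It uses EAP-MD5-Challenge because that fits in a few lines, not because you should deploy it, and the identities and passwords are made up.

```python
"""Model of the three-party IEEE 802.1X exchange described in factor 1.

Added illustration, not code from the column or from any switch or AV vendor.
Roles as in the quoted text: supplicant (the AV device), authenticator (the
switch port) and authentication server (RADIUS). The EAP method is
EAP-MD5-Challenge (RFC 3748 section 5.4, a CHAP-style MD5 hash) purely because
it is short; it has no mutual authentication and is not what a production
network should use. Identities and passwords are made up.
"""
import hashlib
import hmac
import os

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


class AuthenticationServer:
    """RADIUS/EAP server: the only party that ever holds the credentials."""

    def __init__(self, users):
        self.users = users                      # identity -> password (bytes)

    def new_challenge(self):
        return os.urandom(16)

    def decide(self, identity, eap_id, challenge, response):
        """Return 'Access-Accept' or 'Access-Reject' for an EAP-MD5 response."""
        password = self.users.get(identity)
        if password is None:
            return "Access-Reject"
        # CHAP / EAP-MD5: MD5(identifier || secret || challenge)
        expected = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
        ok = hmac.compare_digest(expected, response)
        return "Access-Accept" if ok else "Access-Reject"


class Supplicant:
    """802.1X client software on the AV device; answers EAP requests from the port."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond_identity(self):
        return self.identity

    def respond_md5(self, eap_id, challenge):
        return hashlib.md5(bytes([eap_id]) + self.password + challenge).digest()


class Authenticator:
    """The switch port. It relays EAP between supplicant and server and passes
    ordinary traffic only after the server answers Access-Accept."""

    def __init__(self, server):
        self.server = server
        self.port_state = UNAUTHORIZED
        self.log = []

    def link_up(self, supplicant):
        """Run the exchange for a device that just plugged in; return the port state."""
        self.port_state = UNAUTHORIZED          # every link-up starts closed
        if supplicant is None:
            # Device with no supplicant: EAP-Request/Identity goes unanswered and the
            # port stays closed (unless the switch falls back to MAC Authentication
            # Bypass, which any device with a spoofed MAC address can satisfy).
            self.log.append("EAP-Request/Identity: no response")
            return self.port_state
        identity = supplicant.respond_identity()
        eap_id = 1
        challenge = self.server.new_challenge()
        response = supplicant.respond_md5(eap_id, challenge)
        # The port only relays; it never sees the password itself.
        verdict = self.server.decide(identity, eap_id, challenge, response)
        self.log.append(f"RADIUS {verdict} for {identity!r}")
        if verdict == "Access-Accept":
            self.port_state = AUTHORIZED
        return self.port_state

    def forward(self, frame):
        """Data plane: True if the frame would be switched, False if dropped."""
        return self.port_state == AUTHORIZED


def demo():
    """Three devices plug into the same port; return the resulting port states."""
    radius = AuthenticationServer({"av-codec-01": b"correct horse battery staple"})
    port = Authenticator(radius)
    good = Supplicant("av-codec-01", b"correct horse battery staple")
    bad = Supplicant("av-codec-01", b"admin")
    return {
        "configured_device": port.link_up(good),
        "wrong_password": port.link_up(bad),
        "no_supplicant": port.link_up(None),
    }


if __name__ == "__main__":
    for device, state in demo().items():
        print(f"{device}: port {state}")
```

Note what the model shows for a device with no supplicant: the port stays unauthorized and its frames are dropped. That is exactly why IT departments end up creating MAC Authentication Bypass exceptions for AV gear, and why those exceptions are the weak spot an attacker looks for.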
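The replay and authentication features in that SRTP description (factor 3) are easier to appreciate in code. The following is an added example, mine rather than anything from the column or a product: a sender that builds SRTP packets with the HMAC-SHA1-80 tag over the RTP packet plus rollover counter, and a receiver that enforces the RFC 3711 replay window and sequence-number rollover before it trusts a packet. The AES counter-mode payload encryption is left out because Python’s standard library has no AES; the key, SSRC and payloads are made up.

```python
"""SRTP (RFC 3711) authentication tag and replay window, for factor 3 above.

Added example, not from the column or any product. Implements the HMAC-SHA1-80
tag over RTP packet + rollover counter (ROC) and the receiver's replay window
(RFC 3711 3.3.2) including SEQ rollover. AES-CM payload encryption is omitted
(no AES in the standard library). Key, SSRC and payloads are made up.
"""
import hashlib
import hmac
import struct

TAG_LEN = 10    # HMAC-SHA1-80: tag truncated to 80 bits
WINDOW = 64     # replay window; RFC 3711 requires at least 64
HDR_LEN = 12    # fixed RTP header, no CSRCs or extension


def rtp_header(seq, ssrc, payload_type=96, timestamp=0):
    """12-byte RTP header: V=2, no padding/extension/CSRC, marker 0."""
    return struct.pack("!BBHII", 0x80, payload_type, seq & 0xFFFF, timestamp, ssrc)


def auth_tag(auth_key, packet, roc):
    """HMAC-SHA1 over (RTP packet || ROC), truncated to 80 bits (RFC 3711 4.2)."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc & 0xFFFFFFFF), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


class SrtpSender:
    def __init__(self, auth_key, ssrc):
        self.auth_key, self.ssrc, self.seq, self.roc = auth_key, ssrc, 0, 0

    def protect(self, payload):
        """Return header + payload + tag; advance SEQ, and ROC when SEQ wraps."""
        packet = rtp_header(self.seq, self.ssrc) + payload  # full SRTP encrypts here
        tag = auth_tag(self.auth_key, packet, self.roc)
        self.seq += 1
        if self.seq == 0x10000:
            self.seq, self.roc = 0, self.roc + 1
        return packet + tag


class SrtpReceiver:
    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.s_l = None       # highest SEQ authenticated so far
        self.roc = 0          # receiver's rollover counter
        self.highest = None   # highest packet index accepted
        self.seen = set()     # accepted indices inside the window

    def _estimate(self, seq):
        """Packet index i = 2^16 * v + SEQ with v in {ROC-1, ROC, ROC+1} (3.3.1)."""
        v = self.roc
        if self.s_l is not None:
            if self.s_l < 0x8000 and seq - self.s_l > 0x8000:
                v = self.roc - 1
            elif self.s_l >= 0x8000 and self.s_l - 0x8000 > seq:
                v = self.roc + 1
        return v * 0x10000 + seq, v

    def unprotect(self, srtp_packet):
        """Return the RTP payload, or raise ValueError for replayed/forged packets."""
        packet, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
        seq = struct.unpack("!H", packet[2:4])[0]
        index, v = self._estimate(seq)
        # 1. Replay list first: no crypto work for packets we would drop anyway.
        if self.highest is not None and index <= self.highest - WINDOW:
            raise ValueError("replay: packet older than window")
        if index in self.seen:
            raise ValueError("replay: packet already received")
        # 2. Authenticate before trusting anything in the packet.
        if not hmac.compare_digest(auth_tag(self.auth_key, packet, v), tag):
            raise ValueError("authentication failed")
        # 3. Only an authenticated packet updates receiver state.
        self.seen.add(index)
        if self.highest is None or index > self.highest:
            self.highest = index
            self.seen = {i for i in self.seen if i > self.highest - WINDOW}
        if v == self.roc + 1:
            self.roc, self.s_l = v, seq
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        return packet[HDR_LEN:]


def demo():
    """Legitimate stream, then a replay, a tampered packet and a forgery."""
    key = bytes(range(20))                          # made-up 160-bit session auth key
    tx, rx = SrtpSender(key, ssrc=0x1234ABCD), SrtpReceiver(key)
    first, second, third = (tx.protect(b"frame-%d" % i) for i in range(3))
    forger = SrtpSender(b"attacker-guess", ssrc=0x1234ABCD)
    forger.seq = 7                                  # fresh SEQ, so only the tag can stop it
    results = {"first": rx.unprotect(first), "second": rx.unprotect(second)}
    attempts = [("replayed_first", first),
                ("tampered_third", third[:HDR_LEN] + b"X" + third[HDR_LEN + 1:]),
                ("forged_wrong_key", forger.protect(b"frame-7"))]
    for name, pkt in attempts:
        try:
            results[name] = rx.unprotect(pkt)
        except ValueError as err:
            results[name] = str(err)
    results["genuine_third"] = rx.unprotect(third)  # still accepted after the attacks
    return results
```

The order of checks in unprotect() is the point: replay list first (it is cheap), then the tag, and the receiver’s state is only updated by a packet that passed both. That is why a tampered copy of an in-flight packet cannot block the genuine one that arrives after it.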

Like I mentioned earlier, the impending AV-over-IP movement is about to push everything we install across the IT network, so we need to get educated on where our devices are at risk.

Gary Kayye

About Gary Kayye

Gary Kayye, founder of rAVe Publications, is one of the most prominent personalities in the audiovisual industry. He has been a contributor to WIRED magazine and a technical advisor and columnist for Sound & Communications magazine as well as an opinionated columnist for rAVe [Publications] since 2003. In addition to his writing and market analysis, Gary has been a product, marketing and business operations consultant to dozens of AV companies in the U.S. and overseas. Clients have included companies such as Sony, Sharp, Epson, Lutron, InFocus, Sanyo, Mitsubishi, NEC and Philips.

Gary, who has been involved with the audiovisual market for over 20 years, was the recipient of the InfoComm 2003 Educator of the Year Award and the 2007 NSCA Instructor of the Year Award. Over the years, he has donated much of his time as an active volunteer in the AV industry’s trade association and served as chairman of InfoComm’s Professional Education & Training Committee (PETC), chairman of the ICIA Design School Committee and chairman of InfoComm’s Installation School Committee. In addition, he has served on the InfoComm board of governors. He also helped grow the InfoComm Projection Shoot-Out as the premiere AV industry trade show special event, serving on the committee from 1991 through 1997, and was instrumental in launching the Shoot-Out in the European market at the Photokina Expo in 1994 and 1996 as well as the Asian market at the 1995 and 1997 INFOCOMM Asia shows.

Prior to founding his own company, Gary was vice president of sales and marketing for AMX Corporation (www.amx.com), a manufacturer specializing in professional AV and residential AV control systems. Prior to AMX, Gary spent nine years at Extron Electronics (www.extron.com), rising to the position of vice president of sales and marketing.

Gary earned his bachelor’s degree in journalism in 1987 from the University of North Carolina and is currently Adjunct Faculty at UNC in the School of Journalism teaching a class on how future technologies will affect the future of advertising, PR and marketing. He is also the founder of Swim for Smiles, a non-profit that raises money for the N.C. Children’s Hospital through swimming and other fitness-related events for kids. You can contact him at gary@ravepubs.com.

  • Thanks for this important post.
    So much has already been said and so little has changed. Need any proof?
    Most people (including me!) expected that the findings presented during DEFCON would send shock waves through the industry: manufacturers getting into full steam by showing how great their security is, installers frantically looking for security training for their staff and, last but for sure not least, the end users aka tech managers starting serious security analysis, hiring consultants to go through their systems, adjusting their product short lists by including security features, advancing replacement of old and insecure installs, etc.
    And what happened? Almost nothing if you ask me! This is simply a sign that this very industry seems to wait for even bigger disasters to happen.
    Sorry for sounding negative, but what on earth has to happen to make people get into gear?
    However, related industries like building automation are not any better, so we don’t have to feel alone in ignoring security.

  • Dpwolf

    This is something I work through nearly every day. As an innovator for a tech company that is a bank, security is one of my top priorities. However, user experience is also my top priority. The advantages of room technology with an IoT strategy take the experience to the level my customers now expect. There is a HUGE opportunity in the AV industry for vendors to provide easy access to product development and security SMEs to customers to develop the necessary processes and documentation to streamline the intake and approval time of connecting devices securely to the network with hardening standards and risk mitigation processes. The age of “JITIC approved black boxes” is over. The areas of improvement I’ve come across are:
    1. Transparency: documenting all the traffic patterns, operating systems and configurable settings is well overdue.
    2. To your point of access and authentication: make products that leverage enterprise IT access controls, with layers of access for admins, managers, users and API consumers, while shutting down local credentials.
    3. Do not depend on nonsecure protocols like HTTP, Telnet and FTP; add the S to all of them by default.
    4. “Encryption” of all data, and the OS, at rest and in motion.
    5. Make devices work with web proxies (“duh”).
    6. Vendors need to buy and scan devices with the tools enterprises use before any release is GA.
    7. Central asset monitoring with inventory and software version reporting.
    8. Encrypt everything including OS memory/storage, data in motion and at rest.
    9. Vulnerability risk assessments and security notifications are published and emailed to support teams.
    10. Provide the ability to lock down USB and other media slots/ports to prevent intrusion.
    11. Provide the ability to use enterprise certificate authorities and web certs.
    12. Provide the ability to implement custom security banners where users log in (web, SSH, etc.).

    Non-security related
    1. Products should have an authenticated REST API, not just a traditional “AV API” or serial control.
    2. Don’t cache DNS; honor DNS TTLs.
    3. Applications should leverage load balancing or similar traffic management tools to redirect traffic as needed to ensure 99% uptime.
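Dpwolf’s second item and factor 2 of the column describe the same requirement from two sides: logins checked against the enterprise directory, with layered roles and no local credentials. As an added example (mine, not code from the column, the commenter or any product), here is what that looks like inside a device’s login path, in Python. The directory is an in-memory stand-in for an LDAPS connection to a domain controller so the block runs offline; the group names, DNs, accounts and role table are assumptions.

```python
"""Directory-backed login for an AV device: what "capable of Active Directory"
should mean in practice.

Added illustration, not code from the column or from Dpwolf's comment. It makes
concrete two points both raise (factor 2 above and item 2 in the comment):
authenticate administrators against the directory, and give them layered roles
from group membership with no local-account fallback. The directory sits behind
a two-call interface (search, bind) so the block runs offline against a
constructed in-memory stand-in; on a real device that interface is an LDAPS
connection to a domain controller. Group names, DNs, accounts and the role
table are assumptions for the example.
"""

# Assumed AD groups and the device role each grants; rank decides on overlap.
ROLE_BY_GROUP = {
    "CN=AV-Admins,OU=Groups,DC=example,DC=com": "admin",
    "CN=AV-Managers,OU=Groups,DC=example,DC=com": "manager",
    "CN=AV-Users,OU=Groups,DC=example,DC=com": "user",
}
ROLE_RANK = {"admin": 3, "manager": 2, "user": 1}


def escape_filter_value(value):
    """RFC 4515 escaping: a user-typed name must not be able to rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(sam_account_name):
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


class InMemoryDirectory:
    """Constructed stand-in for a domain controller reached over LDAPS."""

    PREFIX = "(&(objectClass=user)(sAMAccountName="

    def __init__(self, entries, passwords):
        self.entries = entries        # dn -> attributes
        self.passwords = passwords    # dn -> password

    def search(self, ldap_filter):
        """Return [(dn, attrs)] matching the one filter shape user_filter() builds."""
        if not (ldap_filter.startswith(self.PREFIX) and ldap_filter.endswith("))")):
            raise ValueError("unsupported filter")
        wanted = ldap_filter[len(self.PREFIX):-2]          # still in escaped form
        return [(dn, a) for dn, a in self.entries.items()
                if escape_filter_value(a["sAMAccountName"]) == wanted]

    def bind(self, dn, password):
        return self.passwords.get(dn) == password


def authenticate(directory, username, password):
    """Return the device role for this login, or None. There is no local fallback."""
    if not password:
        # Real LDAP servers treat a DN with an empty password as an anonymous
        # bind that *succeeds* (RFC 4513 5.1.2); refuse it before it gets there.
        return None
    matches = directory.search(user_filter(username))
    if len(matches) != 1:
        return None
    dn, attrs = matches[0]
    if not directory.bind(dn, password):      # the user's own bind proves the password
        return None
    roles = [ROLE_BY_GROUP[g] for g in attrs.get("memberOf", ()) if g in ROLE_BY_GROUP]
    if not roles:
        return None                           # valid domain account, no entitlement here
    return max(roles, key=ROLE_RANK.__getitem__)


# Constructed directory contents for the demonstration.
_BASE = "OU=Groups,DC=example,DC=com"
DIRECTORY = InMemoryDirectory(
    entries={
        "CN=Alice,OU=Staff,DC=example,DC=com": {
            "sAMAccountName": "alice",
            "memberOf": [f"CN=AV-Admins,{_BASE}", f"CN=AV-Users,{_BASE}"]},
        "CN=Bob,OU=Staff,DC=example,DC=com": {
            "sAMAccountName": "bob", "memberOf": [f"CN=AV-Users,{_BASE}"]},
        "CN=Carol,OU=Staff,DC=example,DC=com": {
            "sAMAccountName": "carol", "memberOf": [f"CN=Finance,{_BASE}"]},
    },
    passwords={
        "CN=Alice,OU=Staff,DC=example,DC=com": "alice-pw",
        "CN=Bob,OU=Staff,DC=example,DC=com": "bob-pw",
        "CN=Carol,OU=Staff,DC=example,DC=com": "carol-pw",
    },
)


def demo():
    """Logins a device would see; returns 'user/password' -> role (or None)."""
    attempts = [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw"),
                ("alice", "wrong"), ("alice", ""), ("alice)(objectClass=*", "x")]
    return {f"{u}/{p}": authenticate(DIRECTORY, u, p) for u, p in attempts}


if __name__ == "__main__":
    print(demo())
```

Two details here are the ones that go wrong in real firmware: the user name is escaped per RFC 4515 before it goes into the search filter, so “alice)(objectClass=*” finds nobody instead of everybody, and an empty password is refused before the bind, because an LDAP simple bind with a DN and no password succeeds as anonymous.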