The Art of Hacking AV Systems

There are quite a few conferences that focus on AV equipment. On the consumer side, there is CES, on the broadcast side there is NAB, then for residential AV there is CEDIA Expo and for commercial AV, we have InfoComm.

The latest conference to focus on AV equipment, however, happened Friday, August 10th. The conference? DEFCON. The focus? Hacking AV systems, specifically the leading control system manufacturer, Crestron.

What is DEFCON? “Started in 1992 by the Dark Tangent, DEFCON is the world’s longest running and largest underground hacking conference.” It is attended by hackers and IT professionals wanting to learn about potential vulnerabilities in their companies’ systems.

One of the tracks this year was entitled “Who Controls the Controllers—Hacking Crestron IoT Automation Systems” and was taught by Ricky “HeadlessZeke” Lawshae, a security researcher at Trend Micro.  

Lawshae gleefully describes his track like this:

“In this talk, I will take a look at different Crestron devices from a security perspective and discuss the many vulnerabilities and opportunities for fun to be found within. I will demonstrate both documented and undocumented features that can be used to achieve full system compromise and show the need to make securing these systems a priority, instead of an afterthought, in every deployment. In short, hijinx will ensue.”

Lawshae explains that he chose Crestron specifically because of their prominence in the industry. His talk made quite a splash immediately, as on Friday, another publication, Wired, interviewed Lawshae and that interview inspired their own article, “Hackable Touchscreens Could Spy on Hotel Rooms and Meetings.”

Now Lawshae’s talk didn’t include all things Crestron, as it focused specifically on Crestron’s MC3 control system, which runs on Windows, and the company’s TSW-X60 touchscreen panel, which runs on Android. If you want to read the specifics of the more than two dozen vulnerabilities that Lawshae found in these products, the Wired post does a great job of laying some of them out in detail. To paraphrase, though, the vulnerabilities allow hackers to turn these devices into surveillance devices, and even the algorithms used to generate backdoor passwords are easily defeated by seasoned hackers.

Crestron stated that they have released a patch to address many of these issues as well. Wired included this statement from Crestron:

“Crestron has issued a fix for the vulnerabilities and firmware updates are now available. The updates are mandatory, according to Nick Milani, Crestron’s executive director of commercial product marketing. ‘We know of no adverse affects [sic] as a result of [the vulnerabilities],’ says Milani. ‘We responded very quickly.'”

Unfortunately, Crestron’s market position still made them a relevant target for this hacking convention, and to be completely fair, they aren’t the first or only AV control manufacturer to be identified as a potential hacking threat, nor are they the only control system to present this same type of vulnerability.

You may remember that two years ago AMX made similar news in Ars Technica. If you want to refresh your memory, check out their piece, “Media Devices Sold to Feds Have Hidden Backdoor with Sniffing Functions.” In short, that piece focused on the NX-1200 and also exposed a backdoor and a suspect password selection strategy that included passwords like Black Widow and 1MB@tMaN.


“‘Someone with knowledge of the backdoor could completely reconfigure and take over the device and due to the highest privileges also start sniffing attacks within the network segment,’ SEC Consult researcher Johannes Greil told Ars.”

AMX also commented quickly on the article in 2016 stating that:

“‘While such [logins are] useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.'”

AV convergence is something we have talked about for years; however, as the larger IoT landscape grows, the public awareness of networked devices makes hacking them a more and more attractive prospect. This means that now more than ever, AV manufacturers have to be diligent in securing their products, their products’ audio video transmissions, and their connected devices’ cameras and microphones.

My sister-in-law works for a major tech company in Silicon Valley as an IP attorney. Five years ago some of the senior counsel in her group left to go to another tech giant to head up the newly formed Data Privacy legal team. However, the need for increased awareness and due diligence in networked device security isn’t limited to the Silicon Valley giants or the top control system manufacturers in AV. It filters down to all of our installed and networked devices.

Every manufacturer and integrator needs to understand, properly communicate, and navigate these issues, lest they become the topic of a future DEFCON-style talk or, worse yet, the target of a malicious attack.

One of my friends, AV consultant Josh Srago, worked for Teecom, where he and his team created a network security questionnaire that they would send manufacturers ahead of meetings with them. They used the answers to properly assess whether a manufacturer’s products were ready for deployment on a secure enterprise network. The document is made up of eight multi-part questions that take up two pages, and according to Josh, they only cover the baseline concerns. “They don’t even start to cover the potential root or backdoor concerns,” he said. His interest in this topic even inspired him to apply to law school to pursue a legal degree with a certificate in Tech and another one in Privacy. He was accepted and actually starts that adventure next week.

The long and short of it is that AV is becoming visible in the IT space, and just as virus writers eventually turned to mobile operating systems as those became more prevalent, that increased visibility is a double-edged sword. AV companies need to be ever vigilant about their security practices and should be looking to hire or train individuals in tech and privacy law in order to properly assess both their vulnerabilities and their liabilities.

In doing so, we will continue to be valuable partners to our clients, but if we fail to take these threats seriously, the continued march of “not on my network” may just marginalize our industry.