Why Are We Not Talking About Digital Signage Security?
By Viktor Petersson
Over the last few years, we have seen many cases of digital signage players being hacked for fun, profit and even propaganda.
- Hardcore porn shown on hacked billboard in Malmö
- Cyberattack claims multiple airports in Vietnam
- Hacked digital signage displays porn in Union Station
- Hijacking the Outdoor Digital Billboard – By Defcon 16 hacking panel
Since the whole point of digital signage is that the digital displays are highly visible to onlookers, digital signage makes an attractive target. Why, then, is it that people are not talking about how to properly secure digital signage devices? After all, in my opinion, digital signage really falls under the IoT category, where people are finally starting to talk about security.
I only entered the digital signage industry a few years ago when we released Screenly in 2013 (frankly, it was somewhat of an accident that we ended up in the industry, but that’s a different story). Prior to Screenly, I spent many years in the software industry. From what I’ve experienced thus far, this is a rather rare background. Many, if not most, digital signage vendors sprung out of either an ad agency or from the AV world.
Now, you may ask yourself, what does this story have to do with security? A lot, I would argue.
Security is one of those invisible things. Most people don’t think about it until something bad happens. By then, it’s often too late. Security needs to be planned from the start. Moreover, what makes digital signage somewhat special is that it falls in a somewhat gray area between IT, marketing and, in some cases, the AV department. These different departments have very different concerns. Depending on the power structure in the organization, one department may have more say over the other over what solutions get implemented.
The digital signage companies that sprung out of ad agencies are great at selling to the marketing side of an organization. They speak the same language. The same is true for the companies spun out of the AV world for the AV departments. For these departments, security is just a mundane detail.
For the IT department, security is a primary concern. However, when the budget needs to be tightened, these invisible things are often the ones that get deprioritized. What makes things even more complicated is that many organizations are still debating if they should run everything in-house on their own infrastructure or use a cloud service. The security models for these scenarios are very different, but it’s clear that the whole IT industry is moving towards the cloud (even if some regions and verticals are slower to embrace this than others).
With that out of the way, let’s talk about what security in digital signage actually means. To narrow down the scope of our discussion, I will focus mostly on the actual players rather than the back-end.
Define your “threat model”
Perhaps the most important thing to do is to define the threat model. What this really tasks you with is answering the following questions: Who are you protecting yourself against? Are you mostly worried about a bored teenager taking over your screens “for the lulz” (i.e., for fun), or are you worried about a more sophisticated attacker (such as an organized crime ring) holding your screens hostage for a ransom? It is important to note that sophisticated attackers can even use your digital signage infrastructure as a stepping-stone to the rest of the company’s infrastructure and data (much like how a smart fish tank was used to compromise a casino). Some organizations might even include state-sponsored attackers as part of their threat model, in which case things gets a lot more complicated.
Below, I will outline some thoughts on what to think about for the first two threat models, meaning (1) the bored teenager threat model and (2) the more sophisticated attacker threat model. I will not cover how to protect yourself against a state-sponsored attacker, as that’s far more complicated than what can be covered here.
Before we begin, there’s a saying in the security world: Physical access means game over. What this means is that if an attacker can gain physical access to a device/server/workstation/digital signage player, all bets are off. Sure, you can take steps to make it more challenging (such as gluing the USB ports, removing debug pins on the board, etc.), but, given enough time, a skilled attacker will find a way in. But this is not the most likely threat: internet-connected devices present an attack surface to the world. What you should be most worried about is remote attack vectors.
Take sensible precautions by either locking your digital signage players into a box or putting them in a hard-to-access location. Any sensible digital signage solution should be secure enough to protect against a rogue staff member walking up to the digital signage player and plugging in a USB keyboard and mouse.
Threat model: the bored teenager
Here’s a basic checklist. It is by no means complete, but it’s a starting point. If your digital signage vendor fails any of the below criteria, you should really just forget them. Their solution is likely to put your business at risk, and the company shouldn’t be taken seriously.
- Is the operating system receiving security updates? For instance, if your digital signage players are Windows based and are using anything older than Windows 10, you’re out of luck since Microsoft deemed these versions “end-of-life.”
- Are your devices receiving updates in a timely fashion (or at all)? If your devices are not receiving updates “over-the-air” (i.e., automatically), do you patch your devices in a timely fashion?
- Are the devices properly locked down? Meaning, are there open ports (like VNC/TeamViewer/SSH/internal services) that could be exploited remotely? Some of these are more secure than others, but ideally your devices do not have any open ports at all.
- Are there default credentials on the devices? It isn’t all that rare that vendors pre-program user accounts to simplify troubleshooting. Well, guess what, that also makes it easier for an attacker to exploit your device.
- Is all communication encrypted? It’s 2018. There is really no reason to not encrypt all communication between the client and the back-end (with validation). This also makes it a lot more challenging for an attacker to hijack the device.
What you should really know about these type of attackers is that, generally speaking, they are either curious or just bored. It should also be said that the chances are that you’re just collateral damage to another attack. For instance, consider a company that’s running a digital signage player that is connected to the internet with 4G and that hasn’t been patched with the latest security updates. For this company, there’s a reasonable chance that a teenager,armed with software such as Metasploit, discovers the company’s devices accidentally. After breaching these devices, this teenager will discover your company’s device is a digital signage device and this teenager will start playing tricks on you.
Also, with modern tools such as masscan, it’s possible to scan the entire public internet for vulnerable devices in under five minutes. If you’re not taking security seriously for even this threat model, the odds are not in your favor.
Threat model: a crime ring
When you’re protecting yourself against a more sophisticated attacker, you still need to check off all of the items for the lower threat model. However, protecting yourself against an attacker like this can be challenging. Unless you have a very high profile or very large deployment, it’s likely that your digital signage network is just a tool to get to other more juicy targets.
If this is your threat model, you really should have a longer conversation with a security consultant, but here are some basics:
- Isolate your digital signage players on a dedicated network (e.g., VLAN) that can’t access the rest of your infrastructure and can only access the digital-signage back-end. Please note that just putting your devices on a dedicated network that is shielded off from the world is and then ignoring all update is not a strategy regardless of threat model. I’m frankly surprised how often I’ve heard this “security approach” from vendors and potential clients.
- Consider disabling things like Bluetooth, which has been used as an attack vector in the past.
- Make sure your devices are patched as soon as a vulnerability is announced. Your vendor should be able to point you to these “CVE” mailing lists. That said, sophisticated attackers often use “zero day” attacks. This references to vulnerabilities that are yet to be fixed by the vendors. These exploits are often traded on hacker forum, making them very hard to protect against.
- Deploy a proper Intrusion Detection System (IDS) and Deep Package Inspection (DPI) in your network infrastructure to ensure that you can proactively probe for unusual traffic patterns.
- Make sure that all firmware updates are cryptographically signed by the vendor. If not, it’s possible for an attacker to compromise an update and sneak in a backdoor.
Security is hard, and it won’t win you any awards for having the shiniest digital signage installation. However, it can save you from a PR disaster or worse. It’s time that we start talking about digital signage security beyond just using it as a buzzword. For us at Screenly, security is important, and we’re transparent about what precautions we take. Moreover, we’ve partnered with Ubuntu to ensure that all of our devices are secured and patched quickly and in an automated fashion.
Want to talk security? Get in touch with us at screenly.io, and if you’re interested in what we have done to secure our players, check out our blog post Screenly 2 Player under the spotlight – Part 1 – The operating system and security where we share lots of details about the inner workings of Screenly’s digital signage player.