Managing Security for Your Networked AV: Challenges and Opportunities
Streaming video over IP networks isn’t a new concept, but AV over IP systems have become commonplace only in the last few years. As with any networked system, networked AV poses certain security challenges.
Given concerns over hacking, cybercrime and the Internet of Things (IoT), fears that AV over IP poses insurmountable security risks are common — and overblown, according to HB Communications. Security concerns should be taken seriously, but proper management leads to a system that is at least as secure as hardwired AV.
What are the major security challenges for AV over IP systems? What opportunities do they present for integrators and organizations? We’ll cover some of the biggest questions here.
Challenge 1: Talking Security With Both AV and IT Teams
When it comes to installing AV systems, security, IT’s No. 1 concern, has often fallen by the wayside, according to Doug Hall, product manager of device control for Harman Professional Solutions.
“AV is an industry that started out separate from IT, and then it went through something that we, perhaps infamously, called ‘AV/IT convergence,’” Hall says. Despite living in a post-convergence world, however, AV professionals don’t always know which questions to ask, and IT professionals often respond to that lack of knowledge with silence. “Nobody wants to deal with an issue that they don’t understand, so the natural tendency is to avoid the subject altogether,” Hall says.
The result? “Security requirements for AV projects are often discovered at installation or even worse, on commissioning or later when the organization runs a security audit,” says Paul Zielie, Harman Professional Solutions manager of Enterprise Solutions.
Opportunity 1: Address Security Earlier and Build Security Literacy
AV integrators are increasingly preventing the late-realization problem by discussing security during the planning stages, according to Zielie. Both integrators and the organizations that hire them for AV over IP projects can also benefit from making basic security best practices part of their regular routine. These practices include:
- Changing default passwords
- Creating separate administrator and user accounts with separate privileges
- Enabling auditing logs and disabling unnecessary services
- Enabling encryption
In some cases, Zielie says, there’s simply no substitute for old-fashioned attentiveness. Describing one of the limitations of encrypting media streams using HDCP or equivalent, he says, “Even if the stream is encrypted or isolated on another network, the only protection you receive is from network eavesdropping. Anyone who is allowed to book a conference room could listen in to a meeting they are not authorized to attend.”
In other words, minding digital security means minding in-person security, too.
Challenge 2: The Internet of Things Raises Questions About the Security of Things
The Internet of Things describes the millions of devices that can connect to digital networks — everything from smartphones to fitness trackers to thermostats. When AV components like televisions or speakers are networked, these become part of the IoT, as well.
And there are a lot of Things. According to analysts at Gartner, the IoT will consist of more than 20 billion devices by 2020 — a number that does not include smartphones, PCs or tablets.
IoT security has been a major concern in recent years precisely because it wasn’t a concern in the early days of networked objects, according to Icon Labs. Companies learned the hard way from that early neglect that a networked object can become the weakest point in a system — and thus the easiest to hack.
Internet-connected televisions can contribute to the problem. As Gil Press notes at Forbes, Wikileaks’ recent release of CIA documents indicated that a networked TV can be repurposed for information-gathering purposes, even against the will of its user.
As long as AV components like TVs, projectors, speakers, and microphones are attached to an IP network, they offer opportunities for hackers. But this same challenge also offers an opportunity.
Opportunity 2: Building Security Into the System
“Standard PC security solutions won’t solve the challenges of embedded devices,” Icon Labs says. “In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.” Instead, Icon Labs notes, IoT security must be carried out at the device level.
AV over IP, however, offers more than one opportunity for protecting data within the system. Options include:
- Device security. As both Icon Labs and Wendy Zamora at MalwareBytes Labs note, most IoT devices don’t play well with traditional security tools. In order to remain secure, these devices need their own internal security solutions. Investing in an AV system whose devices come with security embedded, however, is currently costly and limits the range of available options. Fortunately, less-secure devices can be connected to networks in other ways without creating vulnerabilities.
- Stream encryption. Tools like Zio’s AV over IP encryption focus on the streaming AV data itself, encrypting the stream so that even if it is intercepted during transit it’s inaccessible to the interceptor. Decryption tools on the receiving end ensure the stream can be presented to its rightful viewers or listeners without interruption.
- Encoder/decoder encryption. One way to address both the thing-level security gaps and stream encryption simultaneously is to build encryption tools into the video encoder/decoder points, Matrox points out. Since video signals often must be encoded for streaming (and decoded for viewing), a switch that encrypts as it encodes puts security at the device level — at the switch — while ensuring the stream is secure throughout transit.
As security becomes the next Internet of Things hot topic, security options for components and transmission alike will improve. However, organizations seeking to upgrade to secure AV over IP needn’t wait for these built-in tools to become commonplace. Instead, integrators can incorporate security measures using existing tools and protocols.
Challenge 3: BYOD Pokes Holes in Your Best-Laid Security Plans
Many organizations allow or even encourage Bring Your Own Device (BYOD) policies that allow users to connect their own laptop, tablet, or other device to a network for AV purposes. These policies make it easier for people to work anywhere, and they can save a company money by reducing its own expenditures on items like PCs and tablets.
They can also poke massive holes in a company’s AV security. To cite just one example, a video presentation streamed from an employee’s own laptop may not be encrypted, making it vulnerable to unauthorized viewers.
Opportunity 3: Teach Everyone How Security Matters
While AV integrators are not typically in the business of providing “how to mind your cybersecurity” seminars, they can pass along a few tips to clients — and implement these tips themselves.
Nathan Spell at Synergy CT recommends adopting the following policies as a baseline:
- Change default system, home and Wi-Fi passwords.
- Turn off Wi-Fi and Bluetooth when not in use (bonus: it can help save your battery, too).
- Use reputable antivirus software and update it regularly.
- Don’t access public Wi-Fi points from personal devices.
In some situations, an organization may wish to make these points part of their requirements for using the BYOD privilege. In others, a ban on BYOD altogether may be the best way to protect sensitive information such as medical records or other data.
Challenge 4: ‘Everyone Knows’ How Online Security Works
Integrators who understand the security challenges of AV over IP can often have fruitful conversations with IT teams while preparing a project for a client. But talking to other client stakeholders can be a different story.
As Cristina Chipurici at Heimdal Security notes, myths about network security abound, and even the best-versed professionals can fall prey to them on occasion. Some of the most common misconceptions include:
- “Our business/network is too small and unimportant to interest hackers.”
- “We already have antivirus software/firewalls/another security measure, and it works fine.”
- “Our AV integrator’s recommended measures are too expensive, or just an attempt to upsell us something we don’t really need.”
- “We only access information from trusted sources, so we can’t get exploited.”
- “We will definitely know the moment something goes wrong.”
While these objections can be exasperating, they also reveal a key opportunity for integrators.
Opportunity 4: Truly Secure Systems Don’t Change With Opinions
If stakeholders in a project raise misconception-based reservations about a project, integrators have an opportunity not only to educate but to find better ways to build strong defenses into AV over IP projects.
For instance, in its own list of common network security myths, SynergyCT recommends bringing various truths to the fore:
- “We’re too small/we only use trusted sources”: Exploiters count on most people thinking they’re safe because they’re obscure. In fact, it’s the “too small” folks who make the best targets precisely because they believe they’re safe.
- “Our existing security works fine”: Recruiting the help of the IT department to debunk this myth can help. IT staff know there is no magic bullet for network security, and they have the background to interpret exactly how AV security will address specific weak points.
- “It’s too expensive/you’re trying to upsell us”: As integrators know, expense isn’t the toughest part of AV security. It’s recognizing what needs to be done in time to do it most efficiently. A comparison of the costs of encryption versus the costs of a breach can easily correct this misconception.
- “We’ll know the moment something goes wrong”: Often, hackers exploit weaknesses not to mess with the tech’s owner, but to hijack processing speed or other features of the network for their own purposes. These parasites often don’t show symptoms — but just like parasites in the animal world, they leave the host vulnerable to any number of other invaders.
The more integrators know about network security concerns specific to AV, the more effectively they can propose and implement AV over IP projects that provide strong defenses as well as top-notch functionality. Likewise, organizations that understand the basics of AV over IP network security equip themselves with the knowledge to choose an integrator who is well-versed in the topic.