Three Ways Network Security Can Protect AV Systems

A secure network requires both audiovisual and information technology to operate as one.

Any device visible on the network is at risk of cyberattack, including audio/visual technology, which is why certified audio/visual integrators should be consulted. An AV system manufactured by a reputable brand and installed by an experienced integrator will offer a degree of security against intrusion, but there is still room for improvement. An experienced AV integrator is essential for your organization because they are familiar with the methods hackers use to attack AV technology. Although calling an expert in this area is essential when setting up an AV system for maximum security, it is your IT personnel and AV partner who will be responsible for maintaining the system's security.

Intruders target AV equipment for many reasons, but the most insidious of them is infiltrating other network devices, exposing employees' personal records and company financial information. Once hackers and intruders are inside AV technology, what can they do? For starters:

  • Join conferencing sessions, including video conferencing, discreetly and anonymously.
  • Listen in on people by starting a conferencing session while the system is inactive.
  • Configure the system so that other features and components become visible or vulnerable.
  • Exploit a weakness in the network's security to gain access to other network devices and systems.

While that list should alarm any network administrator, it barely scratches the surface of what damage can be done once an attacker is inside.

Network security plays a crucial role in preventing attacks. Since today's AV systems are rapidly merging with organizations' networks, all due consideration must be given by IT departments when implementing security plans. AV technology cannot exist as an isolated entity - it must be integrated into the organization's broader network security protocol, or it may soon be compromised.

The following methods can be used to strengthen AV equipment and the network on which it depends:

1. Before any AV technology is integrated into the space, a plan must be developed for physically securing it when not in use. Attacks can originate from within as well as from exposed components, so it is a good idea to lock away any non-operational components behind secured doors and inside secure cabinets as the first line of defense.

2. AV performance should always be monitored. For years, IT has relied on monitoring software to ensure their devices are functioning properly. System performance changes like unexpected surges in activity may be signs of something malicious.

3. Professional IT teams have a wealth of security tools and techniques at their disposal to safeguard AV systems from external intrusions. For example, systems can be protected behind a firewall, rely on in-system programming, or be connected to a virtual local area network. It is also important to take into account the operating system of a network since the most common ones are the most susceptible to malicious programming.  
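One way to act on the monitoring advice in item 2, shown as an added example that is not part of the original article: compare each AV device's traffic while its room is unbooked against that device's own idle baseline, which also surfaces a conferencing session started while the system should be inactive. The device names, sample figures, booking calendar and the 5x threshold are all assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample data: (device, bucket start, outbound kbit/s) as a network
# monitor might export it, plus room bookings. All names are hypothetical.
SAMPLES = [
    ("codec-boardroom", "2024-05-06T09:00", 35),
    ("codec-boardroom", "2024-05-06T09:30", 42),
    ("codec-boardroom", "2024-05-06T10:00", 2100),  # booked meeting
    ("codec-boardroom", "2024-05-06T10:30", 1950),  # booked meeting
    ("codec-boardroom", "2024-05-06T11:00", 38),
    ("codec-boardroom", "2024-05-06T22:00", 1800),  # nobody booked the room
    ("codec-boardroom", "2024-05-06T22:30", 40),
    ("dsp-lobby", "2024-05-06T09:00", 12),
    ("dsp-lobby", "2024-05-06T09:30", 15),
    ("dsp-lobby", "2024-05-06T10:00", 14),
    ("dsp-lobby", "2024-05-06T10:30", 13),
]
BOOKINGS = {"codec-boardroom": [("2024-05-06T10:00", "2024-05-06T11:00")]}


def _booked(device, ts, bookings):
    """True if ts falls inside a booking window (start inclusive, end exclusive)."""
    return any(datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end)
               for start, end in bookings.get(device, []))


def find_surges(samples, bookings, factor=5.0):
    """Flag buckets where an idle device sends far more than its idle baseline."""
    idle = {}
    for device, stamp, kbps in samples:
        if not _booked(device, datetime.fromisoformat(stamp), bookings):
            idle.setdefault(device, []).append((stamp, kbps))
    alerts = []
    for device, rows in idle.items():
        # The median keeps a single surge from inflating its own baseline.
        baseline = median(kbps for _, kbps in rows)
        for stamp, kbps in rows:
            if kbps > factor * max(baseline, 1):
                alerts.append((device, stamp, kbps, baseline))
    return alerts


if __name__ == "__main__":
    for device, stamp, kbps, baseline in find_surges(SAMPLES, BOOKINGS):
        print(f"{device} {stamp}: {kbps} kbit/s while idle (baseline {baseline})")
```

Traffic during a booked meeting is excluded from both the baseline and the alerts, so a normal call does not raise an alert or hide a later out-of-hours session.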

A secure network requires both audiovisual and information technology to operate as one, even though they were developed independently. In order to ensure that your AV system is as secure as possible, you will need the advice of a certified audio/visual integrator as well as your IT department.  


Aaron Weiler
3 months ago

This brought up a super interesting point that I had never thought of before which is this: 

  • Join conferencing sessions, including video conferencing, discreetly and anonymously

Now, the concept here is pretty easy to grasp but I think it can be overlooked. What I mean is: most of the time IT security focused individuals are focused on preventing bad actors from entering the network and gathering traditional data. From my experience there has been a focus on what you could call a "live listen" or "live view" almost like looking through a peephole to gather real-time data. What I find even MORE interesting is what you could gain from doing this. As in, oftentimes folks are what I would call "disarmed" in those situations. For instance, you are more likely to share and say things that you wouldn't normally do if you knew those communications were being recorded and stored (which I would assume they are normally not always). So, the information you could gather and record on your own as a bad actor would pay off BIG TIME. I'm curious if anyone has ever had a breach of this nature because that would be a super interesting case study.

Jamie Horner
3 months ago

I agree @Aaron Weiler , this article touches on a "new" security challenge, which is unique to AV/communications systems. The challenge of maintaining and ensuring the confidentiality of the media (audio and video) delivered across the network. AV systems are deployed to aid in communication in corporate settings, and the nature of many of those communications can be confidential in nature. Therefore, the AV system has a big responsibility to ensure that confidentiality is maintained. Media as an example that is not encrypted would make it easily accessible for someone to "listen" in. However, even media that is protected over the network could still be susceptible to eavesdropping if the media was routed to an authorized receiver on the network, but in the wrong location. Network security is a very important aspect of any AV deployment where confidential media is being delivered via the network.

Aaron Weiler
3 months ago

This is exactly what I was thinking too @Jamie Horner! As an example, I wonder if microphone companies have even considered such a concept. Since they aren't typically the ones storing the information or even hosting it. It's almost like a game of "who is culpable?" in a way. So, if I am a microphone manufacturer, am I responsible for making sure that my product isn't being used against the end-user? Should I be using techniques to ensure safety before it even gets downstream to the folks using the product? I feel like there are a lot of steps before this situation even gets to the network. But for some reason, when it actually gets to that point, it's 100% the network's responsibility to make sure it's secure. To me, it's almost like just dumping products on the network with no recourse...

Jamie Horner
3 months ago

@Aaron Weiler culpability, that is a great (scary) question for sure. The example you gave is a great one, but let's say that the company is simply only adopting a given "industry" standard for delivering the audio over the network, and therefore they did not develop "how" it is done or how securely themselves. Does that therefore mean we look to "standards" themselves and consider which ones offer the most sound (excuse the pun) security as a larger influence on product selection? If brand X does it one way and brand Y another, security may be the reason one is chosen over the other. And if that happens security should improve as it becomes a bigger factor in the win/loss column for a manufacturer. A very interesting subject (can of worms) for sure!

Aaron Weiler
3 months ago

@Jamie Horner Can of worms is the best way to describe that! AV buying decisions based largely in part on security is, to me at least, an entirely different school of thought altogether. Can you imagine a wireless microphone having WPA-PSK? :) 

Paul Konikowski
3 months ago

Great discussion, @Jamie Horner and @Aaron Weiler. I am a little late to the party, but I brought refreshments.

We all know that network security is only one part of cybersecurity. The other parts include the hardware that lives on the network, the firmware/software that runs on the hardware, the dependent packages that make up the software, not to mention mobile devices like cell phones, and your vehicle or headset if you are tethering your phone via Bluetooth. Plus all the humans involved! AV always starts and ends with humans.  If you forget to mute your microphone before you say something confidential, is that the network admin's fault? No, but it may be a breach of security, privacy and/or compliance.

Security, privacy, and compliance need to be part of everyone's job.  The biggest problem in AV Land is everyone is focused on getting things working so they can sell and install them faster.  A product or protocol that gives little headache is considered favorable. Ever heard the terms, "plug and play" or "plug and pray"?  News flash: God is not going to configure your device to be secure on the network!

I never forget the first time an AV sales rep showed me how easy it was to pull up the unprotected webpage of the DSP device he was pitching; how I could listen to any stream locally on my computer, with no password needed. That was a "feature" he was touting, but in my eyes, it was a clear vulnerability.  Add in the fact that there was no record or log of who was using the product's website or when they were listening...

So, in this case, is this the rep's fault for showcasing this feature/vuln? Is it the product manufacturer's responsibility to NOT include those features? Is it the AV consultant or integrator's job to only choose safe and secure products? Is it up to the client to verify? Or do we keep doing what most AV integrators keep doing and put it all on the network security folks?

The answer is all of the above.  Cybersecurity is everyone's responsibility, end to end. 

Aaron Weiler
3 months ago

@Paul Konikowski the short answer to all your questions is; YES! :) no, but seriously, it's almost a "chicken before the egg" conversation. I will point the finger a bit at manufacturers of AV equipment when it comes to this concept though. While I do think that security is everyone's responsibility, I also think that it starts with the vendor. Vendors are more than just hardware or software these days, they are often both - and without proper interop testing for compatibility and vulnerabilities, it's a tough sell to anyone downstream. So I guess perhaps it's on the AV teams to push back against those vendors that aren't forthcoming with that information. After all, those vendors are running a business of selling devices/software, they should be the ones incentivizing buying decisions for AV buyers. The way you accomplish this is by arming folks with the information they need to sell internally by overcoming any IT/networking reluctancy.