AV/IT Security

The Security ‘Wild West’ of AV/IT

There has been a lot of talk lately about the security of AV/IT systems as if they are the new ‘Wild West’ of the IT estate. A few articles point the finger at AV systems and warn that how left unchecked, they might expose an entire network to some kind of attack or loss. Recent media coverage has centred around the AMX backdoor vulnerability, although I’m not sure if any actual damage has been reported as a result of the discovery.

Something which I find interesting is the notion that it is mainly the information which resides on the rest of the network which is most valuable. That is the files, folders, customer data etc. in the wider enterprise which becomes vulnerable from a compromised AV system. Whilst this may be true in some cases, I’m not sure that I entirely agree that this is the only thing we should be securing against. I would imagine that the AV community (as well as their clients) feel that the actual media which is being shuttled to and fro on the network has some value too.

A 2011 UK report into the cost of cyber crime* showed that the two highest figures stemmed directly from the theft of intellectual property and of espionage. Someone with unfettered access to an AV network and able to see and hear everything within a meeting room could be in an ideal position to carry out either.

UK cybercrime statistics

It’s not just the corporate environment who need to be mindful of such exploits. The live industry is also susceptible to such breaches at the hands of our new techniques. As an example, technology designed to replace infrared assisted listening systems with one that directly streams audio over Wi-Fi to a patron’s smartphone via an app is now available. Without a proper Wi-Fi survey, it is quite possible that the auditorium Wi-Fi signal may be picked up from neighbouring premises or out on the street; anyone with the app who wishes to eavesdrop on the programme or make a recording is able to do so. Other audio networking solutions allow anyone with a copy of the control software to jack-in and change routing or, again, syphon off a stream for themselves (or the highest bidder).

The convenience, flexibility and cost savings which installers and end users enjoy as a result of AV/IT systems are a great benefit to the industry. I think it’s fair to say that the wider concerns of security are ones which we were not always accustomed to thinking about. Every time we install a piece of commodity IT, we inherit the security architecture of that device – that can both help us and hinder us. We typically focus on specs such as throughput, uptime and protocol compatibility and how we can use those to our advantage; perhaps security should be considered as well. Fortunately, many of the devices we choose for those attributes are of suitable grade to provide the security function too, but that may not always be the case as adoption takes off (and more competitively priced gear is sought) or even something which is configured on many networks.

Given that more of our systems are jumping on to the network (and that those networks are not always under our control) perhaps we will see more development of product features and techniques to help us secure our networks and assets.

* 2011 report by industry and government on the cost of cybercrime.