¶ Introduction to AV Security
From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta, welcome to the Mnemonic Security Podcast.
No, this is not an episode about antivirus. Thank you for your service, though. Rest in peace. Now I'd like for us to update the AV in our minds to audio-video technology.
You know, the TVs in our meeting rooms, video conferencing systems with their cameras and microphones, smart displays like the welcome screen in your lobby, presentation systems like ClickShare for those that think HDMI cords are ugly. My cords are ugly.
All the technology that we use on a daily basis at work , all of which is very easy to overlook in the chaotic reality of most cybersecurity teams .
If you're on a security team and you haven't been involved in an audit of your AV equipment , I'm pretty sure there are some default credentials and settings that you should have a look at , and once you're there , you'll probably have some software to update . Maybe you'll even find some time to make a dedicated network segment for all that stuff .
This isn't rocket science, so I'm confident that you'll be able to figure out what needs to be done once you put some thought into it. So let this episode serve as a kind reminder to take such time. You don't need an expensive consultant to install a USB port locker. Øystein Stadsklev, welcome to the podcast.
Thank you .
I should say welcome back to the podcast. I think it's very funny that we, the gadget guys, couldn't get our first podcast to work, so this is our second take. It's always something, you know. It's always fun to redo an introduction too, like I just have to forget everything we just talked about or reen.
You said that yeah , I'm like act surprised , you know so , uh , I'll recap it and say um , we met each other at a conference the attack conference , yes and uh , you know we're all .
Everybody listening to this is used to go around conferences and picking up , you know , junk food and vendor socks and whatnot , but you , at your stand , had a bunch of cool , really cool gadgets . So who are you and why did you have cool gadgets at your stand ?
Yeah, so, as you're saying, my name is Øystein Stadsklev. I work for Netting. Netting is a distributor that specializes in signal distribution and that is mainly in the audio-video markets. It can be everything from speakers and solutions for restaurants and cabling there to a lot of control rooms onshore and offshore.
Specifically why we had the gadgets we had is because we also work with secure AV solutions , so mainly what we focus on there is secure KVM .
What does that stand for?
Keyboard , video and mouse . So , basically , when you want to do 16 , for example , computers connected to one keyboard , video and mouse . When you talk about that , it's very important that the KVM does not become a gateway between different networks .
So that's specifically where we distribute all of those products to, is high security applications like, for example, defense or banking or similar, where you want to make sure that these two networks cannot communicate between each other, even through peripherals like KVM switches.
So that was a bit what we're showing about , uh , showing off , and we have some audio diodes which is , it sounds , a bit space age . Of course not you , but , for example , transmission of data over sound .
So if you have an air gap solution but people are using ultrasonic sound to transmit small portions of data , so maybe you have a compromised site that's a secured network , and then you have a non-secured network that's also been compromised , but they cannot communicate .
People can use ultrasonic sounds to transmit data through an air gap solution if it's in the same room . That is space , no matter who you're talking to . So they have filters like it's a low-pass filter really , so it just sorts out any ultrasonic frequencies . It's a really dumb device , you know , like it's a simple device for a complicated task .
So to filter , to filter that , so we can't use speakers as microphones , because it's still a spool and a membrane right , so you can reverse it . And also there is a smart function on some of it .
That's a button and the button has a timer and the web camera that you connect to this device is only active when the button is pressed and , for example , 15 minutes .
So even if your system has been compromised and you're having a confidential discussion after a Teams meeting , you know that every unit that's capable of capturing sound or image is actually turned off or disconnected physically disconnected via relay . So it's high security solutions like that that we presented there and also I call it dumb shit .
It's like USB port blockers. You're not supposed to put that USB stick in there and this port is blocked. Please don't put something in there. It's more of a preventative measure often than anything else, but it's a nice thing both for security and for people putting USB sticks and things where it shouldn't be on public-facing equipment, for example.
So you work with spies according to that one gadget you had there . That was awesome .
Very interesting. Well, on the other side, yeah, trying to make sure people don't put USB sticks where they shouldn't be. Yeah, that's one way to say it.
So when it comes to a simple meeting room, right, everybody has one. Everybody knows that there is a camera, there are microphones there. What are some of the biggest slash most overlooked risks that you come across in your conversations with your potential clients?
AV is often a hey , can just fix that Right , and could you just fix it yesterday please . So the focus is very often on how fast can we fix this , how fast can we get it to what we want , and security becomes a sidestep of that .
So security as an afterthought , that it also exists in the physical device world yes , sounds like true .
In the physical device world, yes, yes. You asked me a question beforehand, like, I hope it's not default passwords and stuff like that. See it quite a lot. Unfortunately, a lot of the thinking is this is a closed network or it's not connected to internet. It's not a good excuse, I know, but it's not connected to internet.
So just gotta configure this box so it works kind of deal.
Of course there are many more professionals and professional installers that absolutely take care of this , but it's an issue we see , and having the more just make it as open so it works , kind of mentality more than restriction and that there . So we're not on zero trust then , and those kind of ways of thinking .
So basically you I mean you guys know hardware and gadgets and the security of them , but at the end of the day it's still an installer and I know you're not going to talk shit on your installers and that's not the point .
Oh , no , no , the customer is kind of like yeah , here , just implement this , and maybe security doesn't , maybe things don't get the right buttons don't get pressed or the right procedures don't get followed all the time .
Yeah, and of course it depends a little bit on who you're talking to, right, of people that just have like a spec list, this, this, this is what they want.
They might not ask so much of us which sits on the technical side, because they have it figured out, right. They have strict guidelines and things like that. So it varies a lot. It does. But
¶ The Overlooked Risks in Meeting Rooms
another thing when it comes to specific meeting rooms , or not specific to meeting rooms , really is mentality of if it ain't broke , don't fix it . It also applies to don't update it . I wouldn't be surprised if there's a lot of outdated web service and the like on a lot of these solutions .
That's more of a general AV issue, although if we look at the segments in, for example, meeting rooms or bigger spaces, maybe auditoriums and the like, where you have manufacturers that are living more in the convergence of AV and IT, those people are skilled and have proper authentication solutions and the like.
Am I fair to assume that's because you guys or not you guys , your industry is sort of it's the IT team that is supposed to implement and take these things and the security people just don't touch it . Because I've never had a discussion like this in my what nine years in security monitoring , for example , like I've never heard .
AV systems .
I thought you meant antivirus when you said AV . You know so it's not a very common discussion , but that would make sense , at least in my head .
Yeah , it's not a very common discussion . We try to bring it more up . Hi , I see you're going to install this . Have you thought about this ? Sure , we can just give guidelines .
Really, one reason that the AV industry, at least as I know it, comes from an extremely diverse background, comes from every kind of education versus the IT industry, I feel, is more higher education opportunities, more certifications is extremely much more prevalent in the IT industry.
It kind of goes between two chairs sometimes and I know there's some very interesting risks. You've probably heard about Hak5. Yeah, so they have like the O.MG cable. It's a microcomputer inside of a USB-C cable.
I'm just thinking every meeting room where you could install one of those or similar types of products and gain massive amount of information , but it's not really talked about that much , right ? It's not a ? Oh , have you verified that this USB-C cable is actually rogue ? I have never had anyone actually say that .
Well , let's go there . What is the risk there ? Like , what kind of ? What information can you get out of an organization via that mean ?
It's the same kind of device as a Rubber Ducky or something, an automation platform to launch exploits, anything from an exploit that can then utilize a keylogger, for example. Maybe there's a virus or malware implanted on that. Things like this are often not talked about and can be a huge risk. For example, AV over IP systems.
What if you just went into an auditorium or a meeting room and you had a meeting ? Is that all right ? They're using those kinds of AV over IP boxes ? Most of these systems , at least by default , do not require any form of authentication . They just say , oh , listen to this multicast address .
So I'm just thinking there probably is a device or a small computer you can just plug in, find the kind of AV over IP system, log that and just screen record everything in no bitrate and then you have many passwords. Or maybe there's a confidential meeting after the meeting you had, things like that. So that was like the dumb, simple things.
I don't remember what it was called, but there was like a term of no risk, high reward for threat actors kind of attacks, and I feel in the AV world those are some of like, yeah, it's kind of low risk to do it, right, and I would assume we haven't heard of those because the proximity, right, you, you actually have to be there, you actually have to
have a bad guy or girl plugging something in , so that may be why it hasn't been seen .
It just surprises me because I really want to hear your thoughts on the nearest neighbor attack, where a Russian, Fancy Bear, has a million names but I think it was Fancy Bear. Tell us about that attack and then tell us your thoughts.
Yeah. So it's interesting because you have the situation of this asset we want to infiltrate. They had quite good security on the outside, but their neighbors don't, and maybe there's other ways to get in.
So what they ended up doing was compromising one of the neighbor buildings and they didn't have some sort of MFA on the Wi-Fi network , so they went in through that way and I think the line between these kinds of attacks like nearest neighbor and , for example , if you're talking about meeting rooms and the same thing , it can be a bit like the same .
It's like oh right , so they really secure down their IT infrastructure , but the AV infrastructure that also uses IT components is not that well secured . That might be an entry point , right ? Okay , this was like a big actor , it's like a big attack and things like that , but the principle can still be used very much in a lot of different things .
I think the thing to have in mind is that just because your main solution is secure , you have to think about the other connected solutions or adjacent solutions as well .
Fancy Bear is going to get in, if Fancy Bear wants to get in, basically. But it was really interesting how they had to go to those lengths. And I also have another. I had another guest. His name is Brian Harris and he breaks into buildings. Oh, Brian, yeah, yeah, you know who Brian is. Yeah, of course, yeah.
So he , uh , he came on and he just kind of like hey guys , I'm going to get in your building , just drop that part .
But so now let's just assume that I get in , so you save you for X amount of dollars and it saves me two weeks of my life , right , as soon as we get in , what's going to stop me from going from your lobby to that closet over there and installing this ?
What could it be could be one of the things you mentioned , right , and then I'm on your Wi-Fi network . What happens once I'm on your Wi-Fi network ? And then they're like so if he's talking to a client like that , then obviously that's a very short project . Here's what you need to go fix .
But I have a feeling that at least the Norwegian companies, they're like, yeah, they have EDR, they have all these fancy bells and whistles, Microsoft E5 license, all this, Mnemonic for the security provider, and then, when it comes to their AV, they're kind of like, oh yeah, I don't know who fixes that. It's like awkward silence. Is that the case?
It would be really interesting. I think, when I do teachings, like courses and such, it's like if I were just to do a hands up. What is your, for example, AV security strategy? What is your plan for AV security on all the implementations you've done? We try to use some different passwords from time to time.
It will be a very short, awkward silence.
Yeah , it's a short conversation .
But what is the answer to that question , though I guess that's the whole point of this podcast the AV security strategy ? Is there a framework for that , or you just kind of follow the SIS framework and just kind of treat it like everything else ?
I think that the AV industry needs to look more to the IT industry and implement a lot of the things that already exist , Because there exist heaps of good frameworks in the IT industry that can be translated to work for AV , and a lot of the things is strictly IT . If it's the web interface on that simple box you have , well , it's a web server .
Implement the same safety features for that . And if you can't have it , then say , hey , this manufacturer , in order to use our products , we need to comply with this , this , this . What is your plan to implement that ? Or how can we work to get a solution that will do that ? And I have gotten some positive feedback .
For example, hey, this port 88888, what does that do? It's not documented everywhere in this AV over IP solution. Please tell me what it does. And then later I got like, oh hey, this is an EDID, which is a communication between screen and machine. That's what it's used for. And now in a new firmware, you can't turn it off.
So I think manufacturers are absolutely listening . It's just they need the AV industry to be more involved in IT and therefore also communicate to the manufacturers again and to get more active discussion about hey , we actually need this and this .
What they really need is a customer that's willing to pay for . That , I guess , is the real answer there , right ?
Yeah, because now it's, if it's not a high security, if I'm talking about regular installations, then it's very much about one volunteer, like, I care about security. I will report this to that manufacturer. Why is it like this? Why are we using an outdated version? But there's no framework or anything like that or any media sites
That picks up like , oh , this solution uses an outdated web server or stuff like that . It doesn't come in the news right when there's someone being exposed because of an outdated service . In the same way , I feel like IT gets
¶ Understanding KVM and Its Security Implications
more highlighted because the security , it security industry is such it's much more evolved than the AV security .
We've been screaming for longer and louder , but now we're starting to scream in your direction , I think . I think there's a lot of just at a conference . There's a lot of companies that are doing firmware testing , like breaking apart boxes , doing halfway legal or out of the scope of the user agreements , I would say , things these boxes right .
So there is getting more attention around there . I guess you can confirm that .
Yeah, I do think so, and also, as I said, I do see that manufacturers are absolutely listening, and specifically the ones that work a lot in the convergence between IT and AV, streaming boxes, AV over IP solutions. When it's big manufacturers, they are really listening.
So you have everything from the one that's implementing and testing through OWASP , through other ones that I've heard about , that has an OEM product , rebrands it as themselves but doesn't change the root password , so you have , like , root SSH access by default .
You're talking about , like all the firewall vendors right now .
Horrible . Yeah , of course Things like that exist in .
They're even more prevalent in your world , I would assume .
In the IT as well . If it's not highlighted and if it's not required , then it doesn't get highlighted . So I think AV should listen more to IT and I think that it will also be healthy for the IT security industry to demand more .
If it's more of a demand in the project that you have some sort of framework that says it has to support this or be updated this regularly , or things like that , because it's very much about what the user requires .
If they don't require this , if they don't say anything about it , it's not going in the scope , because then we'll be that vendor that thinks about this will be more expensive and not chosen because of price , for example . So I think it's more of a collaboration between IT and AV and , yeah , informing each other , yeah , about the struggles .
I'm just surprised that I've been to all these conferences and I've never seen . I mean , of course , you've heard about the MGM thing where they hacked in through a fishbowl . You heard about Target where they go through their what was it ? Vacuum system or whatever HVAC system .
But I think maybe the physical , like you guys from the AV world , can just play hey look , how easy it is to get into your systems by doing this to this AV box .
Right, I think there should be a little bit more of that, and I mean, besides your advice of just getting the AV guys and IT and security in the same room and give them a beer and let them talk. I know that NSM has physical room security guides. Is there anything that we can play upon there?
Well, I have gone through that, uh, course, and a lot of it is more thickness of walls, how the ventilation should be. Um, is there any windows? A similar way you can look into it, I think. Generally one tip is, for example, wireless keyboards, wireless mouse, for example.
The Logitech Unifying system has been broken multiple times, I think, and if that can be logged, you know, everything you type into that keyboard can be logged. So one thing is like restrict the functionality you don't need, it's a nice to have, but not a need to have, and also just tightening down on like, yeah, this is just active by default, why?
Just turn it off .
You know the kind of standard practices . A lot of it was more how to act , what to think about mobile phones , use of mobile phones , some more high security things , and you have solutions for that as well when you're talking high security .
But then we're back to the kind of solutions we presented attack and then units that's supposed to resist TEMPEST or have a TEMPEST Level B certification so we don't radiate.
For example, HDMI cables that's too long and the EMI or radio frequencies from that is decoded into a signal so someone can wirelessly take and listen to an HDMI cable, which sounds space-age, but it's actually doable.
How many more space-age things do you have in your head right now ?
Actually, because, I really want to hear these things. Oh, yeah, no. So TEMPEST is about how much radio frequencies or the thing is. For example, let's say you have an HDMI cable like this and you're inducting a current through this cable. So that means you have some sort of antenna because it's an electromagnetic field.
So you could pick up an SDR, like a software-defined radio. Say, I want to listen to that specific frequency there, and then some really smart people have been able to say, ah, if it's like this, then that probably means this is the image.
So you will see if it goes on youtube demos of people having like black and white images wirelessly from a computer connected to another screen and they can see this image on the screen . Yes , it's fuzzy , but you can actually read it . So , um , and then things like this . That sounds very space age .
You know, when you're talking about, for example, going back to the Fancy Bear and stuff like that, it's like, hey, you have other ways of getting in, right, if the main IT security is quite watertight, and you go, oh, we installed a KVM switch, for example. Yeah, it was non-secure.
Oh , we can attack this chip that sits on this KVM and through that have access to other networks , right , it's a lot of these kind of solutions that you don't usually think about .
I would think the Five Eyes and the FSB and all these cool spy agencies . They know how AV works , they know how KVM switch works .
Oh , yes , absolutely , absolutely , absolutely . And things like , for example , the one , the diode I was thinking about , which blocks higher frequency from transmitting data , but also have a timer , so it's web cameras just active when you speak and it automatically turns off based on the timer .
Things like where do you have your confidential discussions and is it in a room that has a mobile phone or a camera or microphone? The answer is most likely yes, of course. And we're usually carrying it ourselves, yeah. So, and then it's like it becomes like these fancy attacks that have been done, right, by Fancy Bear or others, of course.
That's like you don't think about that this would exist, that this won't be able to do, but it is. But I'm not that worried about that for the mainstream, let's call it that, but specifically in higher security it's one thing to think about, and also that, for example, HDMI. You have the CEC, which is Consumer Electronics Control.
It's an own network, an integral network where it can have two-way communications. So when you're talking about AV security, video security, you have, for example, disabling CEC, disabling HDCP, which is copyright protection, because it's a two-way communication, uh, disabling EDID, the communication between the screen and the PC about resolution.
So all these two-way communications doing hardware security saying , nope , we're going to block that and we're going to set our own resolutions . So we know that someone can't hack into the screen or projector , implant a malware or something like that and gain access through that way .
So it varies a lot from the very simple things to the more complicated , like that and trying to secure them , and that will be mostly in , for example , defense and things like that , where those kinds of high security solutions are very prevalent and also required .
So we've talked about, you know, AV, a lot of things that are in meeting rooms, and stuff like Wi-Fi and printers are also in the same world, or no?
Oh yeah, absolutely. There's a lot of units that have Wi-Fi, right, but maybe they just use the cable, so the Wi-Fi is default configured and stuff like that. Um, printers, yes, but of course that's more of an IT problem.
I think not necessarily any problem , but we see , oh boy , how we see a lot of printer attacks on outdated web servers , hard drives containing information that hasn't been checked .
Maybe of course, it's a physical attack, but there's a lot of kind of, oh right, we're just going to do a service on this MFP, we're from Konica Minolta or Canon, or just pretending to be someone and just yanking out critical information or maybe installing a sniffer or something like that, and a lot of situations that will go unnoticed because it's just, ah, I
don't want to be a bother for that person , let's just him do his thing , right . So and and the same thing I will , I will say , will be in the AV world , for example . Let's say you're in a big university , I would guess you would not stop someone saying we're going to work on some maintenance on this auditorium or this meeting room .
You would just say, all right, just do your thing. We need our meeting room, it's important, thank you for your job. Right.
In Norway we wouldn't even say hi to them. You'd just be like, oh, that's busy. Oh yeah, no, no, it's like, oh, let's not bother that person and externally they're important.
Yeah .
Well , it's okay . So when I go and talk to my clients afterwards and I and I ask them , hey , do you know what AV means ? And they're going to say antivirus , I'm going to say no , audio and video . What do you think about security around your AV ? My guess is they're going to be like look at me like I'm strange , or laugh and or say that's IT's problem .
But that's basically where you have this discussion at the start .
Or all of the above .
All the above Exactly .
Stop asking difficult questions , and I think , to kind of sum it up , it's a bit of we're trying to take responsibility there , but I think the responsibility needs to be shared much wider in the AV business to make sure that a lot more have a feeling of responsibility for security and the way it affects the security in the home .
We're talking ideal words here, but things like talks about AV security, how can you improve it? We are one of the vendors that try to infiltrate or give a taste of AV security, but I think that more should do it.
I don't have an overview of who does and who doesn't, because I just work for one company, but my impression is that it's not a very hot topic, to put it like that. It should be, though. So I think it should be, it should be.
I also think that just getting more people to talk to people like you and get your insight into, okay, I want to think about AV security. Or I work at a high security or some company that has valuable assets, right, okay, how can I make sure in simple steps? Or what do I need to think about, like what is public-facing equipment?
What do I need to ask my AV vendor about ?
And I think , even though you might not have specific answer to that just the fact that if you get that question and the customer then relays that question back to the installer , it's going to get a lot more let's call it in the now right A lot more relevant or people are going to talk about it , so I think it's a bit of an awareness campaign that needs
to happen really .
Absolutely. And the worst thing about this whole thing is awareness has to come from you talking about, oh, by the way, that HDMI cord, you can actually track its magnet. You can use this machine that tracks the magnetics and you can see the. But it's stuff like that.
I guess it starts there and then it is. If you look back at the history of attacks that have come through IoT devices, I guess it's always an IoT device. But the TV that's behind this computer or camera right here, that is an IoT device, right. Oh yeah, everything is an IoT device. So I mean, it's just people.
I think security has so much scope creep in their normal life already . They just don't want any more responsibility . They don't have time to talk to any more people , but they unfortunately have to .
Yeah , there's definitely a scope creep , of course , but I think just being able to listen to people like you and then just going , ah , this is a thing I can think about Not necessarily that it will take responsibility on everything but say , all right , he talked about something like that . Or software updates have I checked that I can update the software ?
Have I checked that I have a routine for this ? All right , so just getting the awareness , I think , is the first step there in this process .
Well, Øystein, thank you so much for sharing your knowledge and expertise. Maybe we have to have an episode about the craziest shit that no one's ever heard of, that you know about with your devices.
Oh , yeah , yeah , absolutely that we can do . That would be fun , that'd be really fun Over a beer .
Yeah, yeah, thank you very much, sir, we will talk to you soon. It's been nice. Take care until next time, thank you. Thank you. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast.
If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonic.no.
