mnemonic security podcast

AV and IoT

mnemonic

Audio-visual (AV) equipment is everywhere – meeting rooms, auditoriums, and control centres – but how often do we think about its security?

In this episode of the mnemonic security podcast, Robby talks to Øystein Stadskleiv from Leteng, about the overlooked risks of AV systems. They discuss real-world attack scenarios, common vulnerabilities, and practical steps to secure AV infrastructure. 


Speaker 1:

From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta, welcome to the Mnemonic Security Podcast.

Speaker 2:

No, this is not an episode about antivirus. Thank you for your service, though. Rest in peace. Now I'd like for us to update the AV in our minds to audio-video technology. You know, the TVs in our meeting rooms, video conferencing systems with their cameras and microphones, smart displays like the welcome screen in your lobby, presentation systems like ClickShare for those that think HDMI cords are ugly. All the technology that we use on a daily basis at work, all of which is very easy to overlook in the chaotic reality of most cybersecurity teams.

Speaker 2:

If you're on a security team and you haven't been involved in an audit of your AV equipment, I'm pretty sure there are some default credentials and settings that you should have a look at, and once you're there, you'll probably have some software to update. Maybe you'll even find some time to make a dedicated network segment for all that stuff. This isn't rocket science, so I'm confident that you'll be able to figure out what needs to be done once you put some thought into it. So let this episode serve as a kind reminder to take such time. You don't need an expensive consultant to install a USB port locker. Øystein Stadskleiv, welcome to the podcast.

Speaker 1:

Thank you.

Speaker 2:

I should say welcome back to the podcast. I think it's very funny that we, the gadget guys, couldn't get our first podcast to work, so this is our second take. It's always something, you know. It's always fun to redo an introduction too, like I just have to forget everything we just talked about or reen.

Speaker 2:

You said that yeah, I'm like act surprised, you know so, uh, I'll recap it and say um, we met each other at a conference the attack conference, yes and uh, you know we're all. Everybody listening to this is used to go around conferences and picking up, you know, junk food and vendor socks and whatnot, but you, at your stand, had a bunch of cool, really cool gadgets. So who are you and why did you have cool gadgets at your stand?

Speaker 1:

Yeah, so, as you're saying, my name is Øystein Stadskleiv. I work for Leteng. Leteng is a distributor that specializes in signal distribution and that is mainly in the audio-video markets. It can be everything from speakers and solutions for restaurants and cabling there to a lot of control rooms onshore and offshore. Specifically why we had the gadgets we had is because we also work with secure AV solutions, so mainly what we focus on there is secure KVM.

Speaker 2:

What does that stand for?

Speaker 1:

Keyboard, video and mouse.

Speaker 1:

So, basically, when you want to do 16, for example, computers connected to one keyboard, video and mouse. When you talk about that, it's very important that the KVM does not become a gateway between different networks. So that's specifically where we distribute all of those products to is high security applications like, for example, defense or banking or similar, where you want to make sure that these two networks cannot communicate between each other, even through peripherals like KVM switches. So that was a bit what we're showing about, uh, showing off, and we have some audio diodes which is, it sounds, a bit space age. Of course not you, but, for example, transmission of data over sound. So if you have an air gap solution but people are using ultrasonic sound to transmit small portions of data, so maybe you have a compromised site that's a secured network, and then you have a non-secured network that's also been compromised, but they cannot communicate. People can use ultrasonic sounds to transmit data through an air gap solution if it's in the same room.

Speaker 1:

That is space, no matter who you're talking to.

Speaker 1:

So they have filters like it's a low-pass filter really, so it just sorts out any ultrasonic frequencies. It's a really dumb device, you know, like it's a simple device for a complicated task. So to filter, to filter that, so we can't use speakers as microphones, because it's still a spool and a membrane right, so you can reverse it. And also there is a smart function on some of it. That's a button and the button has a timer and the web camera that you connect to this device is only active when the button is pressed and, for example, 15 minutes. So even if your system has been compromised and you're having a confidential discussion after a Teams meeting, you know that every unit that's capable of capturing sound or image is actually turned off or disconnected physically disconnected via relay.

Speaker 1:

So it's high security solutions like that that we presented there and also I call it dumb shit. It's like USB port blockers. You're not supposed to put that USB stick in there and this port is blocked. Please don't put something in there. It's more of a preventative measure often than anything else, but it's a nice thing both for security and for people putting USB sticks and things where it shouldn't be on public-facing equipment, for example.

Speaker 2:

So you work with spies according to that one gadget you had there. That was awesome.

Speaker 1:

Very interesting. Well, on the other side, yeah, trying to make sure people don't put USB sticks where they shouldn't be. Yeah, that's one way to say it.

Speaker 2:

So when it comes to a simple meeting room, right, everybody has one. Everybody knows that there is a camera, there are microphones there. What are some of the biggest, slash most overlooked, risks that you come across in your conversations with your potential clients?

Speaker 1:

AV is often a hey, can just fix that Right, and could you just fix it yesterday please. So the focus is very often on how fast can we fix this, how fast can we get it to what we want, and security becomes a sidestep of that.

Speaker 2:

So security as an afterthought, that it also exists in the physical device world yes, sounds like true.

Speaker 1:

In the physical device world, yes. Yes, you asked me a question beforehand, like, I hope it's not default passwords and stuff like that. See it quite a lot. Unfortunately, a lot of the thinking is this is a closed network or it's not connected to internet. It's not a good excuse, I know, but it's not connected to internet. So just gotta configure this box so it works kind of deal. Of course there are many more professionals and professional installers that absolutely take care of this, but it's an issue we see, and having the more just make it as open so it works, kind of mentality more than restriction and that there. So we're not on zero trust then, and those kind of ways of thinking.

Speaker 2:

So basically you I mean you guys know hardware and gadgets and the security of them, but at the end of the day it's still an installer and I know you're not going to talk shit on your installers and that's not the point. Oh, no, no, the customer is kind of like yeah, here, just implement this, and maybe security doesn't, maybe things don't get the right buttons don't get pressed or the right procedures don't get followed all the time.

Speaker 1:

Yeah, and of course it depends a little bit of who you're talking to, right, of people that just have like a spec list, this, this, this is what they want. They might not ask so much of us which sits on the technical side, because they have it figured out, right. They have strict guidelines and things like that. So it varies a lot. It does.

Speaker 1:

But another thing when it comes to specific meeting rooms, or not specific to meeting rooms, really is mentality of if it ain't broke, don't fix it. It also applies to don't update it. I wouldn't be surprised if there's a lot of outdated web service and the like on a lot of these solutions. That's more of a general AV issue, although if we look at the segments in, for example, meeting rooms or bigger spaces, maybe auditoriums and the like, where you have manufacturers that are living more in the convergence of AV and IT, those people are skilled and have proper authentication solutions and the like.

Speaker 2:

Am I fair to assume that's because you guys or not you guys, your industry is sort of it's the IT team that is supposed to implement and take these things and the security people just don't touch it. Because I've never had a discussion like this in my what nine years in security monitoring, for example, like I've never heard.

Speaker 1:

AV systems.

Speaker 2:

I thought you meant antivirus when you said AV. You know so it's not a very common discussion, but that would make sense, at least in my head.

Speaker 1:

Yeah, it's not a very common discussion. We try to bring it more up. Hi, I see you're going to install this. Have you thought about this? Sure, we can just give guidelines. Really, one reason that the AV industry, at least as I know it, comes from an extremely diverse background, comes from every kind of education versus the IT industry, I feel, is more higher education opportunities, more certifications is extremely much more prevalent in the IT industry. It kind of goes between two chairs sometimes and I know there's some very interesting risks. You probably heard about Hak5. Yeah, so they have like the O.MG cable. It's a microcomputer inside of a USB-C cable. I'm just thinking every meeting room where you could install one of those or similar types of products and gain massive amount of information, but it's not really talked about that much, right? It's not a? Oh, have you verified that this USB-C cable is actually rogue? I have never had anyone actually say that.

Speaker 2:

Well, let's go there. What is the risk there? Like, what kind of? What information can you get out of an organization via that mean?

Speaker 1:

It's the same kind of device as a Rubber Ducky or something, an automation platform to launch exploits, anything from an exploit that can then utilize a keylogger, for example. Maybe there's a virus or malware implanted on that. Things like this is often not talked about and can be a huge risk. For example, AV over IP systems. What if you just went into an auditorium or a meeting room and you had a meeting? Is that all right? They're using those kinds of AV over IP boxes?

Speaker 1:

Most of these systems, at least by default, do not require any form of authentication. They just say, oh, listen to this multicast address. So I'm just thinking there probably is a device or a small computer you can just plug in, find the kind of AV over IP system, log that and just screen record everything in low bitrate and then you have many passwords. Or maybe there's a confidential meeting after the meeting you had, things like that. So that was like the dumb, simple things. I don't remember what it was called, but there was like a term of no risk, high reward for threat actors kind of attacks, and I feel in the AV world those are some of like, yeah, it's kind of low risk to do it, right, and I would assume we haven't heard of those because the proximity, right, you actually have to be there, you actually have to have a bad guy or girl plugging something in, so that may be why it hasn't been seen.

Speaker 2:

It just surprises me because I really want to hear your thoughts on the nearest neighbor attack, where a Russian, Fancy Bear, has a million names but I think it was Fancy Bear. Tell us about that attack and then tell us your thoughts.

Speaker 1:

Yeah. So it's interesting because you have the situation of this asset we want to infiltrate. They had quite good security on the outside, but their neighbors don't, and maybe there's other ways to get in. So what they ended up doing was compromising one of the neighbor buildings and they didn't have some sort of MFA on the Wi-Fi network, so they went in through that way and I think the line between these kinds of attacks like nearest neighbor and, for example, if you're talking about meeting rooms and the same thing, it can be a bit like the same. It's like oh right, so they really secure down their IT infrastructure, but the AV infrastructure that also uses IT components is not that well secured. That might be an entry point, right? Okay, this was like a big actor, it's like a big attack and things like that, but the principle can still be used very much in a lot of different things. I think the thing to have in mind is that just because your main solution is secure, you have to think about the other connected solutions or adjacent solutions as well.

Speaker 2:

Fancy Bear is going to get in, if Fancy Bear wants to get in, basically. But it was really interesting how they had to go to those lengths. And I also have another. I had another guest. His name is Brian Harris and he breaks into buildings. Oh, Brian, yeah, yeah, you know who Brian is. Yeah, of course, yeah. So he, uh, he came on and he just kind of like hey guys, I'm going to get in your building, just drop that part.

Speaker 2:

But so now let's just assume that I get in, so you save you for X amount of dollars and it saves me two weeks of my life, right, as soon as we get in, what's going to stop me from going from your lobby to that closet over there and installing this? What could it be could be one of the things you mentioned, right, and then I'm on your Wi-Fi network. What happens once I'm on your Wi-Fi network? And then they're like so if he's talking to a client like that, then obviously that's a very short project. Here's what you need to go fix. But I have a feeling that at least the Norwegian companies they're like yeah, they have EDR, they have all these fancy bells and whistles, Microsoft E5 license, all this mnemonic for the security provider, and then, when it comes to their AV, they're kind of like oh yeah, I don't know who fixes that. It's like awkward silence. Is that the case?

Speaker 1:

It would be really interesting. I think, when I do teachings, like courses and such, it's like if I were just to do a hands up. What is your, for example, av security strategy? What is your plan? For AV security on all the implementations you've done. We try to use some different passwords from time to time.

Speaker 2:

It will be a very short, awkward silence.

Speaker 1:

Yeah, it's a short conversation.

Speaker 2:

But what is the answer to that question, though? I guess that's the whole point of this podcast, the AV security strategy. Is there a framework for that, or you just kind of follow the CIS framework and just kind of treat it like everything else?

Speaker 1:

I think that the AV industry needs to look more to the IT industry and implement a lot of the things that already exist, Because there exist heaps of good frameworks in the IT industry that can be translated to work for AV, and a lot of the things is strictly IT. If it's the web interface on that simple box you have, well, it's a web server. Implement the same safety features for that. And if you can't have it, then say, hey, this manufacturer, in order to use our products, we need to comply with this, this, this. What is your plan to implement that? Or how can we work to get a solution that will do that?

Speaker 1:

And I have gotten some positive feedback. For example, hey, this port 88888, what does that do? It's not documented everywhere in this AV over IP solution. Please tell me what it does. And then later I got like, oh hey, this is an EDID, which is a communication between screen and machine. That's what it's used for. And now in a new firmware, you can't turn it off. So I think manufacturers are absolutely listening. It's just they need the AV industry to be more involved in IT and therefore also communicate to the manufacturers again and to get more active discussion about hey, we actually need this and this.

Speaker 2:

What they really need is a customer that's willing to pay for. That, I guess, is the real answer there, right?

Speaker 1:

Yeah, because now it's. If it's not a high security, if I'm talking about regular installations, then it's very much about one volunteer, like, I care about security. I will report this to that manufacturer. Why is it like this? Why are we using an outdated version? But there's no framework or anything like that or any media sites that picks up like, oh, this solution uses an outdated web server or stuff like that. It doesn't come in the news, right, when there's someone being exposed because of an outdated service.

Speaker 1:

In the same way, I feel like IT gets more highlighted because the security, IT security industry is such, it's much more evolved than the AV security.

Speaker 2:

We've been screaming for longer and louder, but now we're starting to scream in your direction, I think. I think there's a lot of just at a conference. There's a lot of companies that are doing firmware testing, like breaking apart boxes, doing halfway legal or out of the scope of the user agreements, I would say, things these boxes right. So there is getting more attention around there. I guess you can confirm that.

Speaker 1:

Yeah, I do think so, and also, as I said, I do see that manufacturers are absolutely listening, and specifically the ones that works a lot in the convergence between IT and AV, streaming boxes, AV over IP solutions. When it's big manufacturers, they are really listening. So you have everything from the one that's implementing and testing through OWASP, through other ones that I've heard about, that has an OEM product, rebrands it as themselves but doesn't change the root password, so you have, like, root SSH access by default.

Speaker 2:

You're talking about, like all the firewall vendors right now.

Speaker 1:

Horrible. Yeah, of course Things like that exist in.

Speaker 2:

They're even more prevalent in your world, I would assume.

Speaker 1:

In the IT as well. If it's not highlighted and if it's not required, then it doesn't get highlighted. So I think AV should listen more to IT and I think that it will also be healthy for the IT security industry to demand more. If it's more of a demand in the project that you have some sort of framework that says it has to support this or be updated this regularly, or things like that, because it's very much about what the user requires. If they don't require this, if they don't say anything about it, it's not going in the scope, because then we'll be that vendor that thinks about this will be more expensive and not chosen because of price, for example. So I think it's more of a collaboration between IT and AV and, yeah, informing each other, yeah, about the struggles.

Speaker 2:

I'm just surprised that I've been to all these conferences and I've never seen. I mean, of course, you've heard about the MGM thing where they hacked in through a fishbowl. You heard about Target where they go through their what was it? Vacuum system or whatever HVAC system. But I think maybe the physical, like you guys from the AV world, can just play hey look, how easy it is to get into your systems by doing this to this AV box. Right, I think there should be a little bit more of that, and I mean, besides your advice of just getting the AV guys and IT and security in the same room and give them a beer and let them talk. I know that NSM has physical room security guides. Is there anything that we can play upon there?

Speaker 1:

Well, I have gone through that, uh, course, and a lot of it is more thickness of walls, how the ventilation should be. Um, is there any windows? A similar way you can look into it, I think. Generally one tip is, for example, wireless keyboards, wireless mouse, for example. The Logitech Unifying system has been broken multiple times, I think, and if that can be logged, you know, everything you type into that keyboard can be logged. So one thing is like restrict the functionality you don't need, it's a nice to have, but not a need to have, and also just tightening down on like yeah, this is just active by default, why?

Speaker 2:

Just turn it off.

Speaker 1:

You know the kind of standard practices. A lot of it was more how to act, what to think about mobile phones, use of mobile phones, some more high security things, and you have solutions for that as well when you're talking high security. But then we're back to the kind of solutions we presented attack and then units that's supposed to resist TEMPEST or have a TEMPEST Level B certification so we don't radiate. For example, HDMI cables that's too long and the EMI or radio frequencies from that is decoded into a signal so someone can wirelessly take and listen to an HDMI cable, which sounds space-age, but it's actually doable.

Speaker 2:

How many more space-age things do you have in your head right now?

Speaker 1:

actually, because, I really want to hear these things.

Speaker 1:

Oh, yeah, no. So TEMPEST is about how much radio frequencies or the thing is. For example, let's say you have an HDMI cable like this and you're inducting a current through this cable. So that means you have some sort of antenna because it's an electromagnetic field. So you could pick up an SDR, like a software-defined radio. Say, I want to listen to that specific frequency there, and then some really smart people have been able to say, ah, if it's like this, then that probably means this is the image.

Speaker 1:

So you will see if it goes on YouTube demos of people having like black and white images wirelessly from a computer connected to another screen and they can see this image on the screen. Yes, it's fuzzy, but you can actually read it. So, um, and then things like this. That sounds very space age. When you know when you're talking about, for example, going back to the Sansevier and stuff like that, it's like, hey, you have other ways of getting in, right, if the main IT security is quite watertight, and you go, oh, we installed a KVM switch, for example. Yeah, it was non-secure. Oh, we can attack this chip that sits on this KVM and through that have access to other networks, right, it's a lot of these kind of solutions that you don't usually think about.

Speaker 2:

I would think the Five Eyes and the FSB and all these cool spy agencies. They know how AV works, they know how KVM switch works.

Speaker 1:

Oh, yes, absolutely, absolutely, absolutely. And things like, for example, the one, the diode I was thinking about, which blocks higher frequency from transmitting data, but also have a timer, so it's web cameras just active when you speak and it automatically turns off based on the timer. Things like where do you have your confidential discussions and is it in a room that has a mobile phone or a camera or microphone? The answer is most likely yes, of course.

Speaker 1:

And we're usually carrying it ourselves yeah so, and then it's like it becomes like this fancy attacks, that's been done right by fancy bear or or others, of course. That's like you don't think about that this would exist, that this won't be able to do, but it is. But I'm I'm not that worried about that for the mainstream.

Speaker 1:

Let's call it that, but specifically in higher security it's one thing to think about and also that, for example, HDMI. You have the CEC, which is consumer electronics control. It's an own network, an integral network where it can have two-way communications. So when you're talking about AV security, video security, you have, for example, disabling CEC, disabling HDCP, which is copyright protection, because it's a two-way communication, uh, disabling EDID, the communication between the screen and the PC about resolution. So all these two-way communications doing hardware security saying, nope, we're going to block that and we're going to set our own resolutions. So we know that someone can't hack into the screen or projector, implant a malware or something like that and gain access through that way. So it varies a lot from the very simple things to the more complicated, like that and trying to secure them, and that will be mostly in, for example, defense and things like that, where those kinds of high security solutions are very prevalent and also required.

Speaker 2:

So we've talked about, you know, av, a lot of things that are in meeting rooms and stuff like Wi-Fi and printers are also in the same world, or no?

Speaker 1:

Oh yeah, absolutely. There's a lot of units that has Wi-Fi, right, but maybe they just use the cable, so the Wi-Fi is default configured and stuff like that. Um, printers, yes, but of course that's more of an IT problem. I think not necessarily any problem, but we see, oh boy, how we see a lot of printer attacks on outdated web servers, hard drives containing information that hasn't been checked.

Speaker 1:

Maybe of course, it's a physical attack, but there's a lot of kind of oh right, we're just going to do a service on this MFP, we're from Konica Minolta or Canon or just pretending to be someone and just yanking out critical information or maybe installing a sniffer or something like that, and a lot of situations that will go unnoticed because it's just ah, I don't want to be a bother for that person, let's just let him do his thing, right. So and the same thing, I will say, will be in the AV world, for example. Let's say you're in a big university, I would guess you would not stop someone saying we're going to work on some maintenance on this auditorium or this meeting room. You would just say, all right, just do your thing. We need our meeting room, it's important, thank you for your job. Right?

Speaker 2:

In Norway we wouldn't even say hi to them. You'd just be like, oh, that's busy. Oh yeah, no, no, it's like oh, let's not bother that person and externally they're important.

Speaker 1:

Yeah.

Speaker 2:

Well, it's okay. So when I go and talk to my clients afterwards and I and I ask them, hey, do you know what AV means? And they're going to say antivirus, I'm going to say no, audio and video. What do you think about security around your AV? My guess is they're going to be like look at me like I'm strange, or laugh and or say that's IT's problem. But that's basically where you have this discussion at the start.

Speaker 1:

Or all of the above.

Speaker 2:

All the above Exactly.

Speaker 1:

Stop asking difficult questions, and I think, to kind of sum it up, it's a bit of we're trying to take responsibility there, but I think the responsibility needs to be shared much wider in the AV business to make sure that a lot more have a feeling of responsibility for security and the way it affects the security in the home. We're talking ideal words here, but things like talks about AV security, how can you improve it? We are one of the vendors that try to infiltrate or give a taste of AV security, but I think that more should do it. I don't have an overview of who does and who doesn't, because I just work for one company, but my impression is that it's not a very hot topic, to put it like that. It should be, though. So I think it should be.

Speaker 1:

I also think that just getting more people to talk to people like you and get your insight into okay, I want to think about AV security. Or I work at a high security or some company that has valuable assets, right, okay, how can I make sure in simple steps? Or what do I need to think about, like what is public-facing equipment? What do I need to ask my AV vendor about? And I think, even though you might not have specific answer to that, just the fact that if you get that question and the customer then relays that question back to the installer, it's going to get a lot more, let's call it in the now, right? A lot more relevant or people are going to talk about it, so I think it's a bit of an awareness campaign that needs to happen really.

Speaker 2:

Absolutely. And the worst thing about this whole thing is awareness has to come from you talking about oh, by the way, that HDMI cord you can actually track its magnet. You can use this machine that tracks the magnetics and you can see the. But it's stuff like that. I guess it starts there and then it is. If you look back at the history of attacks that have come through IoT devices, I guess it's always an IoT device. But the TV that's behind this computer or camera right here, that is an IoT device, right? Oh yeah, everything is an IoT device.

Speaker 2:

So I mean, it's just people. I think security has so much scope creep in their normal life already. They just don't want any more responsibility. They don't have time to talk to any more people, but they unfortunately have to.

Speaker 1:

Yeah, there's definitely a scope creep, of course, but I think just being able to listen to people like you and then just going, ah, this is a thing I can think about Not necessarily that it will take responsibility on everything but say, all right, he talked about something like that. Or software updates have I checked that I can update the software? Have I checked that I have a routine for this? All right, so just getting the awareness, I think, is the first step there in this process.

Speaker 2:

Well, Øystein, thank you so much for sharing your knowledge and expertise. Maybe we have to have an episode about the craziest shit that no one's ever heard of, that you know about with your devices.

Speaker 1:

Oh, yeah, yeah, absolutely, that we can do. That would be fun, that'd be really fun.

Speaker 2:

Over a beer. Yeah, yeah, thank you very much, sir, we will talk to you soon. It's been nice. Take care until next time, thank you. Thank you. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast@mnemonic.no.
