A number of years ago we began to see corporate AV systems using WiFi control for a number of their components.
During our Cyber TSCM wifi inspections we often find unsecured routers appearing in conference room AV racks. These routers are not usually connected to the corporate network. That may be why the installers did not think it was necessary to secure them, even though the routers have encryption capability.
If it’s not on the corporate network, there is no risk of data loss, right?
Wrong, that could be a dangerous assumption.
In fact, in spite of however strict the IT security policies may be, the IT department may not even be aware of their existence.
While a hacker may not gain access to terabytes of corporate data this way, they still could slip in to monitor or disrupt activities in the boardroom and create havoc by shutting down or interfering with presentations.
Barco CSC-1 ClickShare system, wifi video projection.
If you are using wireless projection systems, we advise checking with the manufacturer to see what effort they made to secure their signals. We recently looked at the ClickShare projection system by Barco. ClickShare uses USB dongles “buttons” that transmit video content from presenter’s pc’s over wifi to the base unit that connects to the projector or screen. While using wifi as it’s means of transmission, Barco has taken steps to see that their projected images are as secure as possible, encrypting images before sending, and then encrypting the wifi signals as well. They have a whitepaper describing their security considerations. See if your equipment providers can supply such information. Read Barco’s whitepaper Even if your vendor does have security on their mind, there still could be problems. Recently, security researchers at SEC Consult discovered a backdoor programmed in popular AMX conference control systems. See [SEC Consult blog post] and [CNN Money report]. Due to situations like this, you want to keep on top of your conference systems to be sure they have the the latest security related updates, just as your IT department should be doing for your computers. Although they have taken security seriously, even Barco describes potential system abuse in their whitepaper: “It is possible to abuse the system by pairing a Button with the Base Unit in the meeting room before the meeting starts, or connecting and sharing with the mobile app, in order to show unwanted content from outside the meeting room (within Wi-Fi range)… Every Button that shares content with the Base Unit does reveal its user on the central screen (the name of the user as read from the operating system configuration). Any user showing unwanted content must be in the vicinity of the Base Unit and can easily be traced. Such abuse can also easily be thwarted by resetting the WPA2 password in the administration interface at the beginning of a critical meeting, then pairing only the Buttons present in the meeting room and providing the password only to the mobile-app users participating in the meeting.” An information security attack could come from hackers miles away, or it could also come from someone sitting in the next room, down the hall, or on a nearby floor in your building. All avenues should be considered and protected.