There’s been quite a shakeup in the wireless collaboration world – it’s a wakeup call, and the AV community should take notice. On May 2nd, SecurityWeek published an article by Edward Kovacs, "Many Vulnerabilities Found in Wireless Presentation Devices," describing how researchers at Tenable discovered 15 security vulnerabilities across eight wireless collaboration systems, including flaws that can be exploited to remotely inject commands and even install software on those units.
This is very serious, and since, as CTO, I’m in charge of the security of our product in this space, you can bet I put a call in to Tenable right away. We are not vulnerable to the exploits – but many products are.
I’ve had several emails and IMs directly related to the vulnerabilities discovered in other products, so I want to first talk about the problem and how it happened. More importantly, I’d like to point out what this means for AV technologies as a whole.
How can the same vulnerabilities be found in eight different systems from different manufacturers? The technical heritage of all of those products can be traced back to the same Taiwanese company, Awind. The products wrap different features and varying amounts of user-interface polish around the same core technology, but fundamentally they are the same product. All eight systems continue to share code! Some of the vulnerabilities are considered critical: they include the ability to obtain unauthorized access to a device, remote exploitation to change administrator and moderator passwords, and the ability to cause a denial-of-service (DoS) condition.
So how did this happen?
Most of these companies emerged from the AV space, but that shouldn’t be an excuse. AV began to take center stage as a legitimate technology field more than ten years ago, as dedicated video began to migrate to traditional digital networks. The convergence of AV and IT has been remarkable – it’s given us consumer video streaming to the home, wireless in the conference room, and amazing experiential environments both at work and at play.
But some of these companies don’t take the responsibility of shipping a network-enabled device seriously. I’ve blogged about this in the past and, in light of what just happened, I was perhaps too circumspect. So I’ll be blunt: when you design a network-attached appliance, you take on a new and unique responsibility, that of the security and stability of your customers’ network. You need to ensure your device is tested often by independent, third-party companies. You have to build fail-safes and monitoring services in concert with cool new features.
Should customers shy away from wireless streaming in the enterprise?
Absolutely not. It’s tempting to listen to companies that encourage you to deploy isolated products (e.g., Barco’s ClickShare often encouraged users to deploy rogue WAPs rather than attach to the network), but that’s an approach that looks backward and isn’t scalable or even maintainable. Instead, customers should hold companies accountable. You put printers on your network and expect them to be secure. You should be able to deploy AV products, which are arguably more important to your workplace productivity than printers, with the same expectation.
How does Mersive ensure security?
First, it’s an ongoing process. I monitor the NIST vulnerability database every week. With every release, we audit new features in light of how they’ll affect security. In fact, we consider security so central to our customer relationships that we run multiple third-party penetration tests each year. This is not an inexpensive process (in both time and money), but it’s well worth it. These tests help shape our roadmap and our hardening methods. We also share the results of these tests with our customers, because we believe transparency is key to ensuring all parties can rely on our ability to provide a stable and secure network-attached device.
If you want to read more about the importance of security in the world of AV, take a look at the post I published just last month, "Security in the World of IoT." If you’re developing network-attached products (who isn’t in the AV market?), consider adding a security product manager to your team. If you’re one of the eight companies that appeared in the Tenable report, you should probably not only add a security officer but rethink your approach to security overall.
What should you do if you have some of these products still on your network?
Shut them down until you can validate that they no longer exhibit these issues. I’d isolate them and run a port scan to check for the vulnerable signature. Also, reach out to our sales team and see if you can swap those products for a Solstice Pod.
We take great pride in everything we do from our deliberate and fastidious code builds to our human-centered UI design. I think our careful approach comes from our academic background, and I hope this comes across in our products.