Danger! Logic Bombs in Audiovisual Control Systems

So-called Logic Bombs haven’t quite found their way into audiovisual control systems yet, but just wait…The unprepared will suffer.

This article was originally published in Commercial Integrator on July 9, 2019

Logic bombs are a form of malicious code whose effects are purposefully delayed by design. The name “logic bomb” stems from the classic ticking bomb imagery often depicted in James Bond type movies. The logic bomb initially goes unnoticed during its dormant phase, and is triggered by elapsed time, a specific date, or some combination of inputs. Logic bombs are common in computer malware, but haven’t been reported in audiovisual control systems, so you have to use your imagination a little.

Here are a few examples:

  • A logic bomb could be programmed into an AV control system, so that after a projection screen is lowered and raised 100 times, the logic bomb is triggered, and the AV system no longer functions properly.
  • A logic bomb could be set so that it is triggered on a specific date some time in the future.The AV system works fine until July 1, 2020, and then suddenly, it stops working, even if the AV system is rebooted.
  • A logic bomb could also be triggered by a certain combination of inputs.

Let’s say you have a 4-way divide/combine space that is typically separated into 4 rooms, A, B, C and D. The system is tested and works when the rooms are separated or combined into 1. But when you try to divide the rooms into A&B and B&C, it suddenly stops working.

Any permutation of the three examples above could also be combined, making the logic bomb is harder to detect.

Logic bombs in computer systems are often triggered by a certain login. Imagine if every time a particular CEO used a video conference system, it recorded and/or streamed the call to a hidden endpoint.

Who on Earth would do this?

The answer is: anyone with malicious intent.

An external hacker who has infiltrated a business network could replace the audiovisual control system with similar code that includes a logic bomb, which could open a back door for them at a later date, and/or forward logins and other valuable information out through the firewall.

This would make the security breach harder to attribute to a specific IP address or individual.

Another scenario might be a malicious internal attacker. Perhaps an on-prem AV support technician asked for a raise and did not get it.

Once they found a new job elsewhere, the jaded individual could replace the AV control system code with one that included a logic bomb. The logic bomb could be set to go off during a big annual meeting, or gather valuable information that could then be sold to a company’s competitors.

AV integrators could also implement logic bombs to generate unnecessary service calls.

Most AV systems are warrantied for the first year. After a year, the client has an option to continue the service plan on an annual basis. If they don’t have a service plan, the customer has to pay for each service call that is placed.

The best defense against logic bombs are passwords that limit the access to the audiovisual control system code. Any device on the LAN should be locked down using access controls on network switches.

Customers should also demand uncompiled copies of the final AV control system code, and watch the AV integrator upload that code to the AV system at the very end of the project, so they know there are no logic bombs.

LOGIC BOMB in the form of binary code, 3D illustration

If you enjoyed this article, you might like these related posts:

My 3-Tiered Approach to Networked AV Security

Design Principles For Secure AV Systems

Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

5 Steps to Better Cyber Risk Management

The Best Data Breach Incident Response Plans Require These Steps

 

Advertisements

My 3-Tiered Approach to Networked AV Security

How should the industry provide a whole culture of networked AV security? It could start with these three steps.

This article was originally published in Commercial Integrator on June 5, 2019

Over the last few years, the audiovisual integration industry has become increasingly more aware of networked AV security concerns, largely due to some vulnerabilities discovered in control system touchscreens and wireless presentation systems. Manufacturers have answered with firmware updates that patch the vulns, and AVIXA released Recommended Practices for Security in Networked AV Systems in July 2018

Despite these efforts, many #AVTweeps are still calling for networked AV security standards and industry leadership. We can’t just sit back and wait for cybersecurity researchers to tell us about the next zero-day vulnerability. We need to take a proactive approach and work together to leverage our knowledge.

So how do we get started?

One idea would be to launch an open group that anyone can join, like the Ad Hoc Committee on Responsible Computing Group, who publishes a regularly updated document called “Moral Responsibility for Computing Artifacts”, more commonly referred to as “The Rules.”

Or we could take a more formal approach and follow the lead of the Payment Card Industry Security Standards Council (PCI-SSC) which is an independent body that was created by major payment card brands.

The PCI-SSC sets the Payment Card Industry Data Security Standard (PCI-DSS).

That approach might work for AV manufacturers, but it might also inadvertently leave out integrators, consultants, distributors, IT professionals, and AV support personnel that work inside of organizations. All of these groups make up the AV industry, and each has their own priorities.

To involve all of these parties while still maintaining some order, I suggest a three-tiered approach:

Cybersecurity Leadership at the Industry Level

At the top tier would be a Cybersecurity Council led by audiovisual industry associations like Avixa and/or NSCA, who would work to develop standards and promote best practices in networked AV security.

The Cybersecurity Council might host annual or bi-annual 1-day or 2-day virtual conferences, where speakers and panel discussions could address market-wide security concerns.

The Council would promote cybersecurity awareness, as well as the adoption of industry-specific cybersecurity frameworks.

Cybersecurity Alliances at the Company Level

At the next tier would be Cybersecurity Alliances, which would be groups of companies that have similar interests and business models.

There could be a Manufacturers’ Alliance, an Integrators’ Alliance, and an End-Users’ Alliance (we will have to think of a better name).

AV consultants and distributors could have their own alliances, or they may fall into one of the other Alliances to keep things simple. The main goal here would be for similar companies to share threat information and strategies, much like the National Cyber Security Alliance (NCSA), who aims to make the internet safer and more secure for everyone.

The Alliances could host quarterly online meetings, but could also alert each other when they are attacked, or when a vulnerability has been discovered, as many AV companies utilize the same OEM technology.

Cybersecurity Teams of Individuals

The third tier would consist of teams of individuals, from any of the above Cybersecurity Alliances, who would focus on specific aspects of cybersecurity.

There could technical teams made up of CIOs, CTOs, programmers, and technicians who focus on recent exploits, risks and vulnerabilities, cloud security, network design, data protection, application development, access controls, forensic analysis, cryptography, incident response, intrusion detection, cyber-physical systems, databases, or web security.

There could also be non-technical teams who would be focused more on laws and regulations, procedures, and policies. They could work together to train employees, update documents, conduct risk and liability assessments, develop industry bug bounty programs, or share ransomware response plans.

The goal of this column is not to dictate what I think should be done, but rather to present a potential framework to use as a basis of discussion. My hope is that individuals within the AV industry will talk to Avixa and/or NSCA at Infocomm or other events, and maybe these ideas will get some traction by 2020.

Hackathons and Cash for Hackers: What the AV Industry Needs

AV, IoT and automation manufacturers need to better understand zero-day vulnerability. Trade show hackathons and cash for hackers should be seriously considered.

This article was originally published on Commercial Integrator on April 1, 2019

In the AV industry, the concept of hackathons at tradeshows or actually paying a hacker to exploit a networked AV product or system is usually relegated to a fun topic of discussion – but perhaps they should be considered far more seriously.

A zero-day vulnerability is one where the manufacturer, vendor, and end-user are not aware of the security risk until after the system has been in use for a period of time.  Often, they are not made aware of the vulnerability until it is exploited by hackers, which is called a zero-day exploit. Zero-day vulns are often considered a software topic, but AV/IoT devices, firmware, and control systems are also at risk.

The zero-day vulnerability timeline goes like this:

  1. Vulnerability is discovered by a black-hat hacker. (More on that term later.)
  2. Vulnerability is exploited, attack is launched, system is hacked, data integrity is breached.
  3. Vendor is made aware of the vulnerability. This day is considered “Day Zero.”
  4. Vendor works on a solution to the vulnerability, this takes some time.
  5. Vendor releases a security update and hopes end-users implement it.

Sometimes the vuln is discovered by a “white-hat” or “grey-hat” researcher, but it is hard to say if these ethical hackers were the first to discover the problem, or if the bad guys have already exploited the vulnerability, and just have not been found out yet.

There are anomaly-based intrusion detection systems that are able to detect some unknown, zero-day exploits, but finding vulnerabilities in IoT and audiovisual devices often takes some smart humans kicking the tires, and picking the locks, so to speak.

What do hackers do when they discover a zero-day vulnerability?

There are three typical tracks:

  1. Full Disclosure – release the details of the vulnerability to the public and vendor simultaneously. This forces the vendor to react quickly, but it also alerts the bad guys of the vulnerability.
  2. Responsible Disclosure – contact the vendor directly about the vulnerability, and give them time to release a patch to their end-users before fully disclosing the vulnerability to the public.
  3. Black Markets and Grey Markets – hackers and researchers sometimes sell their findings to vulnerability exploit brokers, who can then re-sell them to the vendors, nation-states, or competitors. Oftentimes, the hacker does not know who the vulnerability buyer is, or of their intentions. Many are only incentivized by the money and the challenge of finding the bugs.

Some software vendorsonline service providers, and research firms are offering big rewards for zero day vulns.

Let’s Grow Up When It Comes to Cybersecurity

In this writer’s opinion, the AV industry should follow the example set by their big IT brothers and sisters; even if an AV company can’t pay out such large sums of money, there should be some sort of cash incentives for finding security vulnerabilities in AV systems. This could happen on three levels:

  1. At the manufacturer level – offer bug bounties for white-hat hackers who report vulnerabilities.
  2. At the integration level – setup knowledge bases of custom code and configurations, and reward other programmers, engineers, and technicians who can find any vulnerabilities in the systems.
  3. At the user level – reward any employee who raises a security concern about a device or process.

There have been some recent online discussions about setting up “hack-a-thons” at AV-industry trade shows. I think this is a fantastic idea to encourage AV security, reward hackers, and spread awareness.

-Paul Konikowski, CTS-D

If you enjoyed this article, you might like these related posts on PKaudiovisual:

Design Principles For Secure AV Systems

Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

5 Steps to Better Cyber Risk Management

The Best Data Breach Incident Response Plans Require These Steps