Hackathons and Cash for Hackers: What the AV Industry Needs

AV, IoT and automation manufacturers need to better understand zero-day vulnerability. Trade show hackathons and cash for hackers should be seriously considered.

This article was originally published on Commercial Integrator on April 1, 2019

In the AV industry, the concept of hackathons at tradeshows or actually paying a hacker to exploit a networked AV product or system is usually relegated to a fun topic of discussion – but perhaps they should be considered far more seriously.

A zero-day vulnerability is one where the manufacturer, vendor, and end-user are not aware of the security risk until after the system has been in use for a period of time.  Often, they are not made aware of the vulnerability until it is exploited by hackers, which is called a zero-day exploit. Zero-day vulns are often considered a software topic, but AV/IoT devices, firmware, and control systems are also at risk.

The zero-day vulnerability timeline goes like this:

  1. Vulnerability is discovered by a black-hat hacker. (More on that term later.)
  2. Vulnerability is exploited, attack is launched, system is hacked, data integrity is breached.
  3. Vendor is made aware of the vulnerability. This day is considered “Day Zero.”
  4. Vendor works on a solution to the vulnerability, this takes some time.
  5. Vendor releases a security update and hopes end-users implement it.

Sometimes the vuln is discovered by a “white-hat” or “grey-hat” researcher, but it is hard to say if these ethical hackers were the first to discover the problem, or if the bad guys have already exploited the vulnerability, and just have not been found out yet.

There are anomaly-based intrusion detection systems that are able to detect some unknown, zero-day exploits, but finding vulnerabilities in IoT and audiovisual devices often takes some smart humans kicking the tires, and picking the locks, so to speak.

What do hackers do when they discover a zero-day vulnerability?

There are three typical tracks:

  1. Full Disclosure – release the details of the vulnerability to the public and vendor simultaneously. This forces the vendor to react quickly, but it also alerts the bad guys of the vulnerability.
  2. Responsible Disclosure – contact the vendor directly about the vulnerability, and give them time to release a patch to their end-users before fully disclosing the vulnerability to the public.
  3. Black Markets and Grey Markets – hackers and researchers sometimes sell their findings to vulnerability exploit brokers, who can then re-sell them to the vendors, nation-states, or competitors. Oftentimes, the hacker does not know who the vulnerability buyer is, or of their intentions. Many are only incentivized by the money and the challenge of finding the bugs.

Some software vendorsonline service providers, and research firms are offering big rewards for zero day vulns.

Let’s Grow Up When It Comes to Cybersecurity

In this writer’s opinion, the AV industry should follow the example set by their big IT brothers and sisters; even if an AV company can’t pay out such large sums of money, there should be some sort of cash incentives for finding security vulnerabilities in AV systems. This could happen on three levels:

  1. At the manufacturer level – offer bug bounties for white-hat hackers who report vulnerabilities.
  2. At the integration level – setup knowledge bases of custom code and configurations, and reward other programmers, engineers, and technicians who can find any vulnerabilities in the systems.
  3. At the user level – reward any employee who raises a security concern about a device or process.

There have been some recent online discussions about setting up “hack-a-thons” at AV-industry trade shows. I think this is a fantastic idea to encourage AV security, reward hackers, and spread awareness.

-Paul Konikowski, CTS-D

If you enjoyed this article, you might like these related posts on PKaudiovisual:

Design Principles For Secure AV Systems

Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

5 Steps to Better Cyber Risk Management

The Best Data Breach Incident Response Plans Require These Steps

Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

Your AV installations ARE incredibly vulnerable to cyber threats. The first step to understanding that is learning these cyber attack terms.

This article was originally written by Paul Konikowski, and published on Commercial Integrator on February 12, 2019

I accidentally started a “tweet storm” in January. I shared a recent blog post by an AV installation technician named Anthony Tippy. In his post, “@Tibbbbz” showcases “how vulnerable audiovisual equipment and AV installations are, in hopes of improving security awareness for companies and manufacturers”. It was pretty shocking to see how many devices he could gain access to online.

Readers may have also heard about the Crestron TSW-XX60 and MC3 vulnerabilities, or “vulns”, uncovered by Ricky “@HeadlessZeke” Lawshae in 2018.

Other vulnerable AV products can be found by searching brands in the NIST National Vulnerability Database as well as the advisories issued by the Industrial Control System-Cyber Emergency Response Team (ICS-CERT).

Most of these vulns can be patched by updating the firmware, securing the network, and/or enabling the passwords on the devices.

But uncovering and patching these device vulnerabilities is only one aspect of securing AV installations. Securing and segmenting the network is another obvious one, and I will leave that topic to the experts.

But just as importantly, it is also imperative for readers to understand the other possible cyber threats, the different types of cyber risks, and other basic terminology used in cybersecurity policy discussions.

One of the best analogies I have heard is, a vulnerability is like a glass window, and a threat is like a rock that can break it.

Continuing on this analogy, a threat actor is the person throwing the rock, and the risk is the cost of replacing the window, as well as anything that was stolen while the window was broken.
There are three areas of risks when it comes to cybersecurity:
1. Business

  • Hackers can steal valuable data and account information. In other cases, the services you provide to your clients may be disrupted, if your communication networks are unavailable.

2. Reputation

  • What comes to your mind when I say Equifax, Target, Sony Pictures, and Yahoo!? Even if companies address their vulns, their reputations, and their stock prices, can suffer.

3. Legal

  • Class action lawsuits and regulatory hearings are not cheap. Some CEOs end up in jail.

Similarly, we can divide cyber threats into four basic categories and provide an example of each:
1. Unintentional External

  • An outside client unknowingly sends an attachment with a virus on it.

2. Unintentional Internal

  • An employee uses an infected USB drive they got at a trade show.

3. Malicious Internal

  • A retiring employee who purposely deletes files on their last day of work.

4. Malicious External

  • Hackers, vandals, terrorists, nation-states, or even business competitors.

More Valuable Cyber Attack Terms

An attack surface is basically all of the exploitable vulnerabilities in AV installations, including open ports on servers, applications both outside and inside of the firewall, and any software that processes incoming data, email, and attachments.

It also includes humans who may be prone to errors, or social engineering. Adding new types of AV devices to an organization’s ecosystem is said to increase the cyberattack surface area.

An attack vector, Victor, is the exact means or the path within the surface area that a hacker uses gain access to a computer or network server. Attack vectors enable hackers to exploit a system’s vulnerabilities, including the human element.

For example, if I call a website, or your corporate IT helpdesk, and I ask them to reset a password, will they bother to verify I am actually who I say that I am?

Attack vectors can be easily confused with an attacker’s capabilities, which are the collection of various methods and skills he or she can use to launch an attack.

The difference here is that capabilities describe the attacker, whereas attack surfaces and vectors are about a particular victim and attack.

Going back to the broken window analogy, capabilities are something the threat actor would carry with them, like a backpack full of rocks, a crossbow, and a BB gun.

They may chose different ones for different houses, or they may use similar attack vectors, depending on the attack surfaces, or vulnerabilities, of each house.

Now that we’ve covered the basic terminology, I invite readers to join in the next AV security tweet storm, forecast for February 17, during the weekly #AVinTheAM chat.

It’s easy to participate, just get on the Twitter anytime after 8am Eastern on any given Sunday, and search the hashtag #AVinTheAM.

If you enjoyed this article, you might like these related posts on PKaudiovisual:

5 Steps to Better Cyber Risk Management

The Best Data Breach Incident Response Plans Require These Steps

Proofpoint ($PFPT) Releases Solution To Detect and Respond To Compromised Microsoft Office 365 Accounts

5 Steps to Better Cyber Risk Management

This article was originally written by Paul Konikowski, and published on Commercial Integrator on January 15, 2019

Does your company accept credit card payments?  Does your human resource department keep records of the employees’ personal data? What about third-party vendors that handle payroll, or even the folks who take the garbage out? Nearly everyone has a camera on their smart phone these days.

So, before you can protect the data of your clients and design secure audiovisual systems, you should look first at your own company’s cyber risk management framework.

There is no single cyber risk management approach that will stop all cyber crime; it varies per industry. But generally speaking, there are five elements that are common in successful cyber risk management:

  1. Start with a proper cybersecurity framework, which provide a structure for ensuring your “CIA”:
    1. Confidentiality of sensitive data – restricting access to who can view the data
    2. Integrity of the systems – controlling who can write or change or delete data
    3. Availability – ensuring that systems are up and running when they are needed

There are a number of cybersecurity frameworks readily available; the most relevant to audiovisual systems contractors are the ISO/IEC Security Control Standards, the FCC Cyber Security Planning Guide, and the NIST (National Institute of Standards and Technology) Cybersecurity Framework, which has been widely adopted across many industries.

  1. Implement a balanced distribution of responsibility. Many users think that cybersecurity is the responsibility of the IT department, but it is really everyone’s responsibility. Anyone with email access can be susceptible to a “phishing” scam where they inadvertently click a malicious link or attachment. Executives must understand the risks and their responsibilities.
  2. Take a holistic approach to security. Consider not only technical factors, but human and physical factors. It is important that companies equip their employees with the right tools to recognize phishing email and malware, or even bad actors within their organization. Develop a company culture of cyber-awareness, and provide adequate training to all users. Reward users for raising security concerns. Minimize physical access to equipment using access controls.
  3. Develop a thorough and ongoing risk assessment process. The first step is to identify and categorize your assets, including digital assets and intellectual property (IP). Next, identify the threats to your organization, which could be external, like a hacker locking up your systems using ransom ware, or someone stealing credit card or personal informational, or a hacktivist who doesn’t agree with your company’s values. Maybe a competitor wants to shut you down for a week and ruin your reputation? But there could also be internal threats: users who might accidentally delete files, or malicious employees who try to steal your trade secrets. Assume you just hired the next Edward Snowden. Consider a third party who can test and assess your systems and vulnerabilities. Like humans, most companies cannot recognize their own faults.
  4. Everyone in the organization needs to know what to do when a threat has been detected. We talked about Incident Response Plans in greater detail last month.

By developing and maintaining a cyber risk management approach for technicians, you can minimize the cyber threats and resulting impacts to your organization. You will also be prepared when your clients ask you for a copy of your cybersecurity policy or risk mitigation plan (and they will!)

If you enjoyed this article, you might like these related posts:

The Best Data Breach Incident Response Plans Require These Steps

Proofpoint ($PFPT) Releases Solution To Detect and Respond To Compromised Microsoft Office 365 Accounts