The security of our AV devices is the leading focus of discussions in the AV industry today. Some are forecasting a future full of security compromises, embarrassments, and even liability claims. Others say that view is an overreaction. They are convinced that our networked devices can be separated and locked down. I believe that if we don’t educate ourselves and practice diligence, the first opinion is eventually more likely to be more correct than the second. In this Byte-Sized Lesson, I’ll elaborate on why I hold this view.
AV devices are evolving quickly. Ten or 15 years ago:
- AV devices were each essentially fixed functions and never needed to be upgraded.
- Almost none (or very few) were connected to an Ethernet/IP network or the Internet.
- You needed to be physically present at an AV device in order to configure or manage the device.
However, today, any or all of these statements could be false about a typical AV device.
Today’s AV systems are more often embedded devices using an embedded operating system (OS). According the IEEE (Institute of Electrical and Electronic Engineers), an embedded system is a computer system built into a larger device that usually has a specialized purpose. Encoders, transcoders, gateways, and signal processors fit this definition nicely. There are two essential components here—the embedded processor and the operating system.
The best way to understand their role is to consider examples. Toshiba, Intel, Analog Devices, and many more companies make embedded devices. One of them, ST Microelectronics, is a multi-billion dollar manufacturer of embedded microcontrollers. Some of these are used in the audio industry. According to Michael Markowitz, their STM-32 microcontroller family has a very large market share with support for several operating systems. They recently added STSAFE-A100, a capability with built-in authentication, secure communication, and key provisioning. Remote communications is secured with TLS (Transport Layer Security), which is used across the computer industry.
There are dozens of embedded operating systems. Just a few of these include Android, Ubuntu Touch, Windows CE, and Yocto Linux. VXWorks, used by AMX, is an embedded OS that is widely used across several industries. It features a full TCP/IP stack, FAT compatible file system (like USB sticks), a firewall, mobile IP, a C+ compiler, and other features commonly found in Windows, Linux and Apple computer systems. Therefore, like any other computer system, it must be configured and managed properly to be secured.
Prysm, a manufacturer of large displays and collaboration solutions, focuses on the security of the content and video that is exchanged among participants. They use AES (Advanced Encryption Standard) which is widely accepted as secure. Paul Harris, of Aurora Multimedia Systems, said that their transceivers are based on commonly available embedded systems. However, Harris suggests that device developers should not follow the embedded system manufacturer’s reference design. That design is often published, making the system more vulnerable.
So, what does this all mean for the AV industry? Most Linux or Linux-derived devices are thought to be lower priority targets for hackers. However, Linux is rapidly growing in popularity. So the target is getting larger. I believe we must:
● Continue to educate ourselves about computer and network security. Our ignorance is the hacker’s best friend.
● Make security of our AV devices a high priority, on par with the security of our PCs and business systems.
● Expect AV device manufacturers to make security a dominant design criterion.
The IT industry is watching development in the AV industry. A spokesperson for Symantec, a leading vendor of IT security products, already has subsections focused on embedded devices in medical, aerospace and industrial control. As the AV industry evolves, you can expect companies like Symantec to appear.
Phil Hippensteel, PhD, teaches information systems at Penn State Harrisburg. He is a regular columnist with AV Technology magazine. Take a class on AV/IT security at an upcoming AV/IT Leadership Summit. Visit www.avitsummit.com for dates and details.