Wireless Security: Patching exploits

A recent security flaw found across eight different wireless presentation systems could prove to be a watershed moment for the AV industry. Paul Milligan reports.

Security has always been important in the AV world. Manufacturers have always been fiercely protective of any trademarked technology leaking, and clients are just as protective of unauthorised access from rival firms keen on garnering trade secrets.

Right now, security means fighting unauthorised hacks and cybercrime. Providing security across global networks is something the IT world has become accustomed to for decades now. As the AV world is increasingly morphing into the AV over IP world the need for AV hardware and software to be secure across IP networks has also risen. The growing desire of end users to move towards wireless technology, including the huge rise in wireless presentation devices such as Barco’s ClickShare and Crestron’s AirMedia, has further heightened the importance of security.

The issue of wireless security came into sharp relief this summer when a report by cybersecurity firm Tenable was published highlighting 15 vulnerabilities across eight wireless presentation systems. The vulnerabilities included flaws that could be exploited to remotely hack devices.

The companies affected included some of the biggest names in pro AV; Barco, Crestron and Extron. The security flaws were discovered by Tenable during analysis of Crestron’s AirMedia AM-100 and AM-101 products. However, it then became apparent that a host of other devices from other manufacturers shared the same code. The 15 security flaws found also impacted the Barco WePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, Sharp PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS. The code appears to have originated from AWIND and its WePresent product [WePresent was bought by Barco in 2012].

Jacob Baines, the writer of the original Tenable blog post outlining the flaw says he discovered Crestron had patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000. In his research Baines found this was not an isolated problem and discovered more than 100 different universities in North America had these devices exposed to the internet. Another issue Baines found was that even though some manufacturers had released firmware addressing these issues, the most up-to date version of the Crestron patch (1.6.0.2) was only installed in less than 20% of AM-100 devices he scanned.

Baines said: “The AM-101 situation is even worse. Less than 18% have the most recent firmware.”

He said: “What have we seen here? A resold platform that has different levels of patching across different vendors. Slow patch deployment amongst the user base. Difficult to obtain firmware. Installations that expose the devices to the internet. And, finally, poor software development practices that left all the devices open to unauthenticated remote code execution.”

To find out their side of events, and what the legacy of this incident might be, we spoke to three of biggest companies involved – Barco, Crestron and Extron.

First of all, could they have responded quicker to the situation?

Rainer Stiehl, VP of marketing for Europe at Extron, says: “There’s always a lesson to be learned. For us, one of the things that that we did, prior to this disclosure becoming public, was the development of our ShareLink Pro platform, which differs from the ShareLink 250 series identified in that article. We really took a different engineering approach to the Pro version of the product, and one of the benefits is better control over these types of situations.”

Time will tell whether this was an isolated incident or not, but from speaking to Extron, Crestron and Barco, it is clear all three took this situation very seriously.

John Pavlik, senior director system engineering at Crestron, says: “We learned a lot from this, and from the changes in the cybersecurity world that have been happening since the release of the original AirMedia AM-100 product in 2013.”

He continues: “We now have a team of dedicated security researchers that devote their time to poking holes in our own products long before they reach the public. Besides our own security team, we have also engaged with outside researchers to further test our own testers.”

In the original Tenable blog one point made by Baines is that “poor software development practices left all the devices open to unauthenticated remote code execution”, but is that a fair claim?

The blame for a lot of this situation is falling on the original AWIND code. David Martens, product security architect at Barco, says: “In those days, security and security vulnerabilities and security testing was less mature, so those vulnerabilities were always there in that code base. This is code which was used in most cases in products that have reached end of life.”

Was it “poor software development practices” at work?

Stiehl says: “When you have developers who aren’t part of your organisation, you lose a little bit of that control, and that was one of the big motivations for us to move to the introduction of the Pro series.”

This issue grew as the platform was resold to different vendors, so going forward would the companies involved be looking to create their own bespoke coding more often?

Yes, says Stiehl: “When you’re working with a third-party group, the timelines of those resolutions become a challenge. That’s one of the reasons we brought a lot of engineering expertise in-house.”

Barco’s Martens makes the point that it’s quite common to reuse components from other companies, and it is frequently done. The difference is the current climate we live in. Martens says: “Ten years ago we would perform some functional testing on a source code base or a product or component that you wanted to integrate, we were not thinking about security. Today that’s totally different. In those times there was a huge focus on functionality, but there was absolutely no focus on security. That’s a lesson to be learnt, today if you integrate components from a third-party company or partner, after functional testing, security is also a very important task to take on.”

Security is an issue of control says Stiehl: “We saw wireless presentation capabilities as a key technology that we needed to have in-house. We wanted to be able to have control over that technology, the same way that we do with things like our scaling technology, our AV over IP technology etc. As things change in the security landscape, we’re able to be more responsive.”

The growing use of wireless presentation systems inevitably means they will be more exposed says Martens: “The more popular they become, the more exposed they become, and the more visible they are to hackers. There’s nothing wrong with that, but you must be aware of it.”

The issue is with the internet at large adds Stiehl: “As soon as you post something on the network, it becomes a much larger threat.”

Is this issue something that we as users just have to accept as part of modern working life now? Martens says: “The people who design a product are human, so they will make mistakes and errors.”

Instead, get as much information as you can to protect yourself. Martens adds: “If you are choosing a wireless presentation system you must at least verify who is the owner of the product, who created the product, and how they deal with security. Those are signs that the company who is creating the product is taking security seriously.”

Considering the effects can be hugely disruptive to your business, should we be asking manufacturers to be more vigilant in patching vulnerabilities? All three companies we spoke to now have teams in places to handle vulnerabilities and flaws.

Pavlik says: “We are working on two fronts: before we release a product, it is heavily tested by a team of dedicated security researchers. Once a product is released, everybody can easily report potential vulnerabilities that were overlooked through the form on our website dedicated to security.”

Security is a huge issue, but let’s not forget these are businesses we are talking about, and if sales are being hit, you can bet there will be a reaction. Stiehl adds: “We have a responsibility to deliver products that are secure. If we aren’t the ones doing it, then the end user is going to demand secure products elsewhere, and we certainly don’t want that to happen.”

One of the issues raised by Tenable was slow patch deployment among the user base. We have talked about manufacturer’s responsibilities, but do end users have to be more vigilant in making sure the latest versions are installed?

Martens says: “The end user in most cases is not even aware, and that’s a huge problem. They buy a product that works and they never think of updating because it works like it should.”

Updating software fixes is something we should all be better at says Stiehl: “I think the AV market trails the IT market a little bit in the sophistication of patch management. But I think that’s something we’re going to see within the AV side of things in the future, we will have more active patch management, whether that’s something the IT groups layer over AV products or something that the AV vendors provide themselves.”

It’s clear a great responsibility lies with manufacturers on security issues. Speaking to the three big names involved here, it’s obvious they take security seriously, they’d be crazy not to. They all now have security teams in place to hunt for flaws before the product is even released. If there is still a problem in software released out into the market they have teams to fix the problems as quick as they can. The ability for users to easily report issues is a key one here.

Some products will be used in a way out in the field that the manufacturers will have never imagined. We do trail the IT world in fixing software problems, but only because they have had decades of experience doing this, and security flaws are a far bigger problem in the IT world than in ours.

Being concerned about security is a sensible way to go about life, but the numbers of issues in the AV world are luckily quite small, as this final quote from Extron’s Stiehl highlights: “Look at the CVE (Common Vulnerabilities and Exposures) numbers. At the time of the disclosure, there were almost 4,000 logged vulnerabilities in the CVE database. If 15 of those 4,000 vulnerabilities apply to the AV industry, then percentage- wise we’re doing all right.”

Article Categories