Sometimes, it takes a shocking incident to alert us to the vulnerabilities of our digital networks. By now, you’ve probably heard or read about the hacked transit signage network that resulted in the streaming of pornographic video on a large display at Union Station, in Washington DC, last May. While the network operator and partners investigate where and how the security breach occurred, it would be prudent for all involved in the digital signage industry to review the security measures in place for the systems they oversee.
Security risks for signage systems can extend beyond the embarrassment of inappropriate content and the loss of advertising revenue. Risk factors range from points of device connectivity and cloud-hosted software to human processes. Unless network and data security are made a top priority from the planning stages right through to day-to-day operations, it will be very easy for unauthorized content to be displayed on any screen at any time.
At most educational institutions, digital signage displays are used for broadcasting emergency notifications; that means malicious disruptions can adversely affect the safety of students, staff and visitors. Additionally, analytical data gathered by the system can have great value and, therefore, it could present an attractive target for industrial espionage. Although preventing the display of unapproved content is of primary concern, it’s also important to protect the digital property of signage system stakeholders. “Securing video analytics data must be a constant priority, not a periodic responsibility,” a whitepaper, “Securing the Integrity of Video Analytics Data,” released by research firm Parks Associates, stated.
It’s critical that network security be part of the planning process at the earliest stage.
If all this seems daunting to you, it’s important to remember that, as a designer, integrator or system manager, you don’t have to address these issues on your own. Whether the intention is to contract network management to a service provider, a consultant or the IT department of a stakeholder on the team, it’s critical that network security be part of the planning process at the earliest stage.
The physical design of the system, including the choice of media players and other hardware, as well as content-management software, can have a profound effect on a signage network. Security breaches can occur at any point—from display, to server and router, to human process touch points—but design, integration and management best practices can minimize the risk.
Starting with the screen itself, disruptive content can be inserted via HDMI, USB, memory card or other direct inputs. Making sure that the inputs are physically secure is a first step in protecting signage. Disabling IR control is also important to avoid illicit switching of inputs. If the displays are “smart TVs,” internal Wi-Fi connectivity might also have to be effectively disabled.
Media players are another weak point in the signage security picture. In some installations, inserting unsanctioned content can be as easy as slipping a thumb drive or an SD card into an exposed player. Some networked players, such as generic Android-based units, might be particularly vulnerable to hacking. Recently, Google patched more than 1,000 Android vulnerabilities, some of them involving mobile access. Whenever possible, players should be secured from local access and control. Additionally, networked players should have their operating and security software frequently updated by the system administrator.
The fact that many screens are not monitored on a regular basis, use wireless connections and offer interactive access to the public makes them tempting targets for intrusion. The integration of IP-connected devices and mobile interactivity has further elevated the need for stringent security on digital signage networks. Interactive functions should be thoroughly tested to make sure they cannot be used to display unauthorized content. That being said, it’s also important to assure that access procedures are not so complex or tedious that customers avoid using these features altogether.
Hackers can also hijack your system if your network connections or servers are not secure. And, although cloud-hosted software offers several advantages, if media bridges are not properly secured, the system is very vulnerable to attacks. Ultimately, if your security policies, procedures and training are not effective, you might as well publish your passwords on the internet. But even when bulletproof software and hardware security are in place, signage systems are still easy targets for intrusion through what is termed “human engineering.” That tactic involves attacking the system through interaction with potentially undertrained personnel, such as administrative assistants and temporary employees. It can take the form of a phishing email or even a phone call from someone impersonating “Phil from Accounting,” who has misplaced the new system password. To combat con artists such as these, it’s important that every employee with access to the system—even an intern assigned to update PowerPoint presentations or event schedules—is thoroughly trained and impressed with the importance of sticking to approved procedures.
There is no one-size-fits-all security solution for digital signage, so it’s best to learn about the different ways that your counterparts are addressing security issues, and then get expert assistance if you have any doubts. Check out the Viewpoint article, “Security & Privacy Concerns,” in the Fall 2016 edition of IT/AV Report. Another excellent roundup of expert opinion on signage security can be found at www.digitalsignageconnection.com/ask-board-network-security-maintenance.