In the AV industry, the end users are typically represented by two separate, yet equally important, groups: the designers, who specify the systems, and the integrators who install them. Our goal is to act as a third party to commission these systems. These are our stories.
AV9000 Checklist Item Under Test: 6.4.6: All network logins and physical-network-security protocols have been determined and verified to meet the client’s and Authority Having Jurisdiction (AHJ)’s network-security best practices and requirements.
Reasoning: There are many reasons that integrators leave the default login credentials on devices. A few of them are as follows:
- Default logins (for example, admin/admin) are easier to remember for all technicians.
- If credentials are lost, it will require resetting the device and losing all its configuration.
- It is the client’s responsibility to manage the device network settings.
All of those have some merit. However, the risk that they create for our clients—not to mention the installers who left those security lapses—is just too high. As designers, we must make sure there is some documented, client-approved device-login strategy. Meanwhile, as installers, we must make sure it is fully implemented.
This Month’s Story
My son is three years older than my daughter is. When my kids were little, we had the house pretty well “baby-proofed.” That included having lockable gates at all the danger spots in the house. It worked beautifully. However, as my son got older and steadier, he didn’t really need all those gates up. My daredevil daughter, however, most definitely did. It got to be somewhat frustrating to have to get up and unlock the gate every time Lucas (the older boy) needed something in the other room; after all, he flew up the stairs with ease.
After a particularly long week (and to give myself a break), I gave in and taught him how to unlock the gates by himself. I also explained how important it was that he close the gate behind him to protect Iris (the little daredevil). I thought I did a great job with the talk, but, apparently, I was mistaken. Not 15 minutes later, the gate was wide open, and he was cackling with laughter at his baby sister, who was swinging back and forth on the open gate like a sideways, jungle-gym swing. Naturally, this got me thinking of commissioning AV systems and network-security issues.
Useful Universal Passwords
Many years ago, I remember being terrified about changing the default login and password information for devices. Everyone on the team knew the login, and everyone could access the digital signal processor (DSP)…the controller…the whatever. If the login was lost, the best-case scenario was that you had to factory reset the device and lose all the configuration information. The worst-case scenario was that the device had to be sent back to the manufacturer to be reset. It was intense. This was back when most default logins were admin/admin.
Nowadays, many manufacturers have upgraded their default-password game to at least give each device a unique default password. It might, for example, include some piece of the serial number or media access control (MAC) address. Sometimes, this is required by state or federal law. (Quick side note: Passwords incorporating serial numbers are more secure than those based on MAC addresses. The reason is a device’s MAC address can be sniffed out with a network scanner.) These are huge steps forward. Someone simply snooping around the network would have a hard time guessing login credentials unless they were physically in the room. If they were in the room in front of the device, however, it would be trivial to break through this level of security. As such, it still poses a high network-security risk.
Hurdles In Accessibility
The best solution would be to require that passwords be updated on all devices as often as actual network users are required to make updates. A login change might be required every six months, three months or even as frequently as every month in some organizations. Although, from a security point of view, this is safe, imagine the effort required to change and manage the passwords on all network devices that frequently at scale. Sure, the passwords themselves could be automated. But how would you let technicians around the world know the current passwords when they have to access the equipment, and they must access it securely?
I don’t think there is any perfect solution that balances network security for IT administrators with device accessibility for AV technicians. By definition, these two concerns conflict. The staging-and-commissioning checklists simply require that the login for devices meet the client’s and the AHJ’s network-security best practices and requirements. Each client has a unique network-security protocol, and that protocol should never be violated by the AV team. How locked down the client wants its network is up to the client. (Naturally, the client should understand that that decision will affect the ease of servicing and maintaining the AV systems.)
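One way to verify checklist item 6.4.6 offline, covering both the label-derived defaults discussed under “Useful Universal Passwords” and the rotation policy discussed under “Hurdles In Accessibility”: audit the commissioning inventory rather than probing devices on the client’s network. This is an added example, not code from Sound & Communications or the AV9000 program; the device names, serials, MACs and the 90-day policy are constructed, and the list of static factory defaults is an assumption to be replaced with the project’s vendors.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    name: str
    serial: str
    mac: str
    username: str
    password: str
    last_changed: date  # date the credential was last rotated, from the commissioning log

# Static factory defaults to flag (constructed list; extend with the vendors on the project).
STATIC_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}

def label_derived_candidates(dev: Device) -> set:
    """Passwords a vendor might derive from the unit's label: the serial number or the
    MAC address, in full or the last six characters, in either case."""
    mac = dev.mac.replace(":", "").replace("-", "")
    raw = {dev.serial, dev.serial[-6:], mac, mac[-6:]}
    return {v for s in raw for v in (s.upper(), s.lower())}

def audit(devices, rotation_days: int, today: date) -> list:
    """Return (device, finding) pairs for credentials that fail checklist item 6.4.6."""
    findings = []
    for d in devices:
        if (d.username.lower(), d.password) in STATIC_DEFAULTS:
            findings.append((d.name, "static factory default"))
        elif d.password in label_derived_candidates(d):
            findings.append((d.name, "default derived from serial or MAC label"))
        age = (today - d.last_changed).days
        if age > rotation_days:
            findings.append((d.name, f"password age {age}d exceeds {rotation_days}d policy"))
    return findings

# Constructed commissioning inventory; names, serials and MACs are made up for this example.
INVENTORY = [
    Device("DSP", "DSP-000123", "00:1A:2B:00:01:23", "admin", "admin", date(2024, 1, 10)),
    Device("Controller", "CTL-445566", "00:1A:2B:A1:B2:C3", "admin", "A1B2C3", date(2024, 5, 15)),
    Device("Switch", "SN12345678", "00:1A:2B:77:88:99", "admin", "SN12345678", date(2024, 5, 20)),
    Device("Display", "DSP-998877", "00:1A:2B:11:22:33", "admin", "g7!Rq2#vLp9z", date(2024, 1, 1)),
    Device("Camera", "CAM-112233", "00:1A:2B:44:55:66", "admin", "Zt4$wN8&kHe1", date(2024, 5, 1)),
]

def run_example() -> list:
    """Audit the constructed inventory against a 90-day rotation policy as of 2024-06-01."""
    return audit(INVENTORY, rotation_days=90, today=date(2024, 6, 1))

if __name__ == "__main__":
    for name, finding in run_example():
        print(f"{name}: {finding}")
```

The inventory and its rotation dates come from the commissioning records, so the check needs no credentials and no network access to the client’s devices.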
Leaving wide-open security holes on a client’s network can lead to disaster legally, financially and reputationally. It cannot happen. I was lucky that my infant-gate security hole was met only with a monkey-like toddler playing on the gate. It could have been a lot worse. Please make sure to change those default passwords. And, in consultation with your client’s IT department, come up with a process to manage and access those credentials safely and securely. There is simply no other option in today’s network-security-focused corporate world.