Digital Signage security is a young topic. At the beginning of the 2000s, there were very few network installations. In addition, larger budgets were necessary for the implementation. In the meantime, digital signage is affordable for small and medium-sized companies. We can select from hundreds of different providers and hardware prices are falling continuously. Digital signage networks have been growing for years. We can now outsource to clouds or SaaS solutions.
Disregarding Digital Signage Security
Decision-makers often forget that digital signage is “only” a networked IT system. In a digital network, we have to face special dangers and attack vectors. In recent years, I have often watched experienced project managers and even programmers put convenience before security. Each time it required lengthy discussions and dramatic examples.
Special Digital Signage Attack Vectors
Our networks offer visual sabotage scenarios in addition to standard attack vectors such as botnets, man-in-the-middle, cross-site scripting, denial-of-service attacks, etc.
Unwanted program changes
At the Union Station in Washington D.C., for example, creative changes were made to the program.
Munich now has a well-known “porn pharmacy”. Incidentally, the hack succeeded because a monitor displayed the TeamViewer access data used for remote maintenance. Fortunately, the operator was smart enough to turn the situation into a successful self-mocking PR campaign (in German).
From a distance, we can probably smile at these two examples. However, nobody wants to be in the shoes of the responsible service provider or project manager.
In the end, this is only the tip of the iceberg, because hardcore porn shown in public quickly attracts attention. That is why the feedback and the remedy (shutting the display down) happened promptly. Far more threatening are subtle program changes that are not obvious.
For example: wrong information on timetables, fake news, or QR codes in a boutique’s shop window that link to a competitor’s shop.
Attack vectors of the “future”
Future digital signage systems will include cameras that can capture people, recognize them and evaluate their reactions. Surveillance and the theft of trade secrets will become possible without any physical intrusion. Today we cannot even predict many of the ways these technologies will be exploited illegally in the future.
But let us turn now to the promised countermeasures.
1. Use SSL Encryption
Access your content management system, and in general everything that involves personal credentials (e.g. email), only via SSL encryption (HTTPS, SMTPS, IMAPS, etc.).
This is the most effective protection against so-called “man-in-the-middle attacks”. A MITM is quickly explained. Imagine you are on a business trip and want to check the playlist of a new campaign, so you connect to a public WLAN. Whoever controls the access node (router) is the “man in the middle” and can read your network traffic. The sneaky part is that anyone can offer a WLAN access point from their smartphone and name it, for example, “Central Station Free Internet”. While you connect to that network in good faith, the attacker records all your traffic. If you communicate with your CMS unencrypted, i.e. without SSL/HTTPS, you send your usernames and passwords in plain text. The attacker then searches his “recording” and obtains your access data. This is no longer necessary!
Free SSL Certificates
Let’s Encrypt has been offering certificates free of charge for about two years. You can install them without email verification, and renewals are automated. There is therefore no reason to offer password-protected services without encryption. This increases your digital signage security, and security-conscious users will appreciate it, too.
2. Secure Passwords
Secure passwords have a minimum of 8 characters and contain at least one number, upper- and lower-case letters, and a special character.
A secure password helps against so-called “brute force attacks”, in which software automatically tries passwords one after another. Powerful computers can test approximately 1,000,000 passwords per second. An access code with 5 characters can possibly be cracked within an hour.
Crackers (malicious hackers) also use dictionaries. This lets them find names of pets and partners, and word combinations such as Darling91, with little effort. So don’t use words that can be found in a dictionary; this also applies to foreign languages. Therefore, secure your network-capable media players, your CMS accounts and everything else connected with your digital signage project with strong passwords.
How to obtain Secure Passwords?
There is a proven way to create complex passwords and still memorize them: form a sentence and take the first letter of each word. For example, “Pulp Fiction by Quentin Tarantino from 1994 is one of my favorite movies” becomes “PFbQTf1994ioomfm!”. We get a 17-character password that Tarantino fans will find easy to remember.
Another example: from “On my 12th birthday I got my first Dungeon & Dragon board game” we create the 14-character password “Om12bIgmfD&Dbg”. Experiment a little. I’m sure you will find many variations that you memorize quickly.
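To make the password rules of this section concrete, here is an added Python example (not the author’s code): it derives the two sample passwords above with the first-letter rule, checks them against the policy stated here, and estimates the brute-force time at the 1,000,000 guesses per second quoted above. The function names and the tiny word list are constructed for illustration.

```python
import re
import string

# Hypothetical names (not from the article); the rules and the guess rate
# are the article's. The word list is a constructed stand-in for a cracker's.
GUESSES_PER_SECOND = 1_000_000
DICTIONARY = {"darling", "password", "summer", "pulp", "fiction", "dragon"}


def passphrase_acronym(sentence: str, suffix: str = "") -> str:
    """First letter of each word; numbers and lone symbols stay whole."""
    parts = []
    for word in sentence.split():
        digits = re.match(r"\d+", word)
        if digits:                   # "1994" -> "1994", "12th" -> "12"
            parts.append(digits.group())
        elif word[0].isalnum():      # "Pulp" -> "P"
            parts.append(word[0])
        else:                        # "&" stays "&"
            parts.append(word)
    return "".join(parts) + suffix


def policy_violations(password: str) -> list:
    """Return the rules from this section that the password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # A dictionary word padded with digits, e.g. "Darling91", is still weak.
    if re.sub(r"\d", "", password).lower() in DICTIONARY:
        problems.append("dictionary word")
    return problems


def brute_force_hours(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to exhaust the keyspace of the classes actually used."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(c in string.punctuation for c in password): alphabet += len(string.punctuation)
    return alphabet ** len(password) / rate / 3600
```

A 5-character code built from letters and digits exhausts in about a minute at this rate, while the 14-character example above takes longer than any realistic attack window.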
Some security experts recommend changing access codes every 3-6 months. I’m not a fan of too-frequent password changes. It creates new risks and does not significantly increase digital signage security. When we force users to change their passwords frequently, they tend to write them on a piece of paper or reuse them for multiple services. Furthermore, the newly chosen access code is likely to be very similar to the previous one.
I consider a change once a year to be sufficient for critical systems. But make sure you set a new password as soon as you suspect a system corruption.
Last but not least, here is a Top 25 chart of the worst passwords since 2011. Use these as throw-away passwords for accounts that are not worth a real password, for example at companies like Adobe that force a registration on you although you only want to download an information brochure. Keep your head clear for the really important codes!
Good passwords are a key factor in significantly enhancing the digital signage security of your network.
3. Be Mistrustful!
A large share of computer intrusions can be traced back to so-called “social engineering”, in which an attacker exploits human characteristics and weaknesses to achieve his goal. For example, someone pretends to be an administrator who needs to fix an urgent problem and asks for your access data. This video impressively demonstrates another social engineering technique.
The woman not only obtains the victim’s email address from the mobile phone provider but also resets his password, locking him out of his own account. To do so, she uses a technique called spoofing to contact support from the victim’s faked phone number. The rest is done by her helpless, panic-stricken act and the penetrating screams of a baby from a YouTube video.
In principle, be suspicious when it comes to data. Do not share your credentials under any circumstances. Do not allow yourself to be put under pressure. Create separate accounts for your employees, even if it seems more complicated at first. A healthy level of paranoia is appropriate for networked systems and good for your digital signage security.
4. Knowledge and Education
One of your best weapons for digital signage security is knowledge and education. Therefore, train your employees and customers. Communicate points 1-3 urgently to all system users. Be prepared to meet resistance at point 2 if necessary. Do not make any compromises here, especially not if you bear the responsibility. Cite drastic examples of companies that made complete fools of themselves through embarrassing shortcomings. In 2011, hackers stole millions of customer records from sonypictures.com. They discovered that Sony had not encrypted many passwords but stored them in plain text. A password analysis found that only 1% of the passwords contained special characters, and that 9 out of 10 users also used the same passwords for other services. This was also true of many Sony employees.
In April 2018, T-Mobile.at “shone” with security gaps and plain-text passwords.
As a rule, corporate groups can absorb the loss of image and any subsequent claims for damages. Small and medium-sized companies may be ruined as a result.
5. Updates, Updates, Updates!
In a previous article, I described the update problem when buying network-compatible media players. Of course, this applies analogously to all software components of your network. Subscribe to maintenance contracts and get detailed information about the update cycles if you buy media players, license a CMS or use a SaaS or cloud solution.
If you offer programming services, always include maintenance costs and quality assurance. Developing a working application is relatively simple; 50-80% of the costs over the entire lifecycle of a software product lie in maintenance and troubleshooting. For SaaS solutions, continuous development is obligatory as well, which extends the lifecycle and thus raises costs significantly again.
Many companies and projects have failed because they ignored these rules. That is why I consistently turn down customers, for example, if they do not want to sign a maintenance contract. Be aware that, in theory, anyone in the world can attack software exposed to the Internet. Without a maintenance contract with regular updates, you are working with a ticking time bomb.
6. Backups
Create regular backups of your data and check their consistency from time to time. Even if your service provider takes care of this in a SaaS solution, back up your media yourself. You may ask: why, and what do backups have to do with digital signage security?
Beyond recovery from a system failure, the issue here is protection against so-called ransomware, or blackmail Trojans. These are malware programs that encrypt data and thus block access to it. The blackmailers then demand a ransom for the decryption. A good backup strategy protects you from this. However, since the encryption may be carried out over a longer period of time, it can happen that even the backups are affected. Therefore, store your backups separately from the system and check the data regularly.
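One way to “check the data regularly”, as an added Python example that is not the author’s code: record SHA-256 hashes of the media when the backup is known to be good, then re-verify on a schedule so that a file silently replaced by ciphertext, or deleted, is noticed before the last good copy is rotated out. The function names and the files created in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large videos do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file under `root` (relative, '/' separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_backup(root: str, trusted: dict) -> dict:
    """Compare the current tree with a trusted manifest taken earlier."""
    current = build_manifest(root)
    changed = sorted(p for p in trusted if p in current and current[p] != trusted[p])
    missing = sorted(p for p in trusted if p not in current)
    return {"changed": changed, "missing": missing}


def demo() -> dict:
    """Constructed scenario: one media file is overwritten with random bytes
    (as an encrypting Trojan would) and the playlist disappears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media"))
        for name in ("media/campaign.mp4", "media/logo.png", "playlist.json"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original content of " + name.encode())
        trusted = build_manifest(root)            # taken while the backup was good
        with open(os.path.join(root, "media/campaign.mp4"), "wb") as f:
            f.write(os.urandom(64))               # silently "encrypted" in place
        os.remove(os.path.join(root, "playlist.json"))
        return verify_backup(root, trusted)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest on the separate backup medium, not on the signage server, so that the same Trojan cannot rewrite it.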
7. Monitoring
Monitor your system. There is free software for this, such as Cacti, Nagios, or its fork Icinga. These tools automate the monitoring and raise an alarm at defined thresholds. For example, you can arrange to receive an email or SMS as soon as a server hard disk in the RAID fails, the system exceeds a certain load for too long, generates excessive traffic, etc. Furthermore, it does not hurt to check the log files regularly for suspicious entries, for example successful connections from unknown sources.
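The log check described above, as an added Python example that is not the author’s code: it scans sshd-style log lines for successful logins whose source address lies outside the networks you expect administrators to come from, ignoring the noisy failures. The allowlist, host and log lines are constructed samples, not real data.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical allowlist: networks from which admin logins are expected
# (e.g. office LAN and a management subnet). Adjust for your own network.
KNOWN_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed sample lines in the usual OpenSSH syslog format (not real logs).
SAMPLE_LOG = """\
Apr  3 08:12:01 player-07 sshd[812]: Accepted password for signage from 192.168.1.20 port 51522 ssh2
Apr  3 08:15:44 player-07 sshd[830]: Failed password for root from 203.0.113.9 port 40111 ssh2
Apr  3 09:02:17 player-07 sshd[901]: Accepted publickey for admin from 10.1.4.7 port 44002 ssh2
Apr  3 23:41:05 player-07 sshd[977]: Accepted password for signage from 198.51.100.77 port 39012 ssh2
"""

ACCEPTED = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def suspicious_logins(log_text: str, known=KNOWN_SOURCES) -> list:
    """Return (user, ip, method) for each successful login from an unknown network."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue              # failed attempts are noise here; successes matter
        ip = ip_address(m["ip"])
        if not any(ip in net for net in known):
            hits.append((m["user"], str(ip), m["method"]))
    return hits


if __name__ == "__main__":
    for user, ip, method in suspicious_logins(SAMPLE_LOG):
        print(f"ALERT: '{user}' logged in via {method} from unknown source {ip}")
```

Run it from cron against the previous day’s log and route the output to the same email or SMS channel your monitoring already uses.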
The Conclusion to Digital Signage Security
One hundred percent security is an illusion, but that is no reason to fall into panicky paranoia. If you heed these tips, you are laying the groundwork for solid digital signage security. The basic approach is:
The more difficult it is for a potential attacker, the more likely he will focus on less complex targets!
I hope this text is useful for you. If you have any questions or comments, please feel free to contact me.