Decision makers sometimes forget that digital signage is "just" a networked IT system. In a client/server system, we have to face special dangers and attack vectors. In recent years, I have often seen even experienced project managers put convenience before security. Each time, it required lengthy explanations and dramatic examples.
Digital signage security is a relatively young topic. In the early 2000s, there were hardly any network installations. In addition, larger budgets were necessary for implementation. Meanwhile, digital signage is affordable for small and medium-sized businesses. We can choose from hundreds of different vendors and hardware prices are continuously dropping. Digital signage networks have been growing for years and we now often outsource to SaaS solutions.
Digital signage networks offer an additional visual sabotage scenario to the standard attack vectors, such as botnet membership, man-in-the-middle espionage, cross-site scripting, denial-of-service attacks, and so on. This consists in unwanted program modifications.
At the Union Station in Washington D.C., for example,
creative changes
were made to the program.
Munich now has a well-known
https://www.thelocal.de/20160930/munich-pharmacys-nighttime-porno-show-draws-crowd/
“porn pharmacy”.
By the way, the hack was successful because a monitor displayed the Teamviewer access data for remote maintenance. Fortunately, the operator was smart
enough to turn the situation into a successful self-mockery PR campaign.
(In the German Language)
We can probably smile at these two examples in a distanced manner. However, no one wants to be in the shoes of the responsible service provider or project manager.
Ultimately, this is the tip of the iceberg, because hardcore porn performed in public quickly attracts attention. That's why the feedback and problem-solving (shutdown) was prompt. More subtle program changes that don't obviously catch the eye are far more threatening.
I consider false information on timetables, fake news or QR codes in the window of a boutique that link to the competitor's store as far more dangerous. They often go unnoticed by the owners, but damage the image in the long term.
Future digital signage systems will include cameras that are able to capture people, recognize them and evaluate their reactions. A hacker uses these cameras to spy on business secrets without physically breaking in or for observation. We cannot even foresee today many possibilities to exploit technologies in the future in an illegal way. Ransomware was also unknown 20 years ago.
But let us turn now to the promised countermeasures to improve your Digital Signage.
Access your content management system and everything that has to do with personal access in general, e.g. email only via SSL encryption (Https, Smtps, Imaps etc.).
This is the most effective protection against the so-called “man-in-the-middle attacks”. A MITM is quickly explained. Imagine you are on a business trip and want to check the playlist of a new campaign. This is why you are accessing a public WLAN. Whoever controls the access node (router) is the “man in the middle” and can read your network traffic.
The sneaky thing is that everyone can offer a WLAN access node on their smartphone and call it e.g. ” Central Station Free Internet “. While you accidentally connect to the network in good faith, the attacker records all your network traffic. Communicate with your CMS unencrypted, i.e. without SSL/Https, you send your usernames and passwords in plain text. The attacker searches his “recording” and gets your access data. That is not necessary anymore!
Let‘s Encrypt offers certificates for free since about two years. You can install them without email verification. The certificate updates are done automatically. There is, therefore, no reason to offer password-dependent services without encryption. This increases your digital signage security and security-conscious users will be pleased, too.
Secure passwords have a minimum of 8 digits and contain at least one number, upper and lower case letters and a special character.
A secure password helps against so-called “brute force attacks”. This technique describes attacks in which a software automatically tries through passwords. Powerful computers are capable of testing approximately 1,000,000 passwords per second. An access code with 5 characters can possibly be cracked within an hour.
Crackers (malicious hackers) also use dictionaries. This allows you to find out the names of pets, companions and word combinations such as Darling91 etc. with little effort. So don’t use words that could be found in a dictionary. This also applies to foreign languages. Therefore secure your network-capable media players, your CMS accesses and whatever has to do with your digital signage project with secure passwords.
There is a proven way to create complex passwords and memorize them. Form a sentence and take the first letters of it. For example, “Pulp Fiction by Quentin Tarantino from 1994 is one of my favorite movies” becomes “PFbQTf1994ioomfm!”. We receive a 17-digit password, which is indisputably easy to remember for Tarantino fans.
Here another example: From “On my 12th birthday I got my first Dungeon & Dragon board game” we create a 14-digit password named “Om12bIgmfD&Dbg”. Try a little experimentation. I’m sure you’ll find many variations that you’ll memorize pretty fast.
Some security experts recommend changing access codes every 3-6 months. I’m not a fan of too frequent password changes. This creates new risks and does not significantly increase digital signage security. When we force users to change their passwords frequently, they tend to write them on a piece of paper or use them for multiple services. Furthermore, it is probable that the newly selected access code is much similar to the previous one.
I consider a change once a year to be sufficient for critical systems. But make sure you set a new password as soon as you suspect a system corruption.
Last but not least, we have here aTop 25 Chartliste list of the worst passwords since 2011. Use these as throw-away passwords for accesses that are not worth a real keyword. For example, for companies like Adobe, which force a compulsory registration on you, although you only want to download an information brochure. Keep your head clear for the really important codes!
Good passwords are a key factor in significantly enhancing the digital signage security of your network.
A large part of the computer intrusions can be traced back to so-called “social engineering”. With Social Engineering, an attacker utilizes human characteristics and weaknesses to achieve his goal. For example, if someone pretends to be an administrator who wants to fix an urgent problem and asks for your access data. This video impressively demonstrates another social engineering technique.
The woman not only receives the victim’s email from the mobile phone provider but also resets his password. She locks her sacrifice out of his account. For this purpose, she uses a technique called spoofing to contact support with the victim’s fake phone number. The rest is done by her helplessly panic-stricken appearance and a penetratingly screaming baby from a Youtube video.
In principle, be suspicious when it comes to data. Do not share your accesses under any circumstances. Do not allow yourself to be put under pressure. Create extra accounts for your employees, even if it seems more complicated at first. A healthy level of paranoia is appropriate for network systems and good for your digital signage security.
One of your best weapons for Digital Signage security is knowledge and education. Therefore, train your employees and customers.
Communicate points 1-3 urgently to all system users. Be prepared to meet resistance at point 2 if necessary. Do not make any compromises at this point. SBe aware of one thing:
At the end of the day you are responsible!
Bring drastic examples of companies that make a total fool of themselves by embarrassing shortcomings. In 2011, hackers at sonypictures.com stole millions of customer records. They discovered that Sony did not encrypt many passwords, but stored them in plain text. A password analysis found that only 1% of passwords contained special characters, and 9 out of 10 users also used the passwords in other services. This was also true for many Sony employees.
In April 2018, T-Mobile.at ” shined” with security gaps and Klartextkennwörtern
As a rule, corporate groups can absorb the loss of image and any subsequent claims for damages. Small and medium-sized companies may be ruined as a result.
The article Digital Signage with Linux described the update problem when buying network-compatible media players. . Of course, this applies analogously to all software components of your network. Subscribe to maintenance contracts and get detailed information about the update cycles if you buy media players, license a CMS or use a SaaS or cloud solution.
If you offer programming services, always include maintenance costs and quality assurance. Developing a working application is relatively simple. The 50 – 80% of the costs during the entire lifecycle of a software product lies in maintenance and troubleshooting. In the case of SaaS solutions, a continuous development is also obligatory. This increases the lifecycle and thus significantly raises costs again.
Many companies and projects failed because they ignored these rules. That’s why I consistently reject customers, for example, if they don’t want to sign a maintenance contract. Become aware that theoretically anyone in the world can attack Internet software. Without a maintenance contract with regular updates, you are working with a ticking bomb.
No one wants to see porn or false information on his digital advertising space.
Create regular backups of your data and check their consistency from time to time. Even if your service provider takes care of that with a SaaS solution, back up your media yourself. Perhaps you will ask: Why and what do backups have to do with Digital Signage security?
In addition to a system failure, the issue here is protection against so-called ransomware or blackmail Trojans. These are malware programs that encrypt data and thus prevent access to it. The blackmailers then demand a ransom for the decryption. A good backup strategy protects you from this. However, since the encryption may take place over a longer period of time, it can happen that even the backups are affected. Therefore, store your backup separately from the system and check the data regularly.
Monitor your system. There is free software for this, such as Cacti, Nagios, or its fork Icinga. These tools automate the monitoring and alarm at defined values. For example, you can set that you receive an email or SMS as soon as a server hard disk fails in the raid, the system exceeds a certain load for too long, generates excessive traffic, etc. Furthermore, it does not harm to check the log files regularly for suspicious entries. For example, for successful connections from unknown sources.
It is incredibly embarrassing when the prestigious Video Wall suddenly displays a defacement or porn.
One hundred percent security is an illusion, but that’s no reason to fall into a panicky paranoia. If you heed the tips, you are laying the groundwork for solid Digital Signage security. The basic approach is:
The more difficult it is for a potential attacker, the more likely he will focus on less complex targets!
I hope this text is useful for you. If you have any questions or comments, please feel free to contact me.
Germany
☎ +49 (0) 511 - 96 499 560
Local court Hanover
HRB 221981
VAT-Id: DE 281 780 194