Chroma Systems — Audio Visual Consultants Vancouver

View Original

Is It Hard To Hack An AV System? (2023 Update)

Updated August 1, 2023 | Reviewed by Sam Scott

In 2016, IT security expert Mikko Hypponen discovered that he could find and take control of insecure industrial control devices with a simple web search.

Our principal consultant, Sam Scott, proved the same was true for AV systems. Using the Shodan search engine, he found multiple Internet-connected devices that could be accessed and controlled via telnet. From teleconferencing systems to lighting controllers and even digital thermostats, there was no shortage of residential and commercial AV systems that could be quickly and easily compromised.

It’s been seven years since then, and audiovisual technology has fundamentally changed how we work and how we learn. So, what is the state of AV system security today?

With more than 16.7 billion connected devices worldwide, security remains a challenge. Many of these devices are left unprotected, putting both individuals and businesses at risk. But it's not all bad news: leading AV manufacturers like Crestron Electronics have made great strides in patching vulnerabilities and improving device security.’

In this piece, we'll unpack the basics of an AV system attack, provide some current examples of commercial and consumer system security, and offer actionable tips to protect AV devices no matter how or where they connect.

The Anatomy Of An AV Hack

So how do AV hacks happen? As evidenced by Scott's work in 2016, they're often as easy as 1-2-3.

1) Search the Web for Devices and Systems

First, attackers can use a search engine like Shodan to discover AV devices that are connected to the Internet.

2) Filter These Devices by Port

Next, hackers filter these devices by port. For example, port 23 is commonly used for remote telnet connections.

3) Connect via Telnet

Finally, malicious actors attempt to connect via telnet and open a command prompt. If successful, this provides full access to the device in question.

This is the reality for many connected devices and systems. If attackers can connect to unsecured AV technologies, they may gain full access to whatever functions are controlled by that device and those that share the device’s network. 

When this happens, it can lead to a range of consequences. Unauthorized parties could gain control over your lights and sound systems, which can be quite unsettling! If they access a microphone or camera, your privacy becomes jeopardized. Further, sophisticated attackers, once settled into a corporate AV network, can find ways to move laterally across networks and gain access to sensitive information.

Disclaimer: Hacking is illegal! Don't do it.

AV Hack Attacks: Touch And Go

Consider an example from 2018, when offensive security researcher Ricky Lawshae discovered that touchscreens made by AV device manufacturer Crestron Electronics could be hacked, making it possible for attackers to spy on meetings or infiltrate hotel rooms.

Crestron devices are used by companies, airports, stadiums, and local governments worldwide — though the affected touchscreen devices are largely peripheral. They are designed to support other systems and improve the user experience via a custom control interface.

In 2018, while Crestron devices did have authentication and other security measures in place, many had these features turned off by default. This meant that unless an IT team or AV integrator sought out these settings and enabled them, they were prone to unauthorized access.

Crestron quickly issued a firmware update to resolve this vulnerability, but the onus still fell on proactive users or technicians to apply the update. Commercial AV devices don’t receive automatic updates like phones. This is because version control is very important to inter-device compatibility; an unmonitored update could cause some components of your AV system to stop communicating with others.

And so, the larger issue remains: many AV devices are seen as peripheral systems. They are not front-and-center, they don’t always receive an appropriate degree of cybersecurity scrutiny, and they present a significant threat to overall network security as potential entry points for malicious actors.

Wall-mounted control touchpanels are peripheral devices that may present unsecured entry points to those seeking AV network access.

Current Security Challenges In The Commercial AV Space

The rapid uptake of cloud, mobile, and IoT technologies has its benefits, including increased flexibility for the workforce, lower barriers to IT initiatives, overall scalability, and numerous cost efficiencies.

But there are also drawbacks to the profoundly interconnected world we now find ourselves in. From a cybersecurity standpoint, device visibility is a growing challenge. The sheer number of connected AV devices on corporate networks creates a massive attack surface for hackers to probe for vulnerabilities.

Internet-facing webcams and microphones are ripe for potential compromise. When it comes to webcams, studies have found that the vast majority of these devices are not behind firewalls or virtual private networks (VPNs). If the devices themselves do not contain security controls — or if those controls are inactive — attackers can gain visibility into meetings or private conversations, collecting data that can be used to compromise corporate networks.

Meanwhile, mobile device applications rank as some of the most common targets for compromise. This is because each app added to a device also adds a potential back door for attackers. And while there are mechanisms in place to let users know when cameras or microphones are active, sophisticated attackers may find their way in through insecure applications where they can hear or record conversations. External webcams with built-in microphones are particularly susceptible. While many have indicators that will light when the camera is in use, that functionality does not always extend to the mic.

Taken together with the benefits of distributed AV technology, these vulnerabilities create a potential paradox for businesses. Organizations must consider their risk appetite and take steps to reduce exposure to security threats as they integrate new systems and policies.


Are you seeking to enhance your organization’s hybrid work capabilities but are unsure about the risks? We can help. Contact us today to book a call with a commercial AV expert.

AV Security Issues Outside The Commercial Space

Of course, AV device security doesn’t just pertain to commercial systems.

In 2019, the FBI issued a warning about smart TVs, noting that manufacturers and developers had the ability to watch and listen to users. And in 2020, hundreds of home security system users discovered that a former installation technician had been watching them in their homes.

But while the idea of hackers watching and listening to us through our devices is unsettling, cybersecurity and IT experts such as Toby Lewis and Burton Kelso suggest this sort of audiovisual device hacking is on the decline. The far more desirable and likely target for cybercriminals is our personal and otherwise sensitive information — and compromised smart device apps can provide access to treasure troves of such data.

Other recent targets include in-vehicle infotainment (IVI) and emergency alert systems. In 2021, hackers claim to have compromised the Hyundai Ionic IVI system, enabling it to run custom applications. Hyundai went back to the drawing board and updated its IVI. Then, while the new version offered more protection than its predecessor, hackers allegedly discovered the decryption keys for encrypted ZIP files that were stored in older firmware. Further, the IVI’s code update functions didn't always verify signatures, allowing attackers to install unsigned code.

Meanwhile, in Britain, reports emerged that the country's emergency alert system could be hacked using less than $1,500 worth of equipment and a simple video tutorial. By using a low-cost laptop and transmitter, attackers discovered it was possible to access the system and send fake alerts to devices within a one-kilometre radius. Although not enough to cause a country-wide emergency, this type of attack could cause disruption in crowded areas such as train stations or shopping malls, leading to potential panic and injury.

Five Tips To Improve AV System Security

It is often said that cybersecurity is a cat-and-mouse game: an ongoing struggle between attackers and defenders with an escalating chase and evasion dynamic. AV technology manufacturers are making improvements to their device security all the time, but the continual evolution of technology and user behaviours — as well as the tools and general sophistication of attackers — leads us to suggest you should not assume your devices and systems will ever be 100% secure.

In light of this reality, here are five steps you can take to protect yourself or your organization from unauthorized access via your AV technology:

1) Update device firmware

Keep your AV device firmware up to date. Firmware vulnerabilities can provide access paths for attackers, such as in the case of the Crestron touchpanels, and manufacturers regularly release updates to address these problems. For distributed systems, it’s best to contact your AV systems integrator to perform the update so they can ensure compatibility between devices is not affected.

2) Change default settings

Many managed devices arrive out of the box with security settings that are easily bypassed. These settings may include basic login credentials such as "admin" and "password" — or some may require no password at all. Ensure that these settings and credentials are configured appropriately upon installation.

3) Layer on protection

In 2023, a simple password is not enough. It's worth adding security solutions such as two-factor authentication and firewalls that cover all devices on your network. Additional layers mean extra work for attackers who may be scanning for low-hanging fruit.

4) Isolate devices and systems

Wherever possible, isolate AV devices and systems from other parts of your network. Using techniques such as virtualization, it's possible to effectively render specific systems invisible to one another, meaning attackers can't make the jump from AV tools to critical data storage.

5) Educate users

Most cyberattacks are successful not because of technical vulnerabilities, but human error. So, it’s worth raising your users’ cybersecurity awareness and educating them on the common signs of risk and compromise.

For AV devices, this might include video conferencing tools that open without warning, camera and microphone indicators that stay illuminated, or curious new processes running on their computers. Smart TVs may turn on unexpectedly, while home security systems may report alerts even when no threats are evident.

While AV device security has advanced significantly in 7 years, the constant evolution of technology, user behaviours, and attacker sophistication will prevent these systems from ever being 100% secure. 

So what can you do about it? Make AV attacks harder for hackers. By following a few general steps such as performing regular updates and changing default settings — or by enlisting an AV or IT specialist to follow them for you — it's possible to significantly reduce the risk of unauthorized access. Even if your systems are never 100% secure, you will be in a much better place when the challenges outweigh the benefits for attackers considering you or your organization as a target.

Or, if you’d like to procure a professionally-specified system that requires security control verification before delivery, contact us today.