Security in a Wiretapped World
It sounds like a far-fetched plot from a Tom Clancy novel: A hacker reconstructs confidential data by eavesdropping on the electrical signals emanating from a video display. Meanwhile, his partner taps into even more top-secret information via the building’s electrical infrastructure.
It sounds like a far-fetched plot from a Tom Clancy novel: A hacker reconstructs confidential data by eavesdropping on the electrical signals emanating from a video display. Meanwhile, his partner taps into even more top-secret information via the building’s electrical infrastructure.
But it’s not. These are real-life threats, and understanding them is important for integrators selling into a wide variety of markets — from government to financial services to the pharmaceutical industry. But that’s not all. Evaluating security risks and devising solutions is important for another reason: It’s a value-added service that integrators can use to differentiate themselves and justify a price premium. Security also can be used to make a case for professional products when a client argues that consumer products work just as well at a fraction of the cost.
“It’s an extra level of service provided by an educated and advanced AV integrator that can’t be matched by taking multiple vendors: AV installation, then IT security, then network deployment,” says Jim Smith, CTS, CVE, consulting systems engineer for AV channels at Pleasanton, Calif.–based Polycom. “The disparate entities may not understand the subtleties of the inclusive environment, whereas the knowledgeable AV integrator will understand all the intricacies inherent in that AV-IT environment.”
FALSE SENSE OF SECURITY
Although wired connections tend to be more secure than wireless ones, that security isn’t ironclad. For example, although shielding is supposed to prevent copper cables from acting as antennas, in many cases, signals can still leak out, effectively broadcasting the information flowing over the cable and thus making life easier for eavesdroppers and hackers.
“Copper wiring, whether it be shielded or unshielded — particularly the unshielded Cat-5 type —has a tremendous amount of radiation,” says John Lopinto, president and CEO of Hauppauge, N.Y.–based Communications Specialties. “Those things are giant antennas.”
The obvious solution is to use fiber-optic cable because the beams of light don’t leak out. That’s why many government guidelines — such as the National Security Agency’s (NSA) TEMPEST —require fiber for secure applications. For example, if there’s a switch in one room and a projector in another, the connection between the two rooms must be over fiber.
This brings up another caveat about wired connections: Even though fiber doesn’t radiate signals the way copper does, it doesn’t mean it’s impossible to eavesdrop on a fiber link. “It’s very easy physically [and] mechanically to tap into a fiber,” Lopinto says. “Once you’ve tapped in, converting the light back to electrical [signals] and garnering some useful information out of that is pretty straightforward.”
There are two main options for securing fiber links. The first is to limit access to them, such as not routing them through a drop ceiling in a bathroom, where a hacker could use an out-of-order sign to buy enough time to tap in. But limiting access becomes more difficult if the fiber runs through public areas not controlled by the enterprise, such as other parts of a building or under the street.
The second option is to constantly monitor the optical signals. If someone taps into the line, the tap itself can create reflections that get flagged by equipment — such as a fiber-optic power meter — used to pinpoint the location of a fiber break.
But even that might not be enough. If the tap is installed very close to where the cable ends, such as on the other side of the wall from a display, the reflections might appear to be coming from roughly where they’re supposed to. As a result, some security experts recommend running the fiber through conduit, which generally isn’t required by code because fiber doesn’t radiate electrical interference, nor is it susceptible to it. However, the conduit creates another physical barrier that the eavesdropper literally has to hack through (possibly making noise in the process), thus creating another mechanism that can be monitored and alarmed.
“We run a separate security cable that shows if the shell conduit has been compromised in any way,” says Gary Hall, CTS-D, CTS-I, a consultant specializing in AV security.
UNSAFE AT ANY SPEED?
Wireless has developed a reputation, particularly among enterprise IT managers and government agencies, as unsecure to the point that it should be avoided at all costs. Whether that’s true or not depends partly on the application and partly on whom you’re talking to.
“A lot of times, you’ll hear government folks say, ‘No wireless anywhere, ever,’” Hall says. “But there are actually a few things out there that have been approved by the NSA and are actively being used.”
Firewall traversal is a security issue that must be addressed to allow effective videoconferencing. Tandberg’s Expressway solution has a tunnel element for control of information and a relay element for forwarding media without the overhead of true tunneling. Video communications pass through Expressway, leaving other traffic to take its usual route.
Microphones, one of the oldest, most widely used wireless pro AV products, are arguably one of the most secure, having resolved earlier drawbacks, such as people in adjacent buildings picking up a board meeting instead of a radio station. Today, there’s a wide selection of encrypted digital mics.
“The chances of someone being able to snoop there are very, very low,” says Ira Weinstein, senior analyst and partner at Duxbury, Mass.–based Wainhouse Research, a research and consulting firm.
Another common technology is 802.11 Wi-Fi, which has its share of horror stories. Although designed for a range of only a few hundred feet, some hackers have eavesdropped on connections up to 125 miles away. This is obviously an extreme example, but it highlights the relative ease of eavesdropping on a confidential PowerPoint presentation, for example, from the hall outside of a conference room or parking lot.
Wi-Fi can be encrypted using standards like the latest version of Wi-Fi Protected Access, WPA2, also known as 802.11i. Although WPA2 is highly secure, some enterprises still resist using it, creating challenges for integrators that see Wi-Fi as a viable option for some applications.
“The biggest security issue we fight is using Wi-Fi,” says Darren Cheshier, CTS-D, an engineer at Conference Technologies, a St. Louis–based integrator. “Corporations and the government are not receptive to have a wireless access point hanging on their network. Yet a lot of manufacturers are heading down this road with their product lines. We have to work very closely with the IT departments to make sure their fears are addressed, and some will just not allow it no matter how much they want wireless technology.”
Another wireless risk not widely recognized is cell phones. Their built-in cameras — still and video — can be used to capture presentations, while the speakerphone can be used to eavesdrop on a meeting. Many handsets designed for the business market also support 2 GB or more of removable flash memory, enough to record several hours’ worth of presentation audio or more than an hour of presentation video.
One solution to combat the cell phone threat is to collect them at the door of confidential meetings, with the equivalent of coat-check receipts handed out. The drawback? Without pat-downs and bag searches, security depends on attendees’ cooperation.
Another option is to use remote handset management products. Available from wireless carriers and vendors, such as Motorola, these products include a software client that’s installed on the handsets. A company’s IT department then can remotely disable features such as speakerphones and cameras. (Some of these remote security products can be installed on laptops to address threats such as using Wi-Fi to hack into a laptop or to the corporate LAN to which it’s connected.) Although these products are becoming more widely used among medium and large enterprises, they’re still the exception rather than the rule. Leveraging them for AV security often isn’t an option.
Another drawback is that remote handset products work only with company-issued cell phones. To thwart remote eavesdropping via speakerphones on any cell phone, company-owned or not, an extreme option is to enshroud the venue in a Faraday cage, which blocks signals from leaving the room. Faraday cages are created with metal mesh, but new products — such as Southern Pines, N.C.–based EM-SEC Technologies’ Coating — can be painted onto walls to achieve the same effect. “We’ve been looking into some of those and testing them out,” Hall says.
It’s worth noting that some wired technologies can act wireless. Case in point: A cable can emit enough electrical energy that it acts as an antenna, transmitting the audio and video traveling through it. This well-known phenomenon is mitigated with extra shielding. What’s less well known is that the energy also can be picked up by nearby electrical lines, which then re-radiates the information even farther.
“Or you can tap into that electrical infrastructure knowing that somewhere down the line, the electrical wiring will get close to the AV wiring,” says Lopinto. “Then [the electrical wiring] becomes a big receiving antenna.”
CACHE AND CARRY
It is also important to be aware when using AV products that have large caches. One analogy is fax machines and copiers, which often have labels warning employees not to use them for sensitive information because their caches store images that could be accessed later by someone else.
“A lot of people don’t think about that aspect,” Hall says. “If you have a projector with the ability to cache frame grabs, those types of features can’t be used in secure settings at all. When we buy projectors that have those abilities, we’ve gone so far as to have that disabled.”
The AV integrator’s control over both a venue and its equipment is the biggest factor in its ability to provide a secure AV environment. The ideal situation is to be involved at the construction or remodeling stage, when it’s easier to address AV security. For example, the executive boardroom should be located in the center of the building, where the lack of windows makes it difficult for someone outside to pick up a Wi-Fi signal or wireless mic or to use a camera to capture a presentation as it is displayed.
Executives would likely balk at spending hours in a room without a view, so the next option is to move the boardroom away from public spaces. Another alternative, one that’s relatively low cost and a good fit for existing spaces, is to install blackout curtains to thwart binoculars and cameras.
OUT OF CONTROL
Control also is an issue if an AV application, such as a videoconference, runs over an enterprise’s local area network or a service provider’s wide area network. These situations highlight the value of understanding IT technology and lingo, as well as the benefits of a good working relationship with an enterprise’s IT department, whose assistance can help secure an AV application. One good example is firewalls, which IT departments are hesitant to open to anything but mission-critical applications. As a result, firewall traversal often is an issue for videoconferencing.
A session border controller enables videoconferencing through firewalls without sacrificing quality or network security.
“Videoconferencing manufacturers are selling more products to help with this like firewall traversal units,” says Cheshier. “This only opens pinholes in the firewall when calls are placed or received. These are expensive, and most companies can’t justify that cost.”
Those situations highlight the value that a knowledgeable integrator can bring. But to sell clients on security, that knowledge has to be passed on. “We have a host of white papers written by IT professionals ready to hand over to clients,” Cheshier says.”
Even so, security is ultimately in the eye of the beholder, making it an impossible sell in some cases.
“We always ask, ‘Are you concerned with security and/or privacy?’” Cheshier says. “If the client does not put a certain priority on the problem, they are not going to pay for it.”
Tim Kridel is a freelance writer and analyst covering telecom and technology based in Columbia, Mo. He can be reached at [email protected].
