In the latest episode of A State Of Control, Mark Day highlights some things IoT devices do really well. Rich Fregrosa counters by pointing out that you give up some control with IoT solutions. There have even been cases where thousands of devices were negatively affected by manufacturer updates pushed over the air.
After the episode was released, it was reported that the Mirai malware can now target AV devices from LG and WePresent. To protect devices in the field, a security patch is required: a firmware update that fixes the vulnerability.
Getting all those devices updated will require many “Firmware Fridays”, also known as talented AV professionals running around with laptops and watching progress bars. Such is the drudgery of AV today.
The devices in question may not normally be considered part of the IoT. But if a device is connected to a network with internet access, guess what? It is a thing on the internet.
What’s missing are secure communication protocols, authentication and a fleet management platform. Maybe someday there will be standards for this sort of thing. But for now, here are a few approaches…
The AV Way
Many AV devices can be controlled over the network. But most were designed to operate on an isolated “AV network”. They require no login and transmit messages without encryption. In other words, they were not designed with the internet in mind.
Isolated AV networks provide 100% security from internet-based attacks. The trade-off is every feature that needs internet access. Do you really trust that automatic 3:00 am Sunday update?
The IoT Way
IoT devices automatically connect to the manufacturer’s cloud application allowing the manufacturer to push updates at will. That could be good if they always do the right thing. But sometimes mistakes are made.
Unless the manufacturer offers an SLA guaranteeing uptime, integrators give up some control in how these devices are managed.
A Hybrid Approach
Some AV manufacturers are starting to offer platforms that let technology owners and service providers manage device updates online. This is a step in the right direction. But last I checked, it is impossible to design an AV system with all of the components from a single manufacturer.
We still need a way to manage those other devices. And some of those other devices need to be segmented away from the internet because they still use unauthenticated and unencrypted protocols.
One approach is to set up the network so only one device has internet access. Let’s call that device a Remote Management Gateway.
The remote management gateway can provide access to the protected network through an online dashboard or virtual private network (VPN). Managed service providers can then apply security updates and provide support without being on-site.
There is a lot to consider in this scenario. A secure online dashboard should have two-factor authentication enabled. Strong passwords and a password manager should also be used.
As an extra security measure, the VPN can be turned off when not in use, effectively creating a network that goes online and offline as needed. Some interface would be needed to let someone on the local network enable the VPN when required.
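As an added illustration (not from the original post or any manufacturer), here is a constructed nftables ruleset for a Linux host acting as the Remote Management Gateway, enforcing the segmentation described above; the interface names, addresses and ports are assumptions.

```nft
# Constructed example for a Linux host acting as the Remote Management Gateway.
# Assumed (not from the post): AV VLAN 10.10.20.0/24 on "av0", uplink "wan0",
# WireGuard VPN on "wg0" listening on UDP 51820, HTTPS dashboard on TCP 443.
table inet rmg {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # From the internet, expose only the VPN endpoint and the HTTPS dashboard
        # (the dashboard itself must enforce two-factor authentication).
        iifname "wan0" udp dport 51820 accept
        iifname "wan0" tcp dport 443 accept
        # Local staff on the AV VLAN can reach the dashboard to toggle the VPN.
        iifname "av0" tcp dport 443 accept
        # Remote technicians arrive only through the tunnel.
        iifname "wg0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # AV devices are never forwarded to the internet: the gateway is the
        # single device with internet access, so there is no NAT for "av0".
        iifname "av0" oifname "wan0" counter drop
        # Unsolicited traffic from the internet never reaches the AV VLAN, where
        # unauthenticated, unencrypted control protocols are still in use.
        iifname "wan0" oifname "av0" counter drop
        # Remote support reaches AV devices only via the VPN; bringing "wg0" down
        # when it is not needed takes this path offline with it.
        iifname "wg0" oifname "av0" ip daddr 10.10.20.0/24 accept
    }
}
```

Loading the file with `nft -f` applies the policy; the on/off switch the post describes can be as simple as bringing the wg0 interface up or down from the local dashboard.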
What Do You Think?
Maintain the status quo and hope for the best? Demand manufacturers manage their own devices? Push for industry standards? Will integrators step up and become managed service providers?
Let’s hear what you think in the comments…