In hybrid work environments, AV solutions are more than just tools for enhancing meetings; they are vital for seamless communication. Seamless being the key word here.
We have become so accustomed to the AV technology we use daily that it blends into the background – and that often means it is overlooked when formulating cybersecurity plans. But not including AV in security plans is a critical oversight, especially given the sensitive information it handles.
After all, businesses all over the world spend a lot of money ensuring that their external network devices are secure from threats. But what happens if the internal AV devices are compromised?
The unseen risk
As AV technology connects and facilitates a host of conversations, it will inevitably process sensitive content through microphone audio and video. This can even extend to the screen-sharing capability, which can be used to share sensitive information with people on a call. It’s a process that we assume is safe – but there is an unseen risk.
In corporate environments, streaming data through audio and video over IP poses a significant security risk, particularly with sensitive information at stake. Unfortunately, on company grounds, most audio streams lack encryption, exposing them to risks such as eavesdropping or unauthorised sharing.
This vulnerability affects all connected devices, creating a loophole where encrypted protection is triggered only when the device is outside of the office.
For example, in a law firm, a conversation with a client might seem secure with the microphone muted, but if a threat actor were to intercept these unencrypted streams or disrupt the mute function, confidential discussions could be compromised.
Many AV devices also bridge multiple networks, meaning there are various points of entry to potentially pivot through a corporate network, making them an attractive target to malicious actors.
Audio streams are a key example of this because they are often made easily discoverable on the network. While convenient, this feature also makes it easier for hackers to find and exploit these streams.
Even if the hacker cannot use the audio straight away, the information can be downloaded and unencrypted for later use. Leaving this data unprotected leaves a critical gap in security.
Into the network
Another area in which critical security weakness can occur is communication rooms. Serving as the central nervous system for AV calls – the control room, if you will – communication rooms are inherently vulnerable, as they house a myriad of hardware and switching hubs that connect numerous devices (such as sound bars and cameras) to the network across multiple meeting rooms.
As such, these rooms become a prime target for hackers because of the sheer amount of information filtered through them and the added vulnerability of there being multiple endpoints.
If an attacker successfully hacks the technology in a communication room, they can fully immerse themselves within an organisation – listening in to confidential conversations or pivoting through the network.
This is where a bad actor gains a foothold, and from there performs reconnaissance, subsequently moving through the infrastructure device by device until permanent access is established.
Once they have obtained access, their true goal can be realised, whether this is simply gathering and transmitting confidential information for future access attempts, or distributing a malicious payload.
The big concern is that this can happen through any device connected to the network, rather than just traditional ones such as laptops and mobiles. Today’s technology israrely just one 'thing', as high-quality microphones and video cameras have built-in operating systems that essentially make them small computers with capabilities beyond their use.
That is why it is so important for all of this technology to undergo rigorous security reviews to guard against unauthorised access.
Fighting back
To combat these risks, it is critical that companies look for AV solutions with built-in security features such as advanced encryption techniques and authentication options.
These safeguards are pivotal when it comes to ensuring data remains inaccessible to unauthorised users, as any devices connecting to the corporate network will need to prove they are legitimate before entering the secure environment.
Investing in these security steps is about more than just safeguarding sensitive information; it also builds trust among employees and clients.
This is because it reduces the likelihood of network disruptions and data breaches, ensuring business operations run smoothly, as well as preventing potential financial losses, including penalties for non-compliance with regulations such as the General Data Protection Regulation (GDPR).
Another step that may seem obvious is for companies to employ comprehensive password management policies.
This means configuring AV devices with complex, non-standard passwords, as well as ensuring employees adopt the same practice for their devices. This can even be taken further with a centralised password management system where only authorised personnel can access critical devices and information.
Regularly testing AV software to pre-emptively identify and address potential weaknesses is something organisations can do to ward off attack and adhere to industry-standard vulnerability benchmarks.
Ultimately, as we are now reliant on AV solutions for seamless communication, the importance of integrating robust security measures into these systems cannot be overstated.
Protecting sensitive audio and video data, ensuring the security of communication rooms, and preventing unauthorised network access are crucial steps in safeguarding an organisation's informational assets and maintaining its operational integrity.
George Pierson is an integrated network services consultant at Kinly