Edition #2 – IoT and Zero Trust
April 22, 2022
IOT

What is IoT?

Internet of Things, or as you know it IoT, has moved from buzzword to a useful categorization of devices that aren’t quite computers, aren’t quite servers, aren’t phones – they’re just computing “things” that serve some purpose.  They might be vibration sensors, thermostats, or hearing aids.  They also don’t necessarily have to be connected to the internet to do their thing; they might just be on an internal network instead.  

Outside of video conferencing codecs, we at AV MSP tend to classify most AV devices as IoT.  The reason?  Most devices have some sort of network connectivity but have no way to truly monitor processes or alter configurations like we can on PCs and network hardware.   We may have monitoring tools or ways to get information from the device, but we can’t get the depth of information compute devices give us.  The other reason we classify AV as IoT?  Like most IoT devices, security is a serious issue and these kinds of devices need to be treated with much more caution than your typical networked devices.  

What is Zero Trust?

Zero trust is yet another buzzword, but it carries some weight as a security ideal.   Basically, you no longer give any device or manufacturer the benefit of the doubt – you assume there is a risk, and you validate every step of the way.  Zero trust also eliminates the idea that once something is let onto your network, it’s somehow assumed to be safe and no longer a threat, even if it can’t reach the internet.  

Zero trust is the best policy for dealing with AV hardware.  As an industry, we have not exactly been the most up to date on security standards, don’t respond quickly to threats, and may not even know about security issues until it’s far too late. In 2019, security researchers found a set of major vulnerabilities in a well-known set of wireless screen sharing devices.  The responses by manufacturers were less than ideal, and in many cases the vulnerabilities were never patched.  The researcher’s assessment of the situation is worth reading.  

What does this mean for you, an owner of many AV devices?

You just need to know that a) you own a lot of IoT devices and b) you cannot trust them.  That’s not to say all manufacturers are negligent – many are responsible and thoughtful in their security responses – but rather to say that you shouldn’t take anybody at their word that something is safe or secure.  This is why there are third party security assessments, VLANs, and when all else fails, an airgap between those devices and anything they can damage.  None of us want to have a rogue amplifier with malware be the reason a company lost billions.  Some data and control is just not worth it. 

Return