New post
0

Physical security

Avatar
Ciumafaie
None
Follow

Hi,

I would like to understand clearly from security perspective how Brightsign players can be locked:

- after setup and going in production, can we make sure that the SD card cannot be used to change/reprogram the players, the system settings (enable telnet, ssh), for brs scripts ?

- can we disable the serial port in a such way so that it can be enabled only remotely?

- how we can make sure once the players are programmed and in production their content, especially their settings cannot be changed by an unauthorized person that either has physical access or access to the local network ?

-if we are connecting Brightsign players to a cloud based CMS, there is any way to use the CMS or any other cloud based management tool to discovery, inspect and collect remotely information about local network environment (ping results , telnet, tracert, ssh, arp, port scanners, etc)?

-how the applications that can be stored/loaded on the player are controlled, certified ? For example how can we make sure nobody can load on a player an uncertified application?

Cezar

Date Votes

1 comment

  • 0
    Avatar
    Lyndon

     

    Since users have no access to the linux shell, the only way something can be done is via script. 

    You can physically lock the sd slot so that no one can physically remove it. 

    If you're using a player with an internal ssd drive, you can disable the external media ports in the registry so that no sd or usb would be recognized.

    If you disable the dws server or set a password for it, then there's no way for someone to log into the player. Having it disabled would be the safest. If dws is disable, there are no ports available for someone to log into. 

     

    I don't know what you mean by an uncertified application. If someone has physical access to the player, then you're kind of limited in what you can prevent if the physically there. But, as I said earlier, if you use a unit that can take an internal ssd drive, someone would then have to physically remove the unit from its enclosure or wall, open the unit to remote the ssd cdrive to put other content on it. They'd have to literally take it apart, take out the main board. And, if someone has that kind of time, and access, then there's not much you can do.

     

    At that point the only way someone could get access to the unit would be if you were specifcally running some program like a node app that explicitly allowed someone to log into the player. 

     

    Our cloud cms uses https for communication. The player does respond to ping requests. It doesn't have telnet or ssh enabled out of the box. There's no ftp, and if you disable the dws, there's no where for someone to log into. 

     

Please sign in to leave a comment.