With the increasing spread of digital signage, the requirements for the security of digital signage are also growing. After all, it is about the security of content that is played out in public or semi-public spaces. The horror scenario par excellence: manipulative or compromising content that is broadcast to the outside via the company or advertising screen network.

The good news: digital signage can be professionally secured to prevent the risk of criminal attacks. It is clear that all partners involved in the production, development and installation of digital signage systems contribute to security. In our role as market leader for digital signage players, we illustrate here how comprehensive protection works.

Content: Dangers and Signage Security Solutions

  1. Protection Against Device Theft
  2. Protection Against Malicious Code Import on the Device
  3. Protection Against Hacked Software and Malware
  4. Protection Against Attacks at Network Level
  5. Conclusion: Digital Signage Security as a Joint Effort

Protection Against Device Theft

A classic digital signage solution consists of a media player (mini PC or OPS plug-in PC) connected to one or more displays of a video wall. The player plays multimedia content onto the displays. The contents are stored on the hard disk of the media player. In some cases, however, they are also saved on a server and streamed directly to the player via the network connection.

Use Lockable OPS Media Players

In public or semi-public areas, the system components must be protected against theft. In accessible areas, it is advisable to screw the player into the display, as a separate media player is easier to steal than a large display. The standardised OPS format is a good choice here. Many displays can accommodate an OPS-format PC in a lockable manner.

Protect Display and Player with an Enclosure

In railway stations and outdoor areas, the display and mini PC are stored in special enclosures. These digital signage enclosures are usually made of metal with an impact- and break-proof pane (so-called ESG safety glass). They do not require any screws, except for fixing them to the wall, ceiling or floor. The enclosures protect the sensitive electronics in several ways:

  • From moisture and impacts – useful, for example, when digital signage is used as a customer interaction interface, such as an order counter in fast-food restaurants.
  • From theft or hackers – if the player PC is fully enclosed, no one can insert a USB stick carrying malicious code or content that could damage the operator's reputation.
  • From vandalism – the hardware is effectively protected from damage at night.

Use Other Hiding Places

If no enclosure can or should be used, it is recommended to place the media player in cabinets or under suspended ceilings – no problem thanks to the fanless, very flat design of the special hardware.

Protection Against Malicious Code Import on the Device

Openly accessible ports such as USB, as well as wireless interfaces such as Bluetooth and WLAN on the media player and display, are one thing above all: a gateway for hackers.

Deactivate Interfaces via BIOS

Especially in the case of open housing, all unused interfaces and also buttons must therefore be deactivated via the BIOS of the hardware. The BIOS itself should be password protected.

Deactivate Autoplay

Functions such as autoplay on the USB port should be switched off on the software side. This way, malicious code on a plugged-in USB device is not run automatically.

Encrypt Hard Disk with TPM Module

Hard disk data can be encrypted with the help of a TPM module. Otherwise, criminals have the possibility to read out sensitive data such as passwords from stolen computers by removing the hard drive.

Protection Against Hacked Software and Malware

Software is one of the main targets of criminally motivated attacks. In a digital signage installation, the media player, usually the most poorly protected device, becomes the focus of attention. With Android and Windows, two proven operating systems are available for media players. Yet every new version bears the risk of bugs and security gaps. These can occur even with the best documentation and cleanest code.

Check Operating System Updates and Use Them with a Delay

New operating system versions should be thoroughly tested by the hardware supplier before they are installed on the large number of mini PCs that are usually part of a digital signage installation. As experience has shown, it might be better to wait for a security update or two, or even to skip a first software release, as old OS versions are more reliable and stable.

User Access Only for Selected Applications

At the application level, highly restricted user rights are recommended. Only absolutely necessary applications should be able to run and gain access to the system. These exceptions include the app that enables access to the server-based content management system for the signage content. This restriction brings important security advantages: less room for hackers to attack and fewer opportunities to make accidental misconfigurations.

Targeted Use of Antivirus Software and Firewalls

Antivirus and anti-spyware software should be installed on the media players, and it should of course update itself so that cyber criminals get as few entry points as possible. Hackers who “sniff” for open ports via the Internet should be prevented from gaining virtual access to the computer by means of strictly configured firewalls.

Quickly Correct System Errors with Master Images

And what if the system does become faulty and there is a suspicion that hackers were at work? Digital signage network operators investigate such suspicions with the help of device management software. The systems show whether the software is running on the players and whether the content is being played. If the content does not land on the displays, an attack could be the cause.

In this case, the administrators remotely set up the player again by completely overwriting the existing installation with a functioning master image. Companies that have stored the master image on the SSD in a hidden partition can restore their configuration and digital signage operation with comparatively little effort: the image is simply copied from the hidden partition or from the local edge server to the active partition of the SSD. Long downtimes are avoided.

Displays with Integrated Players are More Vulnerable

The security options mentioned so far assume that the media player in use is fully controllable. This applies to signage systems with separate players. In the case of displays with integrated players – also called “System on a Chip (SoC)” – this is not the case: if one of these SoC players is hacked, then at the very same moment every display worldwide using this SoC is a gateway for hackers. For this reason, we currently advise our customers to avoid using displays with SoC players for professional digital signage installations.

Protection Against Attacks at Network Level

Alongside players and displays, there is another essential element for digital signage security: the network in which the players are embedded. On site, the mini PCs are supplied with content and all other necessary data via a LAN connection. A WLAN connection would be another gateway, as it could easily be hacked by a laptop or smartphone in the neighbourhood – the physical plugging in of a LAN cable, on the other hand, is very conspicuous.

Separate the Signage Network from the Corporate Network

The network in which the digital signage players operate should be separated from the rest of the company network. Such a separated segment is referred to as a subnet. This subnet is connected to the corporate network via network hardware and receives the content from it. In this setup, the signage subnet does not have direct Internet access and is therefore invisible to intruders coming from the web. Other options for even more security differ depending on the company structure and size:

  • Solution for large companies: Management software controls access and rights at the network component level. The security factor can be further increased by allowing only certain MAC addresses to communicate with the server, for example.
  • Solution for branch offices: The branch offices are usually connected via mutually secured VPN tunnels or more modern alternatives – such as “Software Defined Network”.
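
The separation described above can be checked against exported flow records. The following Python sketch is an added example, not code from the original article or from any signage product: it flags players that reach the Internet directly, devices whose MAC address is not on the allowlist, and corporate hosts other than the content server that connect into the signage subnet. The address ranges, the MAC addresses, the single content server (`CMS_SERVER`) and the flow record layout are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan and allowlist (constructed for this example).
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
SIGNAGE_NET = ipaddress.ip_network("10.20.30.0/24")
CMS_SERVER = ipaddress.ip_address("10.10.0.5")
ALLOWED_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}


def normalize_mac(mac):
    """Lower-case and use ':' so 00-11-22-AA-BB-02 matches the allowlist."""
    return mac.strip().lower().replace("-", ":")


def audit_flow(src_mac, src_ip, dst_ip):
    """Return the policy violations (possibly none) for one flow record."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    findings = []
    if src in SIGNAGE_NET:
        if normalize_mac(src_mac) not in ALLOWED_MACS:
            findings.append("MAC not on allowlist")
        if dst not in SIGNAGE_NET and dst != CMS_SERVER:
            if dst in CORPORATE_NET:
                findings.append("player reaches corporate host other than CMS")
            else:
                findings.append("player reaches Internet directly")
    elif dst in SIGNAGE_NET and src != CMS_SERVER:
        findings.append("inbound to signage subnet from non-CMS host")
    return findings


# Constructed flow records: (source MAC, source IP, destination IP).
SAMPLE_FLOWS = [
    ("00:11:22:aa:bb:01", "10.20.30.11", "10.10.0.5"),     # player -> CMS
    ("00-11-22-AA-BB-02", "10.20.30.12", "203.0.113.10"),  # player -> outside
    ("de:ad:be:ef:00:01", "10.20.30.99", "10.10.0.5"),     # unknown device
    ("00:aa:bb:cc:dd:ee", "10.10.4.20", "10.20.30.11"),    # workstation -> player
]


def audit(flows):
    """Return {flow index: findings} for every flow that violates policy."""
    results = ((i, audit_flow(*flow)) for i, flow in enumerate(flows))
    return {i: found for i, found in results if found}
```
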

Conclusion: Digital Signage Security as a Joint Effort

Apart from necessary server security mechanisms, which are not discussed here, the security of digital signage systems can be significantly increased through proven measures, from physically secured hardware and regulated software up to protected networks. All partners who design digital signage systems should be aware of these mechanisms and technologies and take them into account as early as the concept stage. And last but not least, attentive customers with an awareness of digital signage security can ensure that they are getting a strong business solution.