Cybersecurity Considerations for Crestron VC-4

Crestron® Virtual Control (VC-4) is a Linux-based control platform for enterprise applications that can be used in place of traditional hardware‑based Crestron control systems.   The VC-4 platform controls multiple rooms over the network from a single, centralized location. Cloud‑based monitoring is also available through XiO Cloud, Crestron’s IoT (Internet of Things) monitoring system.

Readers should note that the Crestron VC-4 is not, as shipped, a secured platform. But rather, has the ability to be secured. Without going too deep into the differences between Alma Linux versus Rocky Linux, let’s just say, it’s not easy, and you will want an experienced Linux administrator to secure the device.

A properly hardened VC-4 server follows the popular C.I.A. triad of information security. C.I.A. stands for the Confidentiality, Integrity, and Availability of data. The C.I.A. triad of information security is an information security benchmark model used to evaluate the information security of an organization.

Here’s how the Crestron VC-4 falls in line with the C.I.A. data security triad:

Confidentiality

The “C” in C.I.A. stands for “confidentiality”, and a key component of protecting information confidentiality is encryption. Encryption ensures that only authorized people (people who have the key) can read the information. Encryption of data can be at rest (in a computer folder or on a storage media), in transit (attached to an email, or using SFTP, or other transfer protocols,), or while open.

The Crestron Virtual Control server provides built-in support for Secure Sockets Layer (SSL) encryption. SSL ensures that the web browser and the Crestron Virtual Control connection is encrypted and secure.

Other ways to ensure information confidentiality include enforcing file permissions and access control lists to restrict access to sensitive information. To enable authentication for secure CIP connections, create authentication groups on the Linux platform, and add users to the groups based on the desired access level for each user, then go to Settings > Authentication Management in the web user interface.

Does this all sound like Greek? Well, be warned: the Apache server comes completely unsecured, and requires a lot of working knowledge to setup. Administrator level of Linux and Apache is recommended.

Integrity

The “I” in the C.I.A triad stands for integrity. Integrity of information refers to protecting information from being modified by unauthorized parties. Much like data confidentiality, the SSL (Secure Sockets Layer) helps to ensure the control data integrity.

Since VC-4 operates using normal IP based networking, the integrity of the data is better ensured because of the IP traffic monitoring by Level 3 Audiovisual, and/or local IT staff.  Conversely, traditional hardware controllers used proprietary buss and serial control, and/or contact closures, all of which can be hacked, while the IT/AV support staff basically has “no clue,” because it's not IP traffic, so they don’t see it. By using the virtual controller, the IT/AV support staff will have much better optics into the usage.

However, if you are not ACTUALLY monitoring the traffic, then the Integrity of the data is NOT ensured.

Availability

The last major benefit of using a software-based VC-4 in place of a traditional hardware-based controller (brain) is availability, which is the “A” in the Cybersecurity C.I.A. triad. Current supply-chain constraints mean that the hardware-based control systems may be unavailable for another year or so.

Even if you can get your hands on a hardware-based controller, it can still malfunction come install time. By using a virtual controller running on a server, it's easy to start up another instance of the VC-4 build. 

Availability of information refers to ensuring that authorized parties are able to access the information when needed. Information only has value if the right people can access it at the right times. The same holds true for IP-based control systems. The data in this case could be control data or status indicators.   

We are not suggesting that the VC-4 will always be fail-safe, or highly available, in any configuration.  VC-4 is virtual, but (for now) still runs on a standalone Linux instance, which could fail, as could the application itself, without fail over.  But with the proper health checks and process monitoring, you can minimize the downtime. Downtime is the inverse of availability. VC-4 server down? Spin up a new one.

It is important to note that the VC-4 also has its own share of supply chain vulnerabilities, namely, it depends on other software to run correctly.  It depends directly on Python, Redis, MariaDB, Firewalld, Apache web server, and other packages. Changes to any of those packages could affect the dependency.

Buyer Beware

While VC-4 is an innovative and powerful solution, it is extremely complex and requires some serious Linux administration and security skills in order to be secure... skills that honestly, MOST integrators probably don't have. AV integrators are great at getting things working.  They rarely ask themselves:

“What are all the vulnerabilities and/or ways I can break this system if I was (or was not) malicious?”

This question doesn’t cross AV integrators minds, or most people’s minds, for that matter; but it should.

The reader should consider this scenario: what if an internal attacker was able to install malicious software onto a given Crestron VC-4 hardware server, they'd have permissive access to an unsecured Linux server...a lot of damage can be done from such a device, using only a little bit of imagination.

Don’t fake it until you break it. Get in touch with an experienced VC-4 partner like Level 3 Audiovisual.