Business challenge
With thousands of network-connected advertising displays located around the world, the company has thousands of potential vulnerabilities that criminals could exploit.
Transformation
Quarterly penetration testing from X-Force Red helps the company identify and remediate vulnerabilities that could allow criminal attackers to replace advertising content with their own messages or video.
Results
Improves
the security posture of the company’s networks and digital signage solutionHelps prevent
highly visible attacks that could damage the company’s reputationHelps avoid
regulatory fines that could result from a breach of personal dataBusiness challenge story
Protecting a network of interactive advertising displays
When you have thousands of streaming LED advertising displays located around the world, you have thousands of potential vulnerabilities and network entry points that criminal attackers can exploit. Moreover, local in-country technical teams may make infrastructure changes that increase the risk of criminal attackers taking over a display and replacing the advertising content with whatever message or video content they want.
With its reputation potentially on the line, this worldwide advertising company turned to X-Force Red for penetration testing services. The company wanted the X-Force Red team of veteran hackers to identify security weaknesses in the displays themselves or in the custom network that streams advertising content to the displays, which range in size from 60 inches to 50 meters. The displays are located in malls, airports, on buildings and virtually anywhere a customer can think to mount them.
“ We were able to take control of the advertising screens, which would allow us to change the content to anything we wished. ”
— X-Force Red consultant, IBM
Transformation story
Uncovering hidden vulnerabilities
When the company first engaged X-Force Red for penetration testing, it was very surprised at what the team found. The team's seasoned hackers took full control of the streaming devices tested and reverse engineered them to understand how they worked. X-Force Red then took control of the advertising screens, which would allow them to easily change the screens’ content.
An even bigger surprise for the company was the discovery of security issues on the content streaming network that could have led to a compromise of its internal network. These issues included user credentials and account details flowing over the content streaming network in clear text as well as other network security holes.
As part of the penetration testing service, X-Force Red delivered a report that included a detailed description of each vulnerability identified, enabling the company to quickly remediate the problem. The report also included recommendations for longer-term remediation such as deploying a patch management system.
Since that initial testing experience, the company has retained X-Force Red to conduct quarterly testing at locations selected by the Chief Information Security Officer (CISO). X-Force Redhackers are typically onsite for four to five days, wherever that site may be—the rooftop of a building, in an airport that requires a security clearance for access to the runway where the signage is located, or on the street where there is no power for laptops.
Most recently, X-Force Red tested a new signage installation in an airport in China. Other times the CISO has selected locations where countries have made modifications outside of the corporate IT-approved way of doing things, and where X-Force Red discovered security vulnerabilities.
“ An even bigger surprise for the company was the discovery of security issues on the content streaming network that could have led to a compromise of its internal network. ”
— X-Force Red consultant, IBM
Results story
Improving security posture globally
As a result of the security vulnerabilities identified by X-Force Red, the advertising company has been able to significantly improve the security posture of its internal network and global digital signage solution. Keeping on top of the ever-changing vulnerability landscape helps the company avoid the kind of highly visible attacks — compromising content appearing on the interactive signage displays — that can damage its reputation as well as the reputation of its customers. Improved internal network security also helps protect against data breaches, helping to avoid fines from regulatory organizations.
International advertising company
This advertising company is a world leader in digital display advertising, streaming content to LED displays that range in size from 60 inches to 50 meters. Displays are typically located in malls and airports and on exterior locations such as buildings and streets.
Take the next step
To learn more about X-Force Red penetration testing services, visit: https://www.ibm.com/security/services/penetration-testing
Follow the "X-Force Red in action”podcast series to hear how X-Force Red is protecting clients.
For more information on IBM Security solutions and services, visit: ibm.com/security. Follow us on Twitter at @IBMSecurity or visit our blog at securityintelligence.com.