Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.
The analog-to-digital transition has obviously been a hot topic in the security industry for several years. Here is a situation where not moving from analog to digital can have serious security impacts:
Q: During a recent training meeting I noticed that the meeting room’s wireless microphone system had frequencies listed on the equipment. Doesn’t this mean that someone could buy a matching receiver and listen in on our meetings?
A: If the system is typical analog technology, the answer is yes.
Analog wireless microphones, headsets and keyboards are all subject to eavesdropping that can be accomplished with less than $100 of equipment. Search the web and you will find countless examples. Wireless vulnerabilities are easy to exploit because it can usually be done from outside the building.
If there has been no recent security assessment of meeting rooms and executive offices, and no survey of employee desktop equipment, performing one as soon as possible would be a wise move. This might be combined physical security/IT collaboration, as for any sizeable organization the most likely available resource for desktop inspection is the team of patrolling security officers. An alternative would be to have business unit managers perform checks in their own areas.
Wireless Keyboards: Keylogging programs target analog wireless keyboards and broadcast every keystroke typed, which of course includes passwords, security phrases, account numbers and other sensitive data. This kind of snooping is rarely detected because it does not require any equipment to be plugged into the computer.
Wireless Headsets: An extremely vulnerable situation is an analog wireless headset that is “on” all the time. Sitting on the desk or hanging on the display monitor, it acts as a broadcasting microphone, transmitting conversations outside the office and building walls. So much data is vulnerable within office and meeting room transmissions — including meeting participants, travel schedules, and other information that can enable physical access breaches via social engineering.
Wireless Microphones: A good wireless microphone system requires pairing of each microphone to the base station using a unique electronic serial number. Simultaneous physical access to both devices should be needed to pair the two. Some systems provide optional software for use in configuring advanced features, requiring you to put the base station on the network. For security reasons, be sure to take the base station back off the network when configuration is complete. For both security and future-proofing reasons, a wireless microphone system should also support upgradable hardware and firmware.
Ideally, a wireless microphone system would allow adjustment of the microphone’s transmission distance to confine it within a room or only a few feet beyond. Transmissions can also be encrypted — this capability also helps to eliminate interference between devices when multiple systems are used in the same building.
Once the security features are in place, be sure to check the audio quality of the microphone system. Periodically, the microphones must be physically inspected to make sure that the devices have the same serial numbers as those originally installed. Clever eavesdroppers can drop an extra same-brand microphone into the room — or replace an existing one — to listen in. Typically, meeting room users trying the rogue microphone would think it is broken and simply switch to a different microphone. If the microphone trouble is actually reported, that’s usually after the meeting — and any eavesdropping session — are concluded.
Starting around 2008, wireless keyboard and headset manufacturers began switching over to secure digital technology. When upgrading from analog wireless systems to digital, look for technology that supports AES 256-bit encryption, which is the standard for many government agencies and is appropriate for executive meeting rooms. Still, a number of organizations specifically forbid the use of wireless keyboards, analog headsets and microphones. Many IT departments have specific wireless products on their acceptable products list (APL) and prohibit the use of others. Which situation is your company in?
Write to Ray at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Content Expert Faculty of the Security Executive Council.