Protecting Your Audio from Cybersecurity Vulnerabilities
Safeguarding confidential data on your IP network is a top priority. As AV conferencing equipment becomes increasingly network-capable, IT heads need to be assured that these devices are not open to security breaches.
Shure Network Audio Encryption
Shure has considered the unique security needs of our customers and developed technology to safeguard content without compromising audio quality. Shure Network Audio Encryption uses AES-256 crypto technology to protect confidential content. The AES-256 encryption algorithm has been adopted as one of the safest forms of network protection by leading financial institutions, government bodies and health care services. Although the AES-256 encryption standard is widely adopted and used worldwide, we take security seriously and understand that you may not be able to achieve 100 per cent secure Dante audio. However, Shure Network Audio Encryption is the most secure form of transmission available.
The AES-256 encryption algorithm uses a user-configured passphrase on each device, similar to applying a passphrase to the Wi-Fi connections on home router products. If the passphrases on two Shure devices do not match, the result is no audio (silence) at the listening end. Non-Shure devices will not connect to an encrypted Shure device.
Many Shure conferencing systems and live audio solutions feature Dante Networked Audio. Our customers have recognized the advantages and efficiencies of routing audio over their gigabit network infrastructure. Shure offers Dante audio for a variety of applications including sound reinforcement, recording and conferencing. These systems are found in boardrooms, meeting rooms, courtrooms, interview rooms, worship spaces, and theatrical venues.
With Shure Network Audio Encryption enabled, Dante audio is encrypted prior to being sent over the network to another Dante device which supports Shure Network Audio Encryption, where it is decrypted and forwarded for IntelliMix® DSP processing or analog conversion.
Shure Network Audio Encryption will be available with Microflex® Advance™ Ceiling and Table Array microphones, the IntelliMix P300 Audio Conferencing Processor, and selected Audio Network Interfaces in early 2018. Microflex® Wireless will be supported later in 2018. The feature can be added to these products already installed in the field through a firmware upgrade.
Network Audio Encryption Q&A
The popularity of Dante has given rise to questions about cybersecurity vulnerabilities that apply to transmitting audio over an IP network.
Q: Is it possible for someone to "wire-tap" Dante audio over the network?
A: Yes. The unencrypted IP packets containing Dante audio flows can be captured using freely available packet capture tools, then manipulated and played back with a Dante-enabled audio device. Shure Network Audio Encryption prevents a rogue Dante audio device from playing encrypted audio flows.
Q: My Dante gear is never connected to the core network – it is isolated to the room (an "air gap" security solution). So I don't need to worry about Dante audio being tapped, right?
A: Maybe. While an air gap solution greatly reduces access to the Dante audio, it still may be possible to connect to the room network on an open Ethernet jack, allowing someone to introduce a "rogue" (unauthorized) Dante endpoint. Using the freely available Dante Controller application, the network audio streams can be routed to the rogue device, captured and recorded. With Shure Network Audio Encryption, even a rogue device located in the meeting room would be unable to receive the network audio streams.
Q: It seems relatively easy for unintended audiences to access the Dante audio. This could compromise sensitive discussions in boardrooms. Is there anything that can be done with the network infrastructure to protect and secure our audio?
A: Yes. Several enterprise IT organizations restrict connectivity to their corporate network by MAC address – this would stop rogue Dante recording devices from joining the network. Alternatively, most enterprise-grade network switches can be configured with VLANs – a technique used to isolate a set of ports on the switch to create a new 'virtual' LAN. With Dante devices isolated on a VLAN, the Dante Controller application cannot discover the devices, and 'rogue' endpoints cannot access the Dante audio flows. Shure Network Audio Encryption can be enabled in addition to these measures to build a multi-layered security solution.
Q: With MAC port restrictions, VLANs, and other IT network protections against 'rogue' devices, is it still possible for the Dante audio to reach unintended listeners?
A: Yes. For example, employees with administration privileges can still use authorized devices to install Dante Controller and packet capture tools to gain access to Dante audio, and possibly compromise sensitive information. With Shure Network Audio Encryption, even if someone with admin privileges gains access to the Dante audio, they will be restricted from listening without the passphrase. For that reason, it is important to restrict passphrase access to carefully selected individuals.
Please contact the Shure Product Support Group (1-800-516-2525) with any questions or for additional assistance, or check out our FAQ database.
* MXWANIs will not support Shure Network Audio Encryption. The upgrade for these systems will require new MXW firmware and a hardware upgrade to replace the MXWANI with ANI4OUT or P300 products.