Best Practices for Audio Security

Ronald Rousseau | April 2, 2020

Safeguarding confidential data on your IP network is a top priority. This requires a multi-pronged approach that includes protecting your network and data as well as choosing equipment that does not make it easy for hackers to access the network via devices. As AV conferencing equipment becomes increasingly network capable, IT managers need to be assured that these devices are not open to security breaches.

Shure Audio Encryption

Shure has considered the unique security needs of our customers and developed technology to help safeguard content without compromising audio quality. Shure Audio Encryption protects confidential meeting content. The AES-256 encryption algorithm has been adopted as one of the safest forms of network protection by leading financial institutions, government bodies and health care services.

The AES-256 encryption algorithm utilizes a user-configured passphrase on each device, similar to applying a passphrase to the Wi-Fi connections on home router products. When Shure devices have mismatching passphrases, the result is no audio (silence) at the listening end. Non-Shure devices will not connect to an encrypted Shure device.

Many Shure conferencing systems and live audio solutions feature Dante-enabled technology. Our customers have recognized the advantages and efficiencies of routing audio over their existing gigabit network infrastructure. Shure offers Dante audio for a variety of applications including sound reinforcement, recording and conferencing. These systems are found in boardrooms, meeting rooms, courtrooms, interview rooms, worship spaces, and theatrical venues.

With Shure Audio Encryption enabled, Dante audio is encrypted prior to being sent over the network to another Dante device which supports Shure Audio Encryption, where it is decrypted and forwarded for IntelliMix® DSP processing or analog conversion.

Availability

Shure Audio Encryption is available with Microflex® Advance™ Array microphones, the IntelliMix® P300 Audio Conferencing Processor, and selected Audio Network Interfaces. The feature can be added to these products already installed in the field through a firmware upgrade.

Audio Encryption Q&A

The popularity of Dante has given rise to questions about cybersecurity vulnerabilities that apply to transmitting audio over an IP network.

Q: Is it possible for someone to "wire-tap" Dante audio over the network?

A: Yes. The unencrypted IP packets containing Dante audio flows can be captured using freely available packet capture tools, then manipulated and played back with a Dante-enabled audio device. Shure Network Audio Encryption inhibits a rogue Dante audio device from playing encrypted audio flows.

Q: My Dante gear is never connected to the core network – it is isolated to the room (an "air gap" security solution). Therefore I don't need to worry about Dante audio being tapped, right?

A: Maybe. While an air gap solution greatly reduces access to the Dante audio, it still may be possible to connect to the room network on an open Ethernet jack, allowing someone to introduce a "rogue" (unauthorized) Dante endpoint. Using the freely available Dante Controller application, the network audio streams can be routed to the rogue device, captured and recorded. With Shure Audio Encryption, even a rogue Dante device located in the meeting room would be unable to listen in on the conversation.

Q: It seems relatively easy for unintended audiences to access the Dante audio. This could compromise sensitive discussions in boardrooms. Is there anything that can be done with the network infrastructure to protect and secure our audio?

A: Yes. Several enterprise IT organizations restrict connectivity to their corporate network by MAC address – this would stop rogue Dante recording devices from joining the network. Alternatively, most enterprise-grade network switches can be configured with VLANs – a technique used to isolate a set of ports on the switch to create a new 'virtual' LAN. With Dante devices isolated on a VLAN, the Dante Controller application cannot discover the devices, and 'rogue' endpoints cannot access the Dante audio flows. Shure Audio Encryption can be enabled in addition to these measures to build a multi-layered security solution.
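As an added example (not Shure's code and not part of the original article), the following Python code audits a switch's MAC address table against an allowlist of approved Dante endpoints, flagging unapproved devices on the Dante VLAN and approved devices that show up outside it. The VLAN ID, MAC addresses, port names and the three-column table format are all constructed for illustration.

```python
import re

DANTE_VLAN = 30  # assumed VLAN ID reserved for Dante audio devices

# Assumed allowlist of approved Dante endpoints (constructed addresses).
ALLOWED = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

# Constructed sample of a switch MAC address table: VLAN, MAC, port.
# MAC notation varies between tools, so several styles are mixed on purpose.
SAMPLE_TABLE = """\
30  0200.0000.0001     Gi1/0/1
30  02-00-00-00-00-02  Gi1/0/2
30  02:00:00:00:00:99  Gi1/0/7
10  02:00:00:00:00:03  Gi1/0/12
10  02:00:00:00:00:50  Gi1/0/13
"""


def normalize_mac(raw):
    """Return a MAC address as lowercase colon-separated octets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(table_text, allowed, dante_vlan=DANTE_VLAN):
    """Compare learned MAC addresses with the Dante allowlist."""
    allowed = {normalize_mac(m) for m in allowed}
    findings = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        vlan_s, mac_raw, port = line.split()
        vlan, mac = int(vlan_s), normalize_mac(mac_raw)
        if vlan == dante_vlan and mac not in allowed:
            # Possible rogue endpoint inside the audio VLAN.
            findings.append(("unapproved-device-on-dante-vlan", mac, port))
        elif vlan != dante_vlan and mac in allowed:
            # Approved Dante device is not isolated as intended.
            findings.append(("dante-device-outside-vlan", mac, port))
    return findings


if __name__ == "__main__":
    for kind, mac, port in audit(SAMPLE_TABLE, ALLOWED):
        print(f"{kind}: {mac} on {port}")
```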

Q: With MAC port restrictions, VLANs, and other IT network protections against 'rogue' devices, is it still possible for the Dante audio to reach unintended listeners?

A: Yes. For example, employees with administration privileges can still use authorized devices to install Dante Controller and packet capture tools to gain access to Dante audio, and possibly compromise sensitive information. With Shure Audio Encryption, even if someone with admin privileges gains access to the Dante audio, they will be restricted from listening without the passphrase. For that reason, it is important to restrict passphrase access to carefully selected individuals.

Shure takes security very seriously. Contact our Product Security Team with any questions or concerns you may have.

* MXWANIs will not support Shure Network Audio Encryption. The upgrade for these systems will require new MXW firmware and a hardware upgrade to replace the MXWANI with ANI4OUT or P300 products.


Ronald Rousseau

Ronald is a software platform manager within the Global Product and Marketing group at Shure. With 20+ years’ experience of product development, system verification and system engineering both in the professional audio space and data communications market, he applies a strong engineering background to help define the roadmap for Shure's software and software security platforms. Ronald also spends time enjoying the outdoors, managing building restorations, and directing a not-for-profit medical mission group, as well as fine gastronomy and photography.