How Risky Is Updating Digital Signs With Apps, Anyway?
Written by Frank Hayes
Is updating your digital signage with a mobile device really such a good idea? That’s the question raised by the announcement on October 2 that Swedish retail giant ICA will begin using mobile apps next month for making changes to its in-store signs.
The advantage seems pretty obvious: Using an app on a phone or tablet means a store manager or associate can see what changes look like as they’re made, avoiding embarrassing differences between what appears on a PC’s screen and the display. The equally obvious downside: You’re trusting your public face to the security of a smartphone.
It’s not clear how many of the chain’s 2,230 stores will immediately adopt the app, SpotApp from display vendor ZetaDisplay. But let’s suppose a wide swath of the stores begin using it. That makes a lot of targets for pranksters and vandals whose idea of a good time is putting their own message up for your customers to see.
The problem is the undercooked state of mobile security, suggests StorefrontBacktalk columnist Walter Conway. “The inherent insecurity of mobile platforms (Android) and lack of transparency (iOS) make me question whether mobile access to the signage is really any safer than a well-protected Web application,” Conway said. “Many of the risks are the same: lose the device, and you’re toast; weak passwords; weak authentication (try MAC address filtering on a smartphone); not managing privileges; poorly configured IDS/IPS; etc.”
He added, “It all comes down to security. Whether they use an iPhone, Android, laptop or physical keyboard controlled with a padlock and protected by a mean dog, there is no 100 percent security. I would still feel better with a networked device my security and IT staff could lock down, and access the pros can monitor and control.”
Fair enough, but we’re not talking about payment-card data or corporate secrets here. And the mobile option is still seductive, and very convenient. So is the ability to access displays via Wi-Fi—which may already have blown away the ability to secure displays against a dedicated attacker at many chains.
But if this app is successful, it’s likely that other digital sign vendors will offer apps for their own products. How big a problem is that likely to be for security? It depends on how loudly store managers scream for convenience, and how hard vendors (and central IT) have already worked to lock down the devices.
Suppose that digital display is accessed via Wi-Fi and just protected by an IP address and a password. Is it the vendor’s default IP address and password? Then there’s no security at all, because anyone with access to Google can track down the information to hijack it. If it’s not the vendor’s default but is a standard password for the chain, that’s only slightly safer—those secrets have a way of leaking out, too.
A unique password and IP address that are kept secret from store employees? That’s getting closer.