Versions Compared

Old Version 22

changes.mady.by.user BrightSign TechDocs

Saved on

compared with

New Version Current

changes.mady.by.user BrightSign TechDocs

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Expand
titleTable of Contents
Table of Contents
minLevel1
maxLevel3
outlinefalse
indent20px
typelist
printablefalse

...

The network settings of a BrightSign player are highly flexible and configurable. As a result, the integrity of a player is the direct result of the publishing and network configuration specified during the player setup process. Some configurations are best for networks where security is of little importance, while other configurations give the player a significant amount of resilience to outside attacks.

Tip

Tip

It's recommended that BrightSign players should not be connected directly to the Internet, but should always be behind a firewall that doesn't permit direct connections from the Internet to the player. 

...

A. The Diagnostic Web Server: The Diagnostic Web Server (DWS) responds to requests sent to the IP address of the player, allowing a user who meets the username and password requirements to retrieve information about the player and send system commands to it (reboot, enter recovery mode, test video resolution, etc.).

...

Note

The Diagnostic Web Server (DWS) is enabled on new players by default: The username is "admin" and the password is the player serial number. To change the login credentials or disable the DWS entirely, perform the player setup process.

Warning

Important

Firmware versions before 6.2.147.9 have a cross-site scripting vulnerability and a permissions issue that allowed authorized users to view hidden storage directories (see this post for full details). These vulnerabilities are catalogued as CVE-2017-17737, -17738, and -17739. We recommend updating to the current version of production firmware to patch these vulnerabilities.

...

Other network settings that are configurable during the player setup process—such as proxy setup, wireless configuration, DHCP vs. manual IP—do not negatively affect the security of a player.

...

For a full description of all the options in the Unit Setup window, please see the Setting up BrightSign Players section.

...

High Security

Follow these steps during the BrightAuthor unit setup process to ensure the player has a high level of resilience to outside attacks.

...

Follow these steps during the BrightAuthor unit setup process to ensure the player has a basic level of protection against outside attacks.

...

Diagnostic Web Server (DWS) password protection doesn't apply to added roHttpServer instances that are located on a different port.

  1. Enable the Diagnostic Web Server with password protection: Access to the Diagnostic Web Server allows you to copy, rename, and delete contents from the local storage, as well as reboot the player or force it into recovery mode. Enabling password protection for this feature gives the player at least a basic level of security.

  2. Do not use Local File Networking: A player set up for Local File Networking will listen for scheduling and publishing commands from a PC running BrightAuthor on the local network. It may be possible for an attacker to use this responsiveness to gain access to system processes on the player. If you would like to publish presentations over the network, use the BrightSign Network or a Simple File Network instead.

  3. Do not enable basic authentication: If you would like to securely publish content using Simple File Networking, make sure to use a server that is compatible with digest access authentication.

  4. Do not enable the Chromium Web Inspector: See the Advanced Topics section below for more details.

...

You can use the Web Inspector to debug webpages on the BrightSign Chromium instance (see the HTML Best Practices page for more details). This tool does not require authentication, so any party on the network can access and alter content on the BrightSign player; therefore, the Web Inspector should be disabled in production environments.

Linux Security

Though the BrightSign application runs on a Linux stack, it is unlikely that conventional Linux malware will be able to infect BrightSign players. A BrightSign player will only execute a firmware image that has been cryptographically signed by BrightSign. Also, during normal operation, the filesystem used on the player is read-only.

...