Versions Compared

Old Version 16

changes.mady.by.user BrightSign TechDocs

Saved on

compared with

New Version 17

changes.mady.by.user BrightSign TechDocs

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel
borderColor#3D3D3D
bgColor#F4F4F4
titleColor#3D3D3D
borderWidth0
titleBGColor#3D3D3D
borderStylesolid

ON THIS PAGE

Table of Contents
indent20px

...

  1. Disable the Diagnostic Web Server: The password-authentication system for the Diagnostic Web Server is vulnerable to brute-force dictionary attacks. Access to the Diagnostic Web Server allows an intruder to copy, rename, and delete contents from the local storage, as well as reboot the player or force it into recovery mode.
  2. Enable the Local Web Server with password protection: The authentication system for the Local Web Server is just as vulnerable to brute-force hacking as the Diagnostic Web Server, but the Local Web Server does not grant access to critical system processes.
  3. Do not use Local File Networking: A player set up for Local File Networking will listen for scheduling and publishing commands from a PC running BrightAuthor on the local network. It may be possible for an attacker to use this responsiveness to gain access to system processes on the player. If you would like to publish presentations over the network, use the BrightSign Network or a Simple File Network instead.
  4. Do not enable basic authentication: If you would like to securely publish content using Simple File Networking, make sure to use a server that is compatible with digest access authentication.
  5. Do not enable the Chromium Web Inspector: See the Advanced Topics section below for more details.

Basic Security

Follow these steps during the BrightAuthor unit setup process to ensure the player has basic level of protection against outside attacks.

  1. Enable the Diagnostic Web Server with password protection: Access to the Diagnostic Web Server allows you to copy, rename, and delete contents from the local storage, as well as reboot the player or force it into recovery mode. Enabling password protection for this feature gives the player at least a basic level of security.
  2. Do not use Local File Networking: A player set up for Local File Networking will listen for scheduling and publishing commands from a PC running BrightAuthor on the local network. It may be possible for an attacker to use this responsiveness to gain access to system processes on the player. If you would like to publish presentations over the network, use the BrightSign Network or a Simple File Network instead.
  3. Do not enable basic authentication: If you would like to securely publish content using Simple File Networking, make sure to use a server that is compatible with digest access authentication.
  4. Do not enable the Chromium Web Inspector: See the Advanced Topics section below for more details.

Test Environment: Low Security

...

  1. Enable the Diagnostic Web Server: Without password protection, the Diagnostic Web Server will be accessible by anyone on the local network at the player IP address.
  2. Enable the Local Web Server: Anyone on the local network will be able to access the device webpage at port 8008.
  3. Use Local File Networking: You will be able to use BrightAuthor to publish presentations and update schedules on a player connected to the local network.
  4. Enable basic authentication: If you are using Simple File Networking, you can enable basic authentication to have the player send the user name and password credentials to the server as plaintext data. This makes Simple File Networking compatible with a greater range of server configurations.
  5. Enable Chromium Web Inspector: If you need to debug HTML applications on BrightSign players, you can enable the Web Inspector in a presentation. See the Advanced Topics section below for more details.

Advanced Topics 
Anchor
advanced_topics
advanced_topics

...

You can use the Web Inspector to debug webpages on the BrightSign Chromium instance (see the HTML Best Practices page for more details). This tool does not require authentication, so any party on the network can access and alter content on the BrightSign player; therefore, the Web Inspector should be disabled in production environments.

Linux Security

Though the BrightSign application runs on a Linux stack, it is unlikely that conventional Linux malware will be able to infect BrightSign players. A BrightSign player will only execute a firmware image that has been cryptographically signed by BrightSign. Also, during normal operation, the filesystem used on the player is read-only.

...