Security concerns with Rise Vision

Answered


  • Robb Price
    Hi there Laboratorio,

    Your content is secure in the sense that Rise Vision relies on Google's authentication method, and we store all information on Google's infrastructure. It is not indexed by search engines. HOWEVER, Displays are not authenticated, so if a user knows the Display ID, and how to build a URL using that Display ID, they could see what content is playing on that Display ID.

    Display IDs are random strings which are basically impossible to guess, so if someone does not know the Display ID, they won't be able to access anything.

    No public information is editable, you need to be authenticated in Rise Vision to edit any information.

    Does that help?
  • Mike Thomas
    Hello David,

    The incident you linked was likely the result of a TeamViewer Remote Management window left in front of the Presentation, making the machine's TeamViewer ID available for anyone within visual range of the billboard. This oversight enabled the digital signage media player to be exposed to outside influence. 

    Our Editor, and the other apps provided at https://apps.risevision.com, run on Google Cloud Platform which has many security certifications. You can read more about them here, https://cloud.google.com/security/compliance

    As Robb mentions above, accessing https://apps.risevision.com requires a user authenticate using Google authentication. For additional security, an organization or individual can enable 2-step authentication. You can read more about 2-step authentication and how to enable it here, https://www.google.com/landing/2step/.
  • David Alonso
    From the other point of view, how secure is the RiseVision platform at protecting published content, given incidents like these:
    http://www.bbc.com/news/uk-wales-south-east-wales-40802887

    Some prospects are very reluctant to buy digital signage from integrators that have no control over the security of their publishing platform (i.e. cloud-based). What argument can we use to give our concerned prospects some peace of mind on this?

    Thanks,
  • Jeff Schroeder

    Are there plans to enable TLS encryption on Display sessions?

    I understand this might be challenging to accomplish with embedded content pointing elsewhere on the web (e.g., YouTube, external Image URLs). However, I think it would be worthwhile to provide a more secure option even if there are some drawbacks to functionality. We should have an option to securely expose a tenant (and its storage contents) to approved displays. In the short run, it should be straightforward to offer this option for customers that pay for storage.

    I think this could take the form of creating RiseVision accounts for Display clients. Displays would then authenticate into RiseVision to access the content. Down the road, you could build out APIs for customers to leverage their identity management tools to manage the security of their display nodes. Google and Okta have authentication tools that could be easily embedded into the product.

  • Ray Durkin

    Hi Jeff,

    Thanks for asking! At this time, TLS encryption is not something we are working to implement. However, we appreciate the idea and it's been noted. Our improvements are largely driven by the feedback we get here, so thank you again for asking. It will be interesting to see how many other folks would like to see the same thing.

  • Cu24nl

    You can (somewhat) use SSL security with RiseVision:

    • Build a WebDAV server on IIS. Enable Basic Authentication.
    • Use a valid certificate
    • Create a Windows user with read access to the IIS virtual folder
    • In your presentation use https://user:password@youriis.server.abc links for your private content.
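
Added example, not part of the thread and not Rise Vision's code: with Basic Authentication, a client that honours the `user:password` part of a link sends it as a Base64-encoded header, which is an encoding and not encryption, so the certificate step is what protects it in transit. The script below audits presentation links for that risk and redacts credentials before logging; the host name, paths and credentials are constructed sample values.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def basic_auth_header(url):
    """Authorization value derived from userinfo in the URL (RFC 7617), or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    creds = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def redact(url):
    """Copy of the URL that is safe to log: userinfo replaced, rest untouched."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.netloc.rpartition("@")[2]  # keeps port and IPv6 brackets
    return urlunsplit((parts.scheme, "REDACTED@" + host,
                       parts.path, parts.query, parts.fragment))


def audit(url):
    """Findings for one presentation link."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("no-tls")
    if parts.username is not None:
        # Anyone who can read the presentation can read this credential.
        findings.append("embedded-credentials")
        if parts.scheme.lower() != "https":
            # Base64 is reversible, so the password crosses the network readable.
            findings.append("basic-auth-in-cleartext")
    return findings


# Constructed sample links (hypothetical host and account).
SAMPLE_LINKS = [
    "https://signage:s3cret@media.example.test/private/menu.png",
    "http://signage:s3cret@media.example.test/private/menu.png",
    "https://media.example.test/public/logo.png",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(redact(link), audit(link) or ["ok"])
```

Because the credential sits in the presentation itself, the read-only Windows account from the steps above should have no rights beyond that one IIS virtual folder.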
