This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

BenQ InstaShow - Security Done Right

The Concept

At a local small business incubator near where I live, the municipal government spent thousands of dollars on a wired presentation system with multiple HDMI wall jacks and a surround sound speaker system. The system is brand new and state of the art, all controlled through an infrared remote that switches between wall jacks. The problem? Guests don’t know how the system works, so they walk up to the big-screen TV used for presentations, unhook the presentation system, and connect their laptop directly to the TV with an HDMI cable. After they’re finished, they hook the presentation system back up. Sadly, that several-thousand-dollar presentation system sits unused, not because it doesn’t work but because nobody knows how it works, so they bypass it completely.

The concept behind the BenQ InstaShow (paid link) is a very simple “hardware only” approach to wirelessly presenting your computer screen. The InstaShow connects to any projector or big-screen TV with an HDMI input and transmits video and audio wirelessly. Presenting wirelessly is extremely important for conference and meeting rooms, especially rooms that are frequently used by guest presenters. Full specs are available on the BenQ website.

The simplicity of the InstaShow is what really sets it apart from other presentation systems. When you turn on the host unit and the TV or projector, on-screen instructions step you through connecting the transmitter to your laptop and beginning your presentation. No fumbling through manuals, no waiting for the IT department to come assist, and no installing drivers or software. The InstaShow is true plug-and-play, as it was meant to be.

Why a Hardware Solution Matters

Most wireless presentation systems require the user to install software and connect to a WiFi network. This exposes the presenter’s laptop both to other devices on that network and to vulnerabilities in the presentation software itself. Often presenters can’t install the software at all, because their IT department has locked the device down against modifications, which is in line with security best practice. By using a hardware-only solution, BenQ avoids this problem completely.

Something really important to mention is “app creep”. We’re all guilty of it: we install an application on our laptop or phone, use it once, and then it just sits there. The biggest problem with app creep isn’t the wasted space on our devices; it’s that these forgotten apps rarely get security updates, which leaves the device more exposed to attack. By making the InstaShow a hardware solution, BenQ helps reduce app creep on our devices. Other manufacturers, please take note: no, I don’t want to install your app!

Attack Surface

I was very impressed with the minimal attack surface of the InstaShow. The InstaShow features two 5 GHz wireless networks: a management network, and a separate network used by the transmitter to carry the presentation.

Both networks use WPA2 with 128-bit encryption (AES-CCMP), which at the time of writing this review was the standard for consumer and enterprise WiFi; WPA3 had only just been finalized and was not yet common in shipping devices.

I used a “black box” approach to analyzing the InstaShow. Scans using OpenVAS came back extremely clean, with only 3 medium findings and 1 low finding. Most network devices, such as printers or routers, typically have many more findings, so that’s impressive. Below is an overview of the findings.



Telnet Unencrypted Cleartext Login (Medium) - This is a pretty common finding for network devices. There are no documented telnet credentials for the InstaShow, so while the open port does add to the attack surface, the practical risk is low, provided the port is only reachable from the isolated management network.

Cleartext Transmission of Sensitive Information via HTTP (Medium) - This shows up twice, once for port 80 and once for port 8080. Both ports lead to the same Web UI used to configure the InstaShow, so the admin login travels unencrypted. A publicly trusted TLS certificate isn’t practical on an embedded device with a private IP address (a self-signed one would only produce browser warnings), and this is no different from common router configuration interfaces. The practical mitigation is to reach the Web UI only over a network you control, which the hardening steps below cover.

TCP Timestamps (Low) - This low finding is due to the TCP timestamps option (RFC 1323), which the device includes in every TCP segment it sends from the management IP. Because the timestamp counter starts at boot and ticks at a fixed rate, an observer can estimate the host’s uptime, and therefore when it last rebooted. Ultimately not very useful, unless an attacker wants to know how long your presentation has lasted.
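To make the low finding concrete, here is what an observer can actually compute from two TCP segments. This is an added example, not code from the original review or from BenQ: given two TSval readings and the times they were captured, it recovers the remote clock’s tick rate and turns the latest TSval into an uptime. The observations in the sample are constructed, not a real capture.

```python
"""Estimate a host's uptime from the TCP timestamps option (RFC 1323, now RFC 7323).

Added example; not code from the original review. The TSval field is a counter
that normally starts near zero at boot and ticks at a fixed rate (100, 250 and
1000 Hz are common). Two observations of TSval at known capture times reveal the
tick rate, and the latest TSval divided by that rate is the seconds since boot.
The sample observations below are constructed, not a real capture.
"""
from __future__ import annotations

from dataclasses import dataclass

TSVAL_MODULUS = 2**32                # TSval is an unsigned 32-bit counter
COMMON_RATES_HZ = (100, 250, 1000)   # typical kernel tick rates for TSval


@dataclass(frozen=True)
class TsObservation:
    capture_time: float   # wall-clock seconds (e.g. the pcap timestamp) when the segment was seen
    tsval: int            # TSval taken from the TCP options of that segment


def estimate_tick_rate_hz(first: TsObservation, last: TsObservation) -> float:
    """Ticks per second of the remote clock, tolerating one 32-bit wrap of TSval."""
    elapsed = last.capture_time - first.capture_time
    if elapsed <= 0:
        raise ValueError("observations must be in chronological order")
    ticks = (last.tsval - first.tsval) % TSVAL_MODULUS
    return ticks / elapsed


def snap_to_common_rate(rate_hz: float, tolerance: float = 0.05) -> int | None:
    """Round a measured rate to a common kernel tick rate if it is within tolerance."""
    for candidate in COMMON_RATES_HZ:
        if abs(rate_hz - candidate) <= tolerance * candidate:
            return candidate
    return None


def estimate_uptime_seconds(observations: list[TsObservation]) -> float:
    """Seconds since the remote TSval counter started, i.e. since boot on most stacks."""
    if len(observations) < 2:
        raise ValueError("need at least two observations to measure the tick rate")
    measured = estimate_tick_rate_hz(observations[0], observations[-1])
    rate = snap_to_common_rate(measured) or measured
    return observations[-1].tsval / rate


def format_uptime(seconds: float) -> str:
    remaining = int(seconds)
    days, remaining = divmod(remaining, 86400)
    hours, remaining = divmod(remaining, 3600)
    minutes, secs = divmod(remaining, 60)
    return f"{days}d {hours:02d}h {minutes:02d}m {secs:02d}s"


# Constructed sample: two segments from the management IP captured 10 s apart.
SAMPLE = [
    TsObservation(capture_time=1553457600.0, tsval=1_234_000),
    TsObservation(capture_time=1553457610.0, tsval=1_236_500),
]

if __name__ == "__main__":
    rate = estimate_tick_rate_hz(SAMPLE[0], SAMPLE[-1])
    uptime = estimate_uptime_seconds(SAMPLE)
    print(f"tick rate ~{rate:.0f} Hz, uptime {format_uptime(uptime)}")
```

The TSval values come straight from `tcpdump -vv` (printed as “TS val”) or any pcap; nmap’s OS detection prints an “Uptime guess” built on the same idea. One caveat: Linux kernels since 4.10 randomize the TSval offset per connection, so against those hosts the result is meaningless, but embedded devices frequently run older stacks where it still works.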

Best of all, every one of these findings can be mitigated by simply not connecting the InstaShow to a corporate LAN and by disabling the WiFi management network in the interface; with no path to the management IP, there is nothing for a scanner to reach. More on hardening later in this review.


Default Passwords

The management network has a default password that matches the network name. For example, if the management network has an SSID of WDC10_12345, then the WPA2 passphrase will be WDC10_12345, so anyone who can see the SSID already knows the passphrase. Once connected to the management network, the user can point a web browser at 192.168.168.2 and log in with the default username and password of “admin”/“0000”.

The InstaShow also has an option to connect to a wired network via its Ethernet port, on which it obtains an IP address via DHCP. Once again, the configuration settings are reachable with the default username and password of “admin”/“0000”. As with every other networked device, these passwords should be changed from their defaults.
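The reason “password equals SSID” is worse than an ordinary weak passphrase is that WPA2-Personal derives its Pairwise Master Key deterministically from the passphrase and the SSID, so the beacon frame alone hands an attacker the key. The following is an added example, not code from the original review or from BenQ: it parses an `nmcli` scan listing, flags SSIDs matching the WDC10_<digits> pattern (an assumption based on the example above), and computes the PMK the default would produce. The scan listing is constructed, not captured.

```python
"""Audit WPA2-Personal networks for the "passphrase equals SSID" default.

Added example; not code from the original review. WPA2-Personal derives the
Pairwise Master Key (PMK) as PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
4096 iterations, 32 bytes). When the passphrase is the SSID, a single beacon
frame is enough to compute the PMK: there is nothing left to crack. The SSID
pattern WDC10_<digits> is an assumption taken from the review's example, and
the nmcli scan listing below is constructed, not captured.
"""
from __future__ import annotations

import hashlib
import hmac
import re

INSTASHOW_SSID_RE = re.compile(r"^WDC10_\d+$")   # assumption based on WDC10_12345 in the review

# Published test vector (IEEE 802.11 Annex J): passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as defined for WPA/WPA2-Personal (PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def passphrase_matches(passphrase: str, ssid: str, known_pmk: bytes) -> bool:
    """Check a candidate passphrase against a PMK recovered from a captured 4-way handshake."""
    return hmac.compare_digest(wpa2_pmk(passphrase, ssid), known_pmk)


def parse_nmcli_terse(text: str) -> list[tuple[str, str]]:
    """Parse `nmcli -t -f SSID,SECURITY dev wifi` output: one "SSID:SECURITY" per line,
    with literal colons inside a field escaped as a backslash followed by a colon."""
    rows: list[tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"(?<!\\):", line)
        ssid = fields[0].replace("\\:", ":")
        security = fields[1] if len(fields) > 1 else ""
        rows.append((ssid, security))
    return rows


def audit_scan(nmcli_text: str) -> list[dict[str, str | None]]:
    """Report every InstaShow-looking SSID still on the air; for WPA2-PSK ones,
    derive the PMK that the SSID-as-passphrase default would yield."""
    findings: list[dict[str, str | None]] = []
    for ssid, security in parse_nmcli_terse(nmcli_text):
        if not INSTASHOW_SSID_RE.match(ssid):
            continue
        uses_psk = "WPA2" in security and "802.1X" not in security
        findings.append({
            "ssid": ssid,
            "security": security,
            "default_pmk_hex": wpa2_pmk(ssid, ssid).hex() if uses_psk else None,
        })
    return findings


# Constructed scan listing in nmcli terse format; not a real capture.
SAMPLE_NMCLI = """\
CorpWiFi:WPA2 802.1X
WDC10_12345:WPA2
MeetingRoom-Display:WPA2
Guest:
"""

if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_NMCLI):
        print(finding)
```

With a captured 4-way handshake, `passphrase_matches` confirms the default in a single PBKDF2 run rather than a dictionary attack. Running the audit after disabling the management network is also a quick way to confirm hardening step 1 took effect: no WDC10_ SSID should remain in the scan.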


Attack Scenario - Attacking the WiFi Management Network

The most likely attack against the InstaShow is one carried out against the WiFi management network. For this scenario, we’ll assume the InstaShow has been plugged into a corporate LAN with the WiFi management network enabled, and that it is still using the default username and password.

Step 1: Attacker connects to the InstaShow WiFi management network using the default password (the SSID).
Following security best practices, this shouldn’t happen. However, in security the user is always the weakest link, and sometimes we forget to lock down our devices.

Step 2: Attacker runs an IP address scan using nmap. The scan returns the management IP address, 192.168.168.2.

Step 3: Attacker attempts to traverse from the management network into the corporate LAN.
This attempt fails, as the InstaShow isolates the WiFi management network from the wired network.

Step 4: Attacker attempts to sniff the current presentation.
This attempt fails, as the InstaShow transmits the HDMI signal over a separate WiFi SSID, so the presentation traffic is never visible on the management network.


Step 5: Attacker connects to the InstaShow Web UI using the default username and password.
Once again, following security best practices this shouldn’t happen, but for the purposes of this attack let’s assume the user once again forgot to change the defaults.
Once in the management Web UI, the attacker is very limited in what they can do. There is no option to change the password for the presentation network, and no option to access the corporate LAN. They can see the DHCP address assigned to the device on the corporate LAN, and they can disrupt any in-progress presentation by resetting the InstaShow. Neither of these has the potential to leak sensitive corporate information, nor do they allow the attacker to push malware onto the network; the worst case is an interrupted meeting.
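Steps 2 and 3 above, and the port classification from the Attack Surface section, can be automated. The following is an added example, not code from the original review or from BenQ: it parses the grepable output nmap produces with `-oG`, sorts each open port into cleartext management services (telnet on 23, the Web UI on 80 and 8080, the ports OpenVAS flagged) versus everything else, and checks whether a sweep of a corporate range launched from the management WiFi found any live host. The /24 around 192.168.168.2 is an assumption, and both scan outputs are constructed rather than captured.

```python
"""Triage the nmap scans from steps 2 and 3 of the attack scenario.

Added example; not code from the original review. It parses nmap's grepable
output (`nmap -oG -`) and sorts each open port the way the OpenVAS findings
did: cleartext management services (telnet on 23, the Web UI on 80 and 8080)
versus everything else. A second helper answers step 3: did a scan of the
corporate LAN range, launched from the management WiFi, find any live host?
Port numbers and the 192.168.168.2 address come from the review; the /24 is
an assumption and the scan output below is constructed, not a real capture.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

CLEARTEXT_MGMT_PORTS = {23: "telnet", 80: "http", 8080: "http"}    # from the review's findings
MANAGEMENT_SUBNET = ipaddress.ip_network("192.168.168.0/24")       # assumption: /24 around 192.168.168.2

# Grepable format: "Host: <ip> (<name>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")
HOST_STATUS_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


@dataclass
class HostReport:
    ip: str
    open_ports: dict[int, str] = field(default_factory=dict)   # port -> service name nmap guessed

    @property
    def cleartext_services(self) -> list[str]:
        """Open ports that carry logins or configuration without encryption."""
        return [f"{p}/{self.open_ports[p]}" for p in sorted(self.open_ports) if p in CLEARTEXT_MGMT_PORTS]

    @property
    def outside_management_subnet(self) -> bool:
        """True if a responding host is not in the InstaShow management subnet."""
        return ipaddress.ip_address(self.ip) not in MANAGEMENT_SUBNET


def parse_grepable(scan_text: str) -> list[HostReport]:
    """Collect open TCP ports per host from nmap -oG output."""
    reports: dict[str, HostReport] = {}
    for line in scan_text.splitlines():
        match = HOST_PORTS_RE.match(line)
        if line.startswith("#") or not match:
            continue
        ip, _name, ports = match.groups()
        report = reports.setdefault(ip, HostReport(ip))
        for entry in ports.split(", "):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open" and proto == "tcp":
                report.open_ports[int(port)] = service or "unknown"
    return list(reports.values())


def live_hosts(scan_text: str) -> set[str]:
    """Every host nmap reported as up, whether or not it had open ports."""
    hosts: set[str] = set()
    for line in scan_text.splitlines():
        status = HOST_STATUS_RE.match(line)
        if status and status.group(3).lower() == "up":
            hosts.add(status.group(1))
            continue
        ports = HOST_PORTS_RE.match(line)
        if ports:
            hosts.add(ports.group(1))
    return hosts


def lan_reachable(pivot_scan_text: str) -> bool:
    """Step 3: isolation holds only if the pivot scan found no live host."""
    return bool(live_hosts(pivot_scan_text))


# Constructed sample: step 2, a port scan of the management network.
MGMT_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -sS -p- -oG - 192.168.168.0/24
Host: 192.168.168.2 ()\tStatus: Up
Host: 192.168.168.2 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done -- 256 IP addresses (1 host up) scanned
"""

# Constructed sample: step 3, a ping sweep of a corporate range from the management WiFi.
PIVOT_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -sn -oG - 10.0.0.0/24
# Nmap done -- 256 IP addresses (0 hosts up) scanned
"""

if __name__ == "__main__":
    for report in parse_grepable(MGMT_SCAN):
        print(report.ip, "cleartext:", report.cleartext_services,
              "outside mgmt subnet:", report.outside_management_subnet)
    print("corporate LAN reachable from management WiFi:", lan_reachable(PIVOT_SCAN))
```

Feeding real output is a matter of `nmap -sS -p- -oG - 192.168.168.0/24 > mgmt.gnmap` and `nmap -sn -oG - <corporate range> > pivot.gnmap` while associated to the management SSID; a non-empty `live_hosts(pivot)` would mean the isolation the review describes has failed.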

Overall this is a very secure implementation, which even helps compensate for user error.

Hardening the InstaShow

While the InstaShow is pretty secure by default, there are a few steps the user can take to make it more secure. Detailed steps for each of these items are available in the User’s Manual, which is available on BenQ’s website.

1) Disable WiFi Management Network
By disabling the WiFi management network, you remove the wireless path an attacker would use to reach the management interface; it then exists only on the wired Ethernet port. Disabling it is very easy: in the Web UI go to “Wireless Network”, choose “Disable”, and click “Apply”.

2) Change the default admin password.
By changing the default admin password, anyone who can reach the management Web UI, whether over the wired port or the management WiFi, can no longer log in with the published defaults of “admin”/“0000”.

3) Unplug the InstaShow from the LAN when not being configured.
Once you’ve set up the InstaShow, there’s very little reason to leave it plugged in to the corporate LAN. Unplugging it completely, combined with the hardening steps above, reduces the attack surface to the single WiFi network used for transmitting presentations. That network is only going to be compromised if someone cracks its WPA2 key, which (since the Web UI offers no way to change it) is whatever BenQ provisioned at the factory. If someone has the capability of cracking that WPA2 key, they will most likely have already compromised the rest of your corporate wireless networks, and compromising this device will be of negligible impact. Ideally, the InstaShow should only be configured through a direct Ethernet cable to a laptop, and never connected to the corporate LAN.

4) Use a USB power adapter with the HDMI version of the InstaShow.
The InstaShow transmitter is designed to run off the power of a USB port, but some users may be uneasy about plugging an unfamiliar USB device into their laptop, and rightfully so: a malicious USB device can present itself as a keyboard, network adapter or storage drive and attack the host. Fortunately the HDMI version of the InstaShow does not transmit or receive any data over USB; it only uses USB to power the transmitter for the HDMI signal. To make security-conscious users a bit more at ease, a USB extension cable and USB power adapter can be used so that only the HDMI cable needs to be connected to the laptop.


Device Performance and Quality

Of course, if security keeps users from getting their work done, that security is worthless. At the end of the day what really matters is that users can still perform their work without being interrupted or blocked by security measures.

The InstaShow has two display modes: presentation and video. Presentation provides a slightly better picture quality with a lower refresh rate, while video provides a better refresh rate with a slightly lower picture quality. Honestly, I couldn’t tell much difference at all with picture quality set to video, as the image still seemed crystal clear. I was able to stream several videos from YouTube without issue. Audio and video synced perfectly, and were very clear.

Keeping in mind that the InstaShow wasn’t designed for video gaming, I decided to test its limits. I tried several different PC games, and was able to play without any issue whatsoever. I did notice some very, very slight input lag, but we’re talking milliseconds. For the casual gamer like me, it won’t make a difference, but of course gamers who play a lot of first-person shooters will probably want to stick to a wired connection, since those milliseconds can be life or death. So if you’re doing something like fighting for Azeroth or launching Kerbals to explore the stars, this would let you very easily connect to the big screen or home theatre without wires, and still provide an enjoyable gaming experience.

Summary

Unfortunately, in today’s world, despite all of the cyber threats out there, security is often “tacked on” at the end of a project as an afterthought. I’m extremely impressed with the InstaShow, in that it was clearly designed from the beginning with security in mind. As a cyber security professional, I hear a lot that security is a hassle, cumbersome, or prevents work. The InstaShow is proof that security designed in from the start is none of those things. I’ve seen cyber security done right, and cyber security gone horribly wrong. The InstaShow is security done right: it keeps the user experience simple while still keeping your sensitive data secure.

The BenQ InstaShow is available on Amazon (paid link) as well as retailers such as Office Depot.

About Me: Ken is a cyber security professional with over 12 years experience. He specializes in security evaluations and continuous monitoring of corporate and federal environments. This review is my own personal opinion, and does not reflect the opinions of my employer or clients. As an Amazon Associate I earn from qualifying purchases when using a paid affiliate link above.


Space Weather Outlook March 24, 2019 at 09:35PM

Official Space Weather Advisory issued by NOAA Space Weather Prediction Center Boulder, Colorado, USA SPACE WEATHER ADVISORY OUTLOOK #19-12 2019 March 24 at 7:15 p.m. MDT (2019 March 25 0115 UTC) **** SPACE WEATHER OUTLOOK **** Summary For March 18-24 No space weather events were observed during the summary period. Outlook For March 25-31 No space weather events are expected during the outlook period. Data used to provide space weather services are contributed by NOAA, USAF, NASA, NSF, USGS, the International Space Environment Services and other observatories, universities, and institutions. More information is available at SWPC's Web site http://swpc.noaa.gov Thank you for using the Product Subscription Service. If you would like to remove a product subscription or update the personal information in your account, go to the Product Subscription Site. Please do not use the from address for correspondence, as it is not monitored. For comments or help, please contact SWPC Help.

Space Weather Outlook March 17, 2019 at 11:55PM

Official Space Weather Advisory issued by NOAA Space Weather Prediction Center Boulder, Colorado, USA SPACE WEATHER ADVISORY OUTLOOK #19-11 2019 March 17 at 9:35 p.m. MDT (2019 March 18 0335 UTC) **** SPACE WEATHER OUTLOOK **** Summary For March 11-17 G1 (Minor) geomagnetic storm conditions were observed on 17 Mar. No other space weather storms were observed during the summary period. Outlook For March 18-24 No space weather storms are expected during the outlook period. Data used to provide space weather services are contributed by NOAA, USAF, NASA, NSF, USGS, the International Space Environment Services and other observatories, universities, and institutions. More information is available at SWPC's Web site http://swpc.noaa.gov Thank you for using the Product Subscription Service. If you would like to remove a product subscription or update the personal information in your account, go to the Product Subscription Site. Please do not use the from address for correspondence, as it is not monitored. For comments or help, please contact SWPC Help.