Security
Report a Vulnerability

Security at Crestron

Thousands of companies across hundreds of industries, government agencies, universities, and more have standardized on Crestron products. They trust and rely on Crestron to make their lives simpler and work/ education environments secure. Central to that success is Crestron's unwavering commitment to network security. Simply put, "If it's on the network, it must be secure." Clients need to know who and what is on their network.

Our Process

A secure system, of course, doesn't just happen. There are large number of considerations that need to be accounted for throughout the development process. Crestron allocates and dedicates resources to define the problem spaces and document the appropriate solutions.

Step 1 - Identifying risks that are applicable to the systems and identifying assumptions about the operating environment.

Step 2 - All source code is reviewed to ensure not only proper functionality, but also conformance to security guidelines.

Step 3 - Source code is subjected to scans using automated tools that review code for common errors and security holes.

Step 4 - A rigorous testing process is in place once the software/firmware is compiled and loaded into systems. Each night, the latest code is built and automated tests are run to ensure system stability. Included in these tests are standard network scanning tools to ensure there are no unauthorized ports, etc. which have been open.

Providing network security at the product level.

Enterprise IT departments categorize devices that don't support these features as a security risk.

  • AES Encryption - Ensures secure transmissions. The same protocol banks use to protect transactions on the Internet.
  • 802.1x Authentication - Ensures that every device on the network is explicitly authorized by the IT department.
  • Active Directory® - Centralized credential management ensures that only authorized users gain access.
  • NIAP & JITC Certifications - Crestron products have received approval by the Joint Interoperability Test Command (JITC) of the U.S. Department of Defense Information Systems Agency (DISA) and have been added to the Unified Capabilities (UC) Approved Products List (APL). Additionally, Crestron offers products that are NIAP/Common Criteria certified, ensuring they meet rigorous security standards.
  • PKI Authentication - Required when simple passwords are inadequate to confirm the identity of the parties involved in a particular action or communication, and to validate the information being transferred.
  • TLS - The most widely used security protocol, TLS provides privacy and data integrity between two applications communicating over a network.
  • SSH Network Protocol - Encrypts and protects communications, whereas Telnet, used in other Network AV products, does not.
  • HTTPS - The secure version of HTTP, HTTPS encrypts the data sent between your web browser and the website you're connected to, ensuring the privacy and integrity of the exchanged data. The "S" at the end of HTTPS stands for "Secure."
  • Secure CIP - Ensures communications between Crestron control processors and DM NVX devices are secure.

Resources & Documentation

Updated: 11/25/2024

The documents below describe in-depth the steps needed to secure a Crestron installation. These documents assume the reader has a basic understanding of security functions and protocols.

Security Reference Guide: DGE-1000
Security Reference Guide: IV-SAM-VX2 Series
Security Reference Guide: ZUM-HUB4
Security Reference Guide: TSS-470E
Security Reference Guide: TST-1080
Security Reference Guide: IV-SAM-VXN-1B, IV-SAM-VXP-1B, and IV-SAM-VXS-1B
Security Reference Guide: TS-70 and TSW-70 Series Touch Screens
Security Reference Guide: HTML5 Web XPanel
Security Reference Guide: Crestron Fusion® Cloud Service Software Application
Security Reference Guide: Crestron Residential Systems
Security Reference Guide: DM NVX® and DM NAX® AV-over-IP Distribution Systems
Security Reference Guide: 3-Series® Control Systems
Security Reference Guide: Crestron System Architecture
Security Reference Guide: Crestron Touch Screens
Security Reference Guide: Crestron XiO Cloud® Service
Security Reference Guide: SSL Multi-Domain Certificate and 3-Series
Security Reference Guide: IP Guidelines for the IT Professional
Security Reference Guide: AirMedia® Presentation Gateway Deployment
Security Reference Guide: Crestron Flex UC-ENGINE
Security Reference Guide: Crestron Flex Care Cloud Connect Service
Security Reference Guide: 4-Series® Control Systems
Security Reference Guide: Crestron Flex Phones
Security Reference Guide: Crestron Go App
Security Reference Guide: Crestron Virtual Control Server Software

Crestron Toolbox Help Files

Security Audit Tool
Authentication
SSL Management
802.1X / Certificate Deployment

MyCrestron.com

Dynamic DNS Service

Support

Crestron Support Center
Report a Product Vulnerability
Control Subnet - Getting Started & NAT / Port Mapping (OLH 1000110; 6/26/18)
Enable Authentication Example Script

Additional Resources

JITC Certified Products
Compliance Documentation
Accessibility Conformance Information

Security Advisories

Vulnerability:

CVE-2022-3602: X.509 Certificate Buffer Overflow (OpenSSL)

Updated Date:

11/18/2022 12:00:00 AM

Threat:

OpenSSL has discovered a vulnerability where an attacker can use a malicious email address to send a specifically constructed certificate to an application. The application receiving the certificate will overwrite memory and crash. This can lead to a denial of service, or allow the attacker to gain remote control over the affected system.

Identifier:

This vulnerability has been classified as CVE-2022-3602 and CVE-2022-3786

How is Crestron Affected:

This vulnerability affects the UC-Engine product line on version 1.00.22.766. Crestron is planning a release, version 1.00.22.786, to fix this issue.

Note: The affected version was never available via Windows Update. It was only possible through XiO Cloud and Crestron Customer Support. Version 1.00.22.786 will be available via XiO Cloud and Crestron Support on Monday, December 12th and will be available as a Windows Update later on.

Resources: