The shift from SDI to IP-based infrastructures has introduced significant security challenges for the broadcast industry, as media systems built on commercially available off-the-shelf (COTS) IT products now face risks similar to those of IT networks. This study assessed the security of 44 different media systems, including production cameras, IP converters, and PTP grandmaster clocks, through automated vulnerability scanning, manual penetration testing, and firmware analysis. We identified 18 critical or high-severity vulnerabilities (CVSS score above 7.5) in 15 products from 10 vendors, indicating that at least one-third of media systems have serious security flaws that could jeopardize entire broadcast networks. Our findings revealed that vendors lacked a documented vulnerability disclosure policy, with only four fixing issues within three months and none following the standard CVE process. Additionally, we discovered 18 CVE entries for broadcast products linked to non-vendor domains, suggesting a gap in vulnerability management practices. This highlights the need for improved security processes and transparency in the industry.
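As an added example (not from the paper), the following Python audit applies the two checks behind these findings to constructed CVE-style records: the CVSS severity threshold (above 7.5) and whether any reference on the entry points at the vendor's own domain, which is the signal that the vendor was part of the disclosure. The record layout, vendor names, domains and IDs are all assumptions built for this illustration.

```python
from urllib.parse import urlparse

# Constructed, simplified CVE-style records. IDs are placeholders, not real CVEs,
# and vendors/domains use the reserved .example TLD.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vendor": "examplecam", "score": 9.8,
     "references": ["https://examplecam.example/advisories/001"]},
    {"id": "CVE-0000-0002", "vendor": "examplecam", "score": 7.5,
     "references": ["https://researcher.example/blog/examplecam-auth-bypass"]},
    {"id": "CVE-0000-0003", "vendor": "ptpclock", "score": 8.1,
     "references": ["https://github.com/someone/writeup",
                    "https://ptpclock.example/security"]},
    {"id": "CVE-0000-0004", "vendor": "ipconv", "score": 6.5,
     "references": ["https://researcher.example/ipconv"]},
    {"id": "CVE-0000-0005", "vendor": "ptpclock", "score": 8.8,
     "references": ["https://www.ptpclock.example/cve"]},
]

# Assumed mapping from vendor name to the domains that vendor controls.
VENDOR_DOMAINS = {
    "examplecam": {"examplecam.example"},
    "ptpclock": {"ptpclock.example"},
}


def host_of(url):
    """Lower-cased hostname of a reference URL ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def is_vendor_host(host, domains):
    """True if host is one of the vendor's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_serious(record, threshold=7.5):
    """Matches the paper's criterion: CVSS base score above 7.5."""
    return record["score"] > threshold


def audit(records, vendor_domains):
    """Return the serious entries and the entries with no vendor-domain reference."""
    serious = [r["id"] for r in records if is_serious(r)]
    non_vendor_only = []
    for r in records:
        domains = vendor_domains.get(r["vendor"], set())  # unknown vendor: no domains
        if not any(is_vendor_host(host_of(u), domains) for u in r["references"]):
            non_vendor_only.append(r["id"])
    return {"serious": serious, "non_vendor_only": non_vendor_only}
```

Entries listed under `non_vendor_only` are the ones a vendor should reconcile with its own advisories, since nothing on the record shows the vendor took part in the disclosure.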
At least one third of the media systems in our tests contained a serious security vulnerability that could jeopardize the entire broadcast facility. Media system vendors must put in place a detailed vulnerability management procedure that meets industry standards and best practices. They should also regularly assess the security of their products. The media industry needs to step up its game in this area. Manufacturers, suppliers and users must learn from and adopt the IT industry's well-established best practices. We propose the introduction of a broadcast-scoped CNA (CVE Numbering Authority) to act as a public point of contact and gateway to ensure the correct handling of vulnerabilities.