Modena Hub security and privacy
Modena is designed as a secure system. This article covers the guidelines and recommended settings for keeping the system secure and for protecting the privacy of its users.
It is important to reconfigure Modena's admin password away from its factory default in order to help ensure that only the correct system administrator(s) can access the system's configuration options.
Instructions for navigating to the web admin page can be found here. The default password is "admin" (note: some Modena units, if restored to older 1.x firmware versions, may have the default password "password").
The new password must adhere to the following rules:
- 5-48 characters long
- Uppercase and lowercase letters, numbers, underscore, and dash are permitted
- Special characters and spaces are not permitted
Modena devices implement Unified Extensible Firmware Interface (UEFI) Secure Boot, which protects the boot process by refusing to load any driver or OS loader that does not carry Biamp's digital signature. This prevents tampered or unsigned boot components, including malware, from being installed and executed on the unit.
All video and audio streams between Modena units and connected Modena app clients are encrypted with AES-128. Network sniffing tools may still capture the packets, but they cannot recover the audio, video, or other data carried between Modena and its clients.
Users can connect to a Modena session via a web browser thanks to WebRTC technology. When doing so, the connection between Modena and any connected browser clients uses HTTPS. As with the app streams, a network sniffer cannot recover the data flowing between Modena and its clients.
The HTTPS connection relies on a security certificate supplied by the Modena unit. By default, this is a self-signed certificate rather than one issued by a certification authority. This means that, when first connecting, the web browser will likely display a warning page telling the user that the certificate is not trusted. The warning can be dismissed by selecting the Advanced options on the warning page and choosing to Proceed.
To avoid users receiving this warning page, the default self-signed certificate can be replaced with a custom HTTPS certificate from an official certification authority. More details on this can be found here.
Room sessions have four security levels, which can be set on the Room configuration page of the web admin:
- No passcode
- Passcode protection (this is the default setting)
- Passcode for the first participant
- Personal room
These are described in further detail in the below sections.
No passcode
Anyone is permitted to join the room session via the Modena app without needing to enter a passcode and will be able to receive presentation content on their device.
Passcode protection
A passcode is required for all participants after the first participant joining the room session.
When the first participant starts the room session, Modena will automatically generate a random 4-digit number as the passcode. All participants joining after this person will need to enter the passcode in order to join the session.
Force passcode requests to the first participant
All participants, including the first participant to join a room session, must enter a passcode. The randomly generated 4-digit passcode is output locally via HDMI to any connected projector or monitor (note that there is no other way for the first participant to learn the passcode and initiate the room session). This passcode is changed at regular intervals while the system is idle, and immediately when a room session is ended.
The purpose of this mode is to prevent a user from inadvertently beginning a session and sharing content from their device, especially if they are not in the room hosting the Modena system.
Personal room
In this mode, Modena will generate a random 8-digit personal room code. In order to connect to the room, users will need to add this 8-digit code to their list of Personal Rooms in the configuration settings of their Modena app.
When the first participant initiates the room session, the room will become visible to any participants who have the room code added to their Modena app, and they can then connect to the room using its 4-digit passcode.
The purpose of this mode is to add an additional level of security for certain rooms, as well as to allow for them to be reserved for certain users.
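The four security levels as a small model, added here as an example and not part of Biamp's software or this article: it shows which joins must present a passcode, how codes are drawn from a CSPRNG, and when first-participant mode rotates them. The RoomSession class and its methods are assumed names, and treating the personal room's first participant as not needing the passcode is an inference from the text.

```python
import secrets

NO_PASSCODE = "No passcode"
PASSCODE = "Passcode protection"
FIRST_PARTICIPANT = "Passcode for the first participant"
PERSONAL_ROOM = "Personal room"

def new_code(digits, avoid=None):
    """Uniform random numeric code, zero-padded, never equal to `avoid`;
    secrets.randbelow rather than random so codes are not predictable."""
    while True:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code != avoid:
            return code

class RoomSession:
    """Hypothetical model of one Modena room under a given security level."""
    def __init__(self, level):
        self.level = level
        self.passcode = new_code(4)   # shown on HDMI in first-participant mode
        self.room_code = new_code(8) if level == PERSONAL_ROOM else None
        self.participants = 0

    def join(self, passcode=None, known_room_codes=()):
        """Return True if a Modena app join is accepted under the level."""
        if self.level == PERSONAL_ROOM and self.room_code not in known_room_codes:
            return False            # room is not visible to this app
        first = self.participants == 0
        if self.level == NO_PASSCODE:
            required = False
        elif self.level == FIRST_PARTICIPANT:
            required = True         # first participant reads it off HDMI
        else:                       # PASSCODE and PERSONAL_ROOM
            required = not first
            if first:               # session start generates the code
                self.passcode = new_code(4, avoid=self.passcode)
        if required and not secrets.compare_digest(str(passcode), self.passcode):
            return False
        self.participants += 1
        return True

    def idle_tick(self):
        """Regular rotation while idle; only first-participant mode does this."""
        if self.participants == 0 and self.level == FIRST_PARTICIPANT:
            self.passcode = new_code(4, avoid=self.passcode)

    def end(self):
        """Ending a session immediately invalidates the current passcode."""
        self.participants = 0
        self.passcode = new_code(4, avoid=self.passcode)
```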
Local WiFi access point password (Modena Hub+ only)
The local WiFi access point of the Modena Hub+ is protected using the WPA2 standard. It is strongly recommended that this password be changed from its default settings, which are as follows:
The password must be between 8 and 63 characters.
Additional details about accessing the built-in WiFi access point can be found here.
Web admin settings
From the web admin page, the administrator can configure visibility of the SSID and password for connecting to a Modena Hub+'s built-in WiFi access point.
The two available options are as follows:
- "Show SSID password in status"
- When this option is selected, the SSID and password will be shown as part of the web admin page's general status information.
- "Show SSID password in welcome screen"
- When this option is selected, the SSID and password will be output via HDMI to any locally connected display monitor or projector.
- Note that enabling this setting will allow any guests in the room where Modena is installed to potentially connect to the system.
WiFi sharing modes (Modena Hub+ only)
When configured in dual-network mode, meaning both the wired connection and built-in WiFi access point are enabled, a Modena Hub+ offers some degree of flexibility and can be configured for a more isolated, secure system or a more open, accessible system. Details of the different available configuration settings and what they mean for system security and accessibility can be found here.
When Modena is connected to a corporate LAN via its wired network interface, the corporate firewall needs to allow Modena access to the following ports:
- TCP 80: Web GUI HTTP and firmware updates (external)
- TCP 443: Web GUI HTTPS and firmware updates (external)
- UDP 123: NTP service (external)
- UDP 5353: Zeroconf Service (to reach Modena through mDNS, e.g. "device_name.local")
- TCP 8443: Modena apps communication
- UDP 6000: Modena discovery service
- TCP 7000-7200: Room client video streams
- UDP 20000-40000: WebApp WebRTC
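The port table rendered as an nftables allow-list for a firewall in the path between Modena and the corporate LAN, added here as an example and not Biamp's or the article's own configuration. Direction is my reading of the table: NTP is outbound from Modena, 80/443 serve both the web GUI (inbound) and firmware updates (outbound), the rest are inbound; MODENA_IP is a constructed placeholder and the function names are assumed.

```python
import ipaddress

MODENA_IP = "192.0.2.10"  # constructed placeholder address (TEST-NET-1)

# (direction relative to Modena, protocol, first port, last port, purpose)
MODENA_PORTS = [
    ("both", "tcp", 80, 80, "Web GUI HTTP and firmware updates"),
    ("both", "tcp", 443, 443, "Web GUI HTTPS and firmware updates"),
    ("out", "udp", 123, 123, "NTP"),
    ("in", "udp", 5353, 5353, "Zeroconf/mDNS"),
    ("in", "tcp", 8443, 8443, "Modena apps communication"),
    ("in", "udp", 6000, 6000, "Modena discovery"),
    ("in", "tcp", 7000, 7200, "Room client video streams"),
    ("in", "udp", 20000, 40000, "WebApp WebRTC"),
]

def is_allowed(direction, proto, port):
    """True if a new flow ('in' towards Modena, 'out' from it) on proto/port
    falls inside the documented allow-list."""
    return any(
        d in (direction, "both") and p == proto.lower() and lo <= port <= hi
        for d, p, lo, hi, _ in MODENA_PORTS
    )

def nft_ruleset(modena_ip=MODENA_IP):
    """Render a forward chain that accepts only the documented flows to and
    from the unit and drops everything else involving it."""
    ipaddress.ip_address(modena_ip)  # reject a malformed address early
    lines = [
        "table inet modena {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        # replies to accepted connections must pass, or inbound sessions break
        "    ct state established,related accept",
    ]
    for direction, proto, lo, hi, purpose in MODENA_PORTS:
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        if direction in ("in", "both"):
            lines.append(f'    ip daddr {modena_ip} {proto} dport {ports} accept comment "{purpose}"')
        if direction in ("out", "both"):
            lines.append(f'    ip saddr {modena_ip} {proto} dport {ports} accept comment "{purpose}"')
    lines.append(f"    ip daddr {modena_ip} drop")  # anything else to the unit
    lines.append(f"    ip saddr {modena_ip} drop")  # anything else from the unit
    lines += ["  }", "}"]
    return "\n".join(lines)
```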
IEEE 802.1X is a standard for port-based network access control that protects a corporate LAN or WLAN by requiring devices to authenticate before they are granted network access. Modena Hub supports this standard and acts as a supplicant, authenticating itself to the network's authentication server. Supported protocols are:
Rogue detection (Modena Hub+ only)
On some corporate networks with active Rogue AP Detection, connecting a new, unknown access point such as Modena can be classified as an unauthorized access point and raise a Rogue Detection alarm. This may also result in the network connection to the access point (i.e., Modena) being disabled.
It is important to communicate with the local IT manager before adding Modena or any other devices to the corporate LAN to prevent false alarms and ensure full functionality of the system.
Physically locating Modena
The flash memory inside a Modena unit is encrypted, so there is no significant risk of a data breach when placing the unit in an unprotected location.
To prevent theft of the physical Modena unit, consider an appropriate mounting solution that makes Modena hard to remove, such as a hidden VESA mounting system behind a display monitor.