Transcription
SECURITY & PRIVACYIN LOGITECH VIDEOCOLLABORATION DEVICESRALLY BAR, RALLY BAR MINI, AND ROOMMATE1
INTRODUCTIONThe following whitepaper describes our approach to securityand privacy for Logitech Rally Bar, Logitech Rally Bar Mini,and Logitech RoomMate.Logitech, a world leader in products that connect peopleto the digital experiences they care about, offers a rangeof collaboration tools that are easy to use with virtually anyapplication almost anywhere.Rally Bar and Rally Bar Mini are Logitech’s premier all-inone video bars for medium and small meeting rooms. Withbrilliant optics, powerful audio, and AI-driven performance,these conference cameras set a new standard for videocollaboration. Both can be deployed at scale in USB orappliance mode, with exceptional flexibility and ease.SECURITY & PRIVACY IN LOGITECHVIDEO COLLABORATION DEVICESbased on Android 10, which provides best-in-class security,privacy, and performance. In these areas, Android 10 isa significant improvement over previous versions of theAndroid operating system.These Logitech products have been developed using asecure development lifecycle that follows industry bestpractices during product design, development, and fielding.We meet or exceed security expectations by building insecurity from the earliest design phases. That includesa product design review by a Security Review Boardcomposed of security experts from across the organization.We rigorously verify the security of systems and softwareduring development and testing. And we follow STRIDE,the industry standard for classifying security threats.With Rally Bar, Rally Bar Mini, and RoomMate, security andprivacy are critical aspects of product design. They are all1
INFORMATION SECURITYSECURE DEVELOPMENT LIFECYCLE(SDLC)Rally Bar, Rally Bar Mini, and RoomMate were developedfollowing best practices for a secure development lifecycle.The SDLC has security review gates at each stage of systemdevelopment – design, implementation, and release. Duringthe design phase all design documents are reviewed byinternal and external experts in security.The implementation phase has both automated andhuman reviews of the code produced by the developmentteam. Static analysis is performed on all source code,with any resulting issues flagged and reviewed by thedevelopment team and security specialists.All software development for Rally Bar, Rally Bar Mini, andRoomMate follows industry standards, including but notlimited to the following: Android Secure Coding Standard SEI CERT Oracle Coding Standard for Java SEI CERT C Coding Standard SEI CERT C Coding StandardBefore software is released, it is run through a thorough setof tests for both functionality and security. System updatesand new releases also follow the SDLC, and software in thefield is maintained and updated with any necessary securitypatches for issues discovered between major releases.SECURITY & PRIVACY IN LOGITECHVIDEO COLLABORATION DEVICESSECURITY AND PRIVACY BY DESIGNRally Bar, Rally Bar Mini, and RoomMate include securityand privacy designed in – from the start of productdevelopment through implementation, release, andupdates.What follows is a non-exhaustive list of the steps we taketo strengthen the security of these devices: Start with a strong foundation: As a baseline,the platform is based on Android 10, which includesenhanced security and stability. Avoid universal default passwords: Rally Bar,Rally Bar Mini, and RoomMate follow industry bestpractices and California state law in never having auniversal default password. The devices have no defaultpassword. Keep software updated: “Over the air” softwareupdates are used to keep the software for Rally Bar,Rally Bar Mini, and RoomMate constantly up to datewith the latest release. Maintain software integrity: All software images areencrypted and digitally signed during production. RallyBar, Rally Bar Mini and RoomMate verify the signatureof each software image before installing or upgradingthe software, thereby maintaining its integrity andauthenticity. Communicate securely: All communications betweenRally Bar/Rally Bar Mini/RoomMate and the cloud takeplace using Transport Level Security (TLS). Applicationsrunning on the platform may use similar or additionalforms of communication. We advise you to check withapp service providers regarding their security protocols. Protect personal data: While Rally Bar, Rally Bar Mini,and RoomMate do not contain or store personallyidentifiable information on the device, video serviceproviders may store Personally Identifiable Information(PII) within their apps. We advise you to check withservice providers regarding their PII policy.2
INFORMATION SECURITYDEVICE APPLICATION SECURITYRally Bar, Rally Bar Mini, and RoomMate contain severalapplications that are used in day-to-day operation.Securing the device requires that Logitech carefully managethe applications that reside on the device.Through the process of application whitelisting, we cancontrol exactly which applications are allowed to be utilized.As part of securing the software before it is shipped, wealso remove or disable non-essential apps, services, anddevice drivers, thereby reducing the attack surface. RallyBar and Rally Bar Mini utilize the built-in SELinux Policies, acomponent of the Android system.HARDWARE SECURITYThe hardware components of the Rally Bar, Rally Bar Mini,and RoomMate are equipped with several features thatenhance the security of the device. A trust enclave is usedto protect any required secrets or keys on the device. Thehardware utilizes secure boot to verify the validity of bootsoftware and system firmware, which were signed duringproduction. A hardware-based anti-rollback feature isenabled to prevent an updated system from being revertedto an earlier, and possibly less secure, set of software.Physical security is further enhanced with tamper-evidentand resistant covers for the hardware ports.SECURITY VALIDATIONInternal quality assurance processes utilize softwarecomponent security test suites to check each softwarerelease for security vulnerabilities. Software cannot bereleased until it clears the test suite gate.FIREWALL RULES - PORT FILTERING/BLOCKINGSECURITY & PRIVACY IN LOGITECHVIDEO COLLABORATION DEVICESEXTERNAL DEVICE INDICATORS FORRECORDING AND PRIVACYAll recording devices that are part of Rally Bar, Rally BarMini, and RoomMate, including microphones and cameras,have clear indicators when they are in use. Rally Bar andRally Bar Mini are shipped with lens caps for the conferencecameras.APPLICATION SANDBOXINGApplications are prevented from interfering with eachother on the platform via the use of built-in applicationsandboxing. Each application and its data is givenits own space in which to work and is restricted fromcommunicating or interfering with the execution of otherapplications, including the ability to read and write datawhich is kept in the per application sandbox.SECURING DATA - ENCRYPTED STORAGEHardware-level encrypted storage is used to store all dataon Rally Bar, Rally Bar Mini, and RoomMate.BACKEND DATA SECURITYCommunication between Rally Bar/Rally Bar Mini/RoomMate and Logitech back end systems that supportthem, including over the air updates, are carried out overencrypted channels using Transport Layer Security (TLS)which provides both an encryption of data in transit andauthentication of the system with which the device iscommunicating.We leverage Amazon’s Internet of Things (IoT) frameworkand infrastructure to enable secure communicationbetween the device and the backend as well as securingdata at rest in the cloud.Rally Bar, Rally Bar Mini, and RoomMate implement theirown firewall rules to effect port filtering and blocking,thereby reducing the attack surface which is exposed tothe network.3
VULNERABILITY AND RISK MANAGEMENTWe actively monitor the security of our products andprovide timely updates to address any known vulnerabilities.INCIDENT RESPONSELogitech welcomes customers as well as securityresearchers to report issues found in our products so thatthey may be addressed in the field. We participate in apublic bug bounty program by which researchers can helpto improve the security of our products by reporting issuesthey find and receiving credit for their discoveries. Logitechgives appropriate credit to responsible reporters of securityincidents that are found to be valid and actionable.SECURITY & PRIVACY IN LOGITECHVIDEO COLLABORATION DEVICESADDITIONAL RESOURCESTo learn more about Rally Bar, Rally Bar Mini, andRoomMate, visit our website at logitech.com/vc.CONTACTTo report a security concern regarding Logitech products,visit logitech.com/security.For other inquiries, visit logitech.com/contact.In addition, incidents are recorded and responded to asquickly as possible, and we expect those reporting incidentsto follow accepted practices for responsible disclosure.This whitepaper is provided for informational purposes only. Logitech makes no warranties, express or implied orstatutory as to the information in this whitepaper. This whitepaper is provided “as is” and may be updated byLogitech from time to time.Logitech Inc.7700 Gateway Blvd.Newark, CA 94560Published November 2020 2020 Logitech. Logitech, Logi and the Logitech logo are trademarks or registered trademarks of Logitech EuropeS.A. and/or its affiliates in the U.S. and other countries. All other trademarks are the properties of their respectiveowners. Logitech assumes no responsibility for any errors that may appear in this publication. Information containedherein is subject to change without notice.
privacy, and performance. In these areas, Android 10 is a significant improvement over previous versions of the Android operating system. These Logitech products have been developed using a secure development lifecycle that follows industry best practices during product design, development, and fielding.
