Using mTLS and TPM for digital signage security


We often see that security is an afterthought in the digital signage industry. At Screenly, security is front-and-center of everything we do. Learn more about our recent work on digital signage security and how we use mTLS with TPM to make our customers’ digital signs more secure than ever.

Why hardware security is important for digital signs

Digital signs are highly visible and out in public. These two features of digital signs present unique security concerns. Hardware is often physically exposed, and employees cannot monitor each digital sign around the clock.

Because digital signs are visible to the public, hackers can easily advertise successful hacking attempts. In some digital signage hacks, hackers display inappropriate images or even ransom notices. For the company that owns the digital sign, these hacks can cause significant reputational harm and damage to the company’s brand.

Additionally, hackers can exploit vulnerabilities in digital signs as a gateway into a company’s protected network. Using a weakly protected player as a springboard, they might go from there to access company databases. These databases may include user registration data, health data, and other personal identifiable information (PII). Data leaks often lead to a breakdown in company-customer trust, and, in some cases, data leaks can lead to expensive fines.

So, what are mTLS and TPM?

Mutual TLS (mTLS) is a mutual authentication protocol that is common in zero-trust security frameworks. Both sides of the connection present a certificate and prove possession of the matching private key, so the server can verify that a client is who it claims to be, not just the other way around.

TPM stands for “trusted platform module” and is a dedicated hardware chip that can generate private and public key pairs. These keys can then be used with the mTLS protocol. The TPM chip protects the private key in hardware, so it never leaves the chip in usable form. Barring a flaw in the TPM chip, it’s not possible for hackers or anyone else to extract the keys. Since the keys are only stored on the TPM, they become intrinsically associated with the device.

In short, the TPM provides a verifiable, secure digital identity that can’t be cloned or copied.

Setting up mTLS & TPM

While mTLS is a commonly used protocol and easy to implement, getting started with TPM is a bit more involved. Common HTTP frameworks and libraries do not know how to work with TPM out of the box, and there is no explicit solution on developer forums online.

For the client side, our development team used the tpm2tss engine (tpm2-tss-engine for OpenSSL) and wrote our own HTTP adapter. For mTLS itself, we use Google Certificate Authority Service as the issuer.

To generate the TSS key, we use the following command:

$ tpm2tss-genkey \
    -a ecdsa \
    key.tss

We generate the CSR when we register the screen using the following command. Please note that we omitted -subj as it contains our internal data.

$ openssl req \
    -engine tpm2tss \
    -new \
    -key key.tss \
    -keyform engine \
    -out client.csr

Successful registration returns an issued certificate to the client (Google Certificate Authority Service is the issuer). Lastly, below is how to use the certificate with cURL:

$ curl \
    --engine tpm2tss \
    --key-type ENG \
    --cert our_issued_certificate.crt \
    --key key.tss \
    -v https://api.screenlyapp.com/api/v2/screens/playlist
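The three commands above, chained into one enrolment script with the checks a deployer would want before trusting the key (the key file really is a TPM-wrapped blob, and the engine is loadable). This is an added example, not Screenly's code; it assumes tpm2-tss-engine and tpm2tss-genkey are installed, and SUBJ, RUN_ENROLL and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not Screenly's code: the page's three steps (key, CSR, request)
# wrapped into one enrolment script with the checks a deployer would want.
# Assumes tpm2-tss-engine (engine id "tpm2tss") and tpm2tss-genkey are installed;
# SUBJ, RUN_ENROLL and the file names are operator-supplied placeholders.
set -eu

KEY=${KEY:-key.tss}
CSR=${CSR:-client.csr}
CERT=${CERT:-our_issued_certificate.crt}

# Succeeds only if the file is a TPM-wrapped key blob, i.e. carries the PEM label
# tpm2tss-genkey writes (older engine releases used "TSS2 KEY BLOB"). A plain
# "EC PRIVATE KEY" would mean the key sits on disk in the clear, which voids the
# hardware-binding argument, so the enrolment refuses to use it.
is_tss_key() {
    head -n 1 "$1" 2>/dev/null |
        grep -q -E '^-----BEGIN TSS2 (PRIVATE KEY|KEY BLOB)-----$'
}

engine_available() {
    openssl engine -t tpm2tss >/dev/null 2>&1
}

generate_key() {
    # The private key is created inside the TPM; only the wrapped blob is written.
    [ -f "$KEY" ] || tpm2tss-genkey -a ecdsa "$KEY"
    is_tss_key "$KEY" || { echo "refusing to use $KEY: not a TSS2 key blob" >&2; return 1; }
}

generate_csr() {
    # -subj is a placeholder; the real subject is internal data, as the page notes.
    openssl req -engine tpm2tss -new -key "$KEY" -keyform engine \
        -subj "${SUBJ:-/CN=PLACEHOLDER-SCREEN-ID}" -out "$CSR"
}

fetch_playlist() {
    # Same invocation as the page: the engine performs the handshake signature in the TPM.
    curl --engine tpm2tss --key-type ENG --cert "$CERT" --key "$KEY" \
        -v https://api.screenlyapp.com/api/v2/screens/playlist
}

enroll() {
    engine_available || { echo "tpm2tss engine not loadable" >&2; return 1; }
    generate_key && generate_csr
    echo "CSR written to $CSR; submit it to the CA and save the issued cert as $CERT"
}

if [ "${RUN_ENROLL:-0}" = 1 ]; then enroll; fi  # run only when asked; file is also sourceable
```

Run with `RUN_ENROLL=1 sh enroll.sh` on the player; once the CA returns the certificate, `fetch_playlist` performs the mTLS request.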

Which Screenly digital signage players use mTLS and TPM?

Right now, we only use TPM for our Screenly Player Max digital signage player, which is built on x86 architecture. Accordingly, our Screenly Player Max is our most secure digital signage player, and we recommend the Screenly Player Max for most corporate deployments.

The standard Raspberry Pi-based Screenly Player does not use TPM. Using TPM with Raspberry Pi devices is possible, and our development team may work on this in future sprints.

Advice to developers who want to use mTLS and TPM

After our work with mTLS and TPM, we have some general words of advice to fellow developers. First, thoroughly test the entire scheme you plan to implement before rolling it out to devices. Another hour of testing can save you a dozen hours of reviewing mistakes post-implementation.

Secondly, ensure that your library and tools can work with mTLS and TPM. Otherwise, you may need to create many components from scratch.

Interested in getting started with Screenly?

Screenly provides developer-friendly digital signage software and hardware. With Screenly, you can display the content you want on your screens with our user-friendly interface, and you can develop custom solutions with our digital signage API.

Get started today for free with a 14-day trial. No credit card required.

Daniel Mountcastle
Daniel runs content marketing at Screenly.
