Certifications: The Dark Secret Behind So-Called Digital Signage Security

In a provocative invidis/Sixteen:Nine op-ed, Screenly Co-Founder Viktor Petersson exposes a critical blind spot in digital signage security: the illusion of safety created by compliance badges like SOC 2 and ISO 27001.

While the SOC 2 and ISO 27001 certifications do improve general IT hygiene—mandating disaster recovery plans, MFA, and device management—they often exclude the very hardware that powers digital signage networks. Viktor Petersson warns that outdated, vulnerable operating systems on signage players can still pass compliance audits, leaving organizations exposed despite the appearance of security.

He recounts firsthand experiences where vendors proudly launched new products built on end-of-life versions of Android, with no realistic path to security patching. These devices, often running unsupported software, are not covered by compliance frameworks and can become easy targets for attackers. Petersson argues that relying on customers to manually update devices is irresponsible, and that vendors must take ownership through OTA updates and robust device management.

The real threat, he emphasizes, isn’t just public embarrassment from hacked screens—it’s the risk of compromised signage players serving as entry points into corporate networks. A recent DEF CON demonstration showed how attackers could pivot from a vulnerable signage device into broader infrastructure, underscoring the urgency of addressing these gaps.

Petersson sees hope in the EU’s upcoming Cyber Resilience Act (CRA), which is expected to mandate Software Bills of Materials (SBOMs) for transparency and vulnerability tracking. As IT departments take greater control of signage deployments, deeper scrutiny through processes like third-party risk management (TPRM) is becoming standard. If the CRA delivers on its promise, it could finally close the compliance loophole and push the industry toward meaningful, verifiable security.
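The loophole described above (an end-of-life OS on a signage player that still passes a SOC 2 or ISO 27001 audit) is exactly what an SBOM makes checkable. The following added example, which is not code from the article, Screenly or any vendor it mentions, reads a constructed CycloneDX-style SBOM for a hypothetical player and flags components whose support window has closed. The SBOM content, the component names and versions, and the end-of-support dates in `EOL_TABLE` are all constructed placeholders; a real check would take the lifecycle dates from vendor documentation or a lifecycle data service.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical signage player.
# Names, versions and the device itself are placeholders, not a real product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "android", "version": "7.1"},
        {"type": "library", "name": "openssl", "version": "1.0.2"},
        {"type": "application", "name": "signage-player", "version": "4.2.0"},
    ],
})

# Constructed end-of-support table keyed by (name, version). The dates are
# placeholders; in practice they would come from vendor lifecycle pages.
EOL_TABLE = {
    ("android", "7.1"): date(2019, 12, 1),
    ("openssl", "1.0.2"): date(2019, 12, 31),
}


def load_components(sbom_json):
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def find_unsupported(sbom_json, eol_table, today):
    """Return one finding per component whose end-of-support date is before `today`.

    Components absent from the EOL table are skipped: no lifecycle data is
    not the same as supported, so callers may want to report them separately.
    """
    findings = []
    for comp in load_components(sbom_json):
        key = (comp.get("name", "").lower(), comp.get("version", ""))
        eol = eol_table.get(key)
        if eol is None or today <= eol:
            continue
        findings.append({
            "name": key[0],
            "version": key[1],
            "type": comp.get("type", "unknown"),
            "eol": eol.isoformat(),
            "days_past_eol": (today - eol).days,
        })
    return findings


def has_unsupported_os(findings):
    """True if any flagged component is the operating system itself,
    the case the op-ed singles out as the one audits tend to miss."""
    return any(f["type"] == "operating-system" for f in findings)


if __name__ == "__main__":
    results = find_unsupported(SAMPLE_SBOM, EOL_TABLE, date.today())
    for f in results:
        print(f"{f['type']}: {f['name']} {f['version']} "
              f"reached end of support on {f['eol']} ({f['days_past_eol']} days ago)")
    if has_unsupported_os(results):
        print("operating system is unsupported: no patch path for the player")
```

The check deliberately treats a component with no lifecycle entry as "unknown" rather than "safe"; an audit that silently equates the two recreates the blind spot the op-ed is about.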

Read the full article on Sixteen:Nine.