SECURE

/ Security Architecture /

ARMOR
[ zero trust by design ]

Your lobby screen is an attack surface.
We eliminated it.

Digital signage runs on public-facing screens in your most sensitive environments — government buildings, airports, banks, military bases. A compromised screen isn't just embarrassing. It's a breach.

What if your screens got hacked?

Pornography on airport departure boards. Ransomware on hospital wayfinding. Political messages on government lobby displays. These are not hypothetical — they happen regularly on systems built with consumer-grade operating systems.

SpinetiX was engineered from day one so this can never happen.

Before the security architecture, the first question is whether the system is genuinely mission-critical media infrastructure — or commercial signage sold with a mission-critical invoice. Get that classification wrong and no defense layer matters.

[ defense in depth ]

Five Layers of Protection

Security is not a feature we added. It's the architecture itself — from silicon to cloud. Each layer is independently hardened. Compromise one, and the others hold.

01 Hardware

Signed Firmware, Sealed Hardware

Every SpinetiX player — iBX440, iBX410, HMP400 — runs exclusively SpinetiX-signed firmware. Unsigned code will not install. TPM and Intel TPP secure cloud enrollment. No USB drivers, no third-party apps, no exceptions.

02 Operating System

DSOS — Purpose-Built, Zero Bloat

DSOS™ is built on Yocto Linux, stripped to the bare minimum. No user-controlled processes. No pipes. No shell access. The OS cannot be changed, replaced, or extended. It does one thing — render content — and it does it with zero attack surface.

03 Network

802.1X, HTTPS-Only, Minimal Ports

IEEE 802.1X port-based authentication. HTTPS enforced by default since firmware 4.3.0. SNMP v2c read-only and disabled by default. Only essential ports open: TCP 80/443 for management, TCP 81/9802 for publishing. Not affected by Heartbleed.

04 Cloud

ISO 27001 · GDPR · BSI C5

Arya Cloud is certified ISO/IEC 27001:2013, GDPR compliant, and BSI C5 attested. Multi-tenant, multi-role, encrypted at rest and in transit. SpinetiX HUB — winner of ISE 2026 Best Digital Signage Platform — acts as the secure cloud connector, with regional data storage for full compliance. CEO Francesco Ziliani: "ISO 27001 is not a checkbox — it's how we continuously refine our security processes."

05 On-Premises

100% Inside Your Network

For strict government and enterprise environments, the entire stack runs on-premises using Elementi software. Zero data leaves your corporate network. Full air-gap capability. No cloud dependency. Your data, your building, your control. See our deployment options.

DSOS
[ operating system ]

"Security is not an add-on.
We are secure by design."

What DSOS Does

  • Built on Yocto Linux — stripped to the absolute minimum
  • All firmware cryptographically signed by SpinetiX
  • Unsigned firmware will not install — period
  • TPM implemented 7 years before Windows 11 required it
  • Unique DSOS identity per player for secure cloud enrollment
  • UEFI Secure Boot on all current-gen hardware
  • Smart building integration — AMX, Crestron, Q-SYS interoperability with near real-time IoT data feeds
  • Data without people: automated data-driven content means no human can make a mistake on public screens

What DSOS Prevents

  • No user-controlled processes — no shell, no pipes
  • No third-party apps or drivers can be installed
  • No consumer-grade OS attack surface
  • No USB driver injection — only HID protocol
  • OS cannot be changed, replaced, or extended
  • Disk partitions are cryptographically signed

SpinetiX publishes security advisories and CVE-detailed release notes for every firmware update.

[ vulnerability track record ]

Threat Immunity Scorecard

When the world panics over zero-day exploits, SpinetiX customers sleep well. DSOS's minimal architecture means most global vulnerabilities simply don't apply.

Vulnerability         CVE               SpinetiX Status
Copy Fail             CVE-2026-31431    Not exploitable
Dirty Frag            CVE-2026-43284    Not affected
Fragnesia             CVE-2026-46300    Not affected
Log4j                 CVE-2021-44228    Not affected
Dirty Pipe            CVE-2022-0847     Not affected
Heartbleed            CVE-2014-0160     Not affected
Meltdown / Spectre    CVE-2017-5754     Not affected

May 2026 update — three Linux kernel disclosures, zero exposure.

  • CVE-2026-31431 (Copy Fail) — patched kernel ships in the next minor DSOS firmware release across affected models (all DSOS hardware except HMP3xx and DiVA, which were never affected); not exploitable in practice because no remote-execution path exists on the player, and neither JavaScript engine in DSOS — V8 inside the HTML renderer (CEF) nor the engine in the SVG renderer — can reach the AF_ALG kernel API. The cryptographic primitives DSOS uses don't route through the kernel crypto API either.
  • CVE-2026-43284 (Dirty Frag) — the vulnerable kernel modules are not compiled into DSOS.
  • CVE-2026-46300 (Fragnesia) — the vulnerable IPsec and RxRPC modules (esp4, esp6, rxrpc, ipcomp4, ipcomp6) are not compiled into DSOS either. The SpinetiX cloud runs serverless on AWS; AWS confirmed its infrastructure is unaffected by Fragnesia for the same reason.

Cross-verified with SpinetiX engineering against the deployed estate.

0.4% Failure rate over 10 years
6W Power per 4K multi-layer player
4 Hardware generations in 18 years
Q/Q Quarterly security patches

[ your local security partner ]

We Speak Cybersecurity at Your Table

Media La Vista provides Tier 1, Tier 2, and Tier 3 support locally in the Middle East. Local engineers respond within 10 minutes.

Our CEO holds a Digital Transformation Officer credential and has been with SpinetiX for 20 years — from the founding days. We can explain our security architecture to any cybersecurity team, at any depth. Invite us for a technical talk — we'll bring the evidence.

ISO 27001 Certified Cloud
10-Minute Response Time
100% On-Prem Capable
Tier 1–3 Local Support

[ security faq ]

Common Security Questions

Direct answers. No marketing.

Is SpinetiX affected by Log4j, Heartbleed, or Dirty Pipe?

No. DSOS is built on Yocto Linux stripped to bare minimum — no Java runtime, no OpenSSL heartbeat extension, no pipe primitives. SpinetiX publishes CVE-detailed security advisories for every firmware release.

What about the May 2026 Linux kernel disclosures — Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284), and Fragnesia (CVE-2026-46300)?

None is exploitable on a properly-deployed DSOS fleet. CVE-2026-31431 (Copy Fail) is a local privilege escalation in the AF_ALG kernel API; DSOS exposes no shell, no SSH, no interactive login, and no path through which a remote actor can load and execute native code, so the local-execution precondition the exploit requires is structurally absent. Internal Linux service UIDs and Control Center auth credentials exist, but none of them maps to a remote-execution surface. Both JavaScript engines on the device — V8 inside the HTML renderer (Chromium Embedded Framework) and the JavaScript engine in the SVG renderer where Elementi project JS runs — are unable to reach AF_ALG, and the cryptographic primitives DSOS uses do not route through the kernel crypto API. The patched kernel ships in the next minor DSOS firmware release across affected models (all DSOS hardware except HMP3xx and DiVA, which were never affected). CVE-2026-43284 (Dirty Frag) is in kernel modules SpinetiX does not compile into DSOS — the vulnerable code is simply not present on the device. CVE-2026-46300 (Fragnesia) is in the IPsec and RxRPC modules (esp4, esp6, rxrpc, ipcomp4, ipcomp6) — also not compiled into DSOS. The SpinetiX cloud (Arya, HUB, Control Center cloud) runs serverless on AWS with the video-conversion platform on SpinetiX-managed EC2; AWS confirmed via security bulletins AWS-2026-029 / AWS-2026-030 that its infrastructure is also unaffected by Fragnesia, for the same architectural reason. Media La Vista tracks every kernel CVE with potential reach into the deployed estate; impact analysis is cross-verified with SpinetiX engineering. See the full write-up at /cybersecurity-is-a-discipline-not-a-feature/.
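The "module is not compiled in" argument above can be checked on any Linux host you administer yourself (DSOS exposes no shell, so this applies to other systems in the estate). The following is an added example, not SpinetiX or Media La Vista code: it classifies the modules this page names for Fragnesia from three text inputs, the sample contents are constructed, and the `ipcomp` alias is an assumption based on the mainline module name.

```python
import re

# Module names exactly as this page lists them for CVE-2026-46300 (Fragnesia).
PAGE_MODULES = ["esp4", "esp6", "rxrpc", "ipcomp4", "ipcomp6"]
# Assumption added for this example: mainline Linux names the IPv4 IPComp module "ipcomp".
ALIASES = {"ipcomp4": ["ipcomp"]}

# Constructed sample inputs (not taken from any real device).
SAMPLE_BUILTIN = "kernel/net/ipv4/esp4.ko\nkernel/crypto/sha256_generic.ko\n"
SAMPLE_DEP = (
    "kernel/net/rxrpc/rxrpc.ko.xz: kernel/net/ipv4/udp_tunnel.ko.xz\n"
    "kernel/net/ipv4/ipcomp.ko.xz: kernel/net/xfrm/xfrm_ipcomp.ko.xz\n"
    "kernel/net/xfrm/xfrm_ipcomp.ko.xz:\n"
)
SAMPLE_PROC = "rxrpc 425984 0 - Live 0x0000000000000000\nnf_tables 303104 0 - Live 0x0000000000000000\n"

def _name(path):
    """kernel/net/ipv4/esp4.ko.xz -> esp4; kmod treats '-' and '_' as equal."""
    base = path.strip().rsplit("/", 1)[-1]
    return re.sub(r"\.ko(\.(gz|xz|zst))?$", "", base).replace("-", "_")

def module_status(builtin_txt, dep_txt, proc_txt, wanted=PAGE_MODULES):
    """Classify each module: builtin, loaded, loadable (on disk) or absent."""
    builtin = {_name(l) for l in builtin_txt.splitlines() if l.strip()}
    on_disk = {_name(l.split(":", 1)[0]) for l in dep_txt.splitlines() if ":" in l}
    loaded = {l.split()[0] for l in proc_txt.splitlines() if l.strip()}
    report = {}
    for mod in wanted:
        names = {mod, *ALIASES.get(mod, [])}
        if names & builtin:        # compiled into the kernel image; never shown by lsmod
            report[mod] = "builtin"
        elif names & loaded:
            report[mod] = "loaded"
        elif names & on_disk:      # not running, but can be loaded on demand
            report[mod] = "loadable"
        else:
            report[mod] = "absent"
    return report

def present(report):
    """Modules whose code exists on the host in any form."""
    return sorted(m for m, s in report.items() if s != "absent")

if __name__ == "__main__":
    for mod, state in module_status(SAMPLE_BUILTIN, SAMPLE_DEP, SAMPLE_PROC).items():
        print(f"{mod:8} {state}")
```

On a live host the three inputs are the contents of `/lib/modules/$(uname -r)/modules.builtin`, `/lib/modules/$(uname -r)/modules.dep` and `/proc/modules`. Only "absent" for every name matches the "not compiled in" claim; a clean `lsmod` alone does not, because built-in and on-demand loadable modules never appear there.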

Can someone install malware on a SpinetiX player?

No. DSOS only executes SpinetiX-signed firmware. Unsigned code will not install. There are no USB drivers (only HID), no shell access, no user-controlled processes. The OS cannot be changed, replaced, or extended.

Does SpinetiX work without internet (air-gapped)?

Yes. The entire stack — Elementi software + SpinetiX players — runs 100% on-premises inside your corporate network. Zero data leaves your building. Full air-gap capability for defense, government, and classified environments.

What security certifications does SpinetiX have?

Arya Cloud is certified ISO/IEC 27001:2013, GDPR compliant, and BSI C5 attested. Hardware uses TPM 2.0 and UEFI Secure Boot. All firmware is cryptographically signed. HTTPS enforced by default since firmware 4.3.0.

How does SpinetiX compare to Android or Windows digital signage?

Android and Windows players inherit thousands of CVEs from their consumer-grade OS. SpinetiX DSOS is purpose-built for signage only — no app store, no browser, no attack surface. 0.4% failure rate over 10 years vs. typical 15–30% on consumer platforms.
