The Internet of Things (IoT) now enters into almost every area of our daily lives. With quirky devices like wireless water bottles, digital pet feeders, and even internet-connected sexual aids, these stealthy, networked computerised devices often record new types of data we may not actually want to share. And if you thought smartphone growth was beyond crazy, just wait. Connected IoT devices are already set to outpace mobiles and projected to reach 75bn devices by 2025, according to forecasts from Statista. That’s almost 10 (9.92, to be exact) IoT devices for each person on the planet.
The average security of many IoT devices, meanwhile, is shockingly remiss. We face tens of billions of new computing devices that record many aspects of our personal and professional existences, all built to the cheapest possible route to market. This mix of ingredients leaves security by the wayside – an outcome not missed by the cyber threat hordes. Nor is it a fact that should go unnoticed by business leaders, as their organisations start to accommodate these myriad devices in one form or another.
It’s true that the IoT security issue has received much attention, but most concerns concentrate on consumer devices or issues applicable to specialised industries. Market-watchers tend to focus on these quirky and novel devices, or they highlight headline vulnerabilities found in life-supportive medical devices or critical energy and utility equipment.
However, just because you do not use a wireless sous vide cooker at work doesn’t mean that your work environment is not home to a range of stealthy – and potentially risky – IoT endpoints. In short, while C-suite-level chief officers may be mindful of mainstream IoT cyber security, a whole range of connected appliances – connected office equipment, and even connected domestic appliances now found in offices – is being routinely installed in our places of employment.
IoT cyber security concerns
A quick reminder of why you should have a concern about IoT in the first place is helpful. At security/hacker conferences, IoT security – or rather IoT insecurity – proves a major theme. Hacker talks about automotive consoles, industrial control systems, medical implants, wearable wireless police cameras, and even a popular portable gaming console, featured prominently in the events’ conference programmes. The most appalling common theme was just how easy it was for security researchers to find these IoT security flaws. IoT vendors seem to be making the same secure coding and design mistakes that mainstream enterprise IT solutions providers were prone to 20 years ago.
While not all IoT devices suffer these problems, the same general security issues seem to repeat more often than not. All these problems are ones that traditional computer and software manufacturers are aware of, and that have mostly been mitigated over time. That said, it has taken decades for the traditional mainstream computer industry to clean up its act. Seeing all these old errors reappear in IoT devices is a bit disheartening, to say the least.
You may not hear about workplace IoT as often as you do about consumer IoT, but there are many new devices that show up in offices and some of these devices have the same types of security issues as other IoT devices. Concerningly, these products are being installed at the heart of the physical enterprise, connected to company networks, but without being subject to oversight by the IT function. Here are some general categories of office IoT equipment enterprise governance should watch out for.
Collaboration screen security vulnerabilities
Smart TVs, collaboration screens, digital whiteboards and high-end high-definition displays are being installed in many office environments, often to replace existing projector screens. In offices that value high-tech collaboration, you will also see more application-specific interactive touch screens or digital whiteboards. These collaboration devices come with styluses and touch capabilities that allow project teams to sketch diagrams and take notes, while offering networked decision-support features that allow users to screenshare their activity remotely, or seamlessly upload works-in-progress to a cloud storage service.
Though these devices offer great ways to collaborate and communicate with local or remote employees, they do potentially expose brand new vulnerabilities. Many of these devices – including smart TVs – use standard operating systems (OSs) such as Google Android. When configured poorly, these devices can expose organisations to the same security issues seen in other Android devices. These screens often serve various network services, which can expose their own vulnerabilities. Some even allow you to load standard Android applications from untrusted sources – which could lead to malware infections.
As they tend to be linked to local networks to access internal shares, any breach of these smart screens exposes the internal network to attackers. In brief, these digital collaboration screens may not look like computers, but they expose networks to typical computer flaws (if unprotected).
It’s becoming common for the enterprise to have employees and business partners distributed around the world. To support such a model, businesses adopt remote presence technology in their meeting rooms. This includes all the types of things that allow ‘webinar-like’ remote meetings, including digital audio (a.k.a. VoIP – Voice-over-IP), high-definition room cameras, microphones, speakers, wireless screensharing services and meeting management servers.
Advanced meeting rooms even have a tablet screen on the table that helps meeting participants control and connect to all this whizzy technology. While these meeting devices often seem like purpose-specific technology, manufactured to do one thing, most of them are just typical computers running standard operating systems. Like the screens, many of these meeting tablets just use the Android or Linux computer operating systems, and are configured to boot to one program in a kiosk mode. Even some of the network cameras used for conferencing or security are Linux-operated devices.
Because these devices do not look like a typical computer, it might mistakenly be thought that they are ‘benign’; chances are they expose normal network services you aren’t aware of.
State-of-the-art food and beverage vending machines that connect to Wi-Fi and accept Apple Pay are now common in many office buildings. One so-called ‘smart’ water dispenser allows employees to select flavoured water from a cool-looking touch screen.
However, savvy employees figured out a way to force that machine’s screen to exit the default app, revealing its ordinary Android OS underneath. The machine was connected to a Wi-Fi network, which exposed this unexpected Android device to the network. By adding an Internet connection, offices can save money on machine maintenance.
If these machines use cellular technology to connect back to vendors, they probably do not expose your workplace to any issues. However, when they take advantage of your Wi-Fi, any security vulnerability that affects the machine could also get leveraged to expose your normal network too. And remember that the Wi-Fi itself could be the target of an attack – resulting in a denial of service that brings down wireless connectivity across the premises.
Up close and personal
Office desks are getting Wi-Fi connected. Trendy standing desks tout health benefits to employees who sit too much. Rather than cranking a handle, people want the cool automated ones, with motors that raise and lower the desk to the preferred height. So far, you would not think these desks could expose any risk. However, some companies came up with the idea of combining fitness tracker-like features with the automated smart desk, along the lines of ‘What if your desk could track and catalogue how much you stand or sit, to monitor your fitness goals?’
Anyway, these types of smart desks surely exist, and can use Wi-Fi to transmit those standing and sitting statistics to the cloud or an app. To have Wi-Fi and the Internet means the desk has a built-in processor running some software, which of course means that the computer could expose new vulnerabilities.
Many traditional types of computer devices were technically ‘IoT’ long before the term existed. Printers are a prime example. Networked printers have exposed network vulnerabilities since the 1990s. As they’ve been around for decades, some may not think of them in the same category as other IoT devices – but they are. Printers, scanners and network-accessible storage devices can all expose vulnerabilities. That said, vendors that make things like printers seem to follow better security practices, probably because they’re more mature at creating network devices, having already been in this market for decades.
The office IoT devices we need to worry about are the new ones that don’t really look like computers, and so tend to escape notice and enter the workplace under the ‘radar’ of the IT function because they are procured by other departments, such as facilities or office supplies, or even a third-party office management company. However, it’s necessary to realise that many of these devices are just stealthy networked computers, which often expose the same issues traditional computers have exposed in the past.
To make matters worse, some of the companies making these new devices are also new to networking and information security. They try to create highly saleable low-cost devices, which tends to mean they don’t spend much time – or money – on security.
Finally, give all due consideration to the fact that the very definition of the ‘workplace’ is shifting – often quite literally. Many of us now treat our cars as annexes to our fixed workplaces. Most new cars roll off their assembly lines with Bluetooth hands-free calling, GPS navigation and Wi-Fi all built-in. The problem is that as our connected vehicles become de facto workplaces and, perforce, part of the IoT, any attempts to compromise automotive cyber security will prove disruptive to our business operations.
It’s saddening to conclude that the cyber attacks so far directed at driverless and connected cars have been possible due to all-too-familiar vulnerabilities. Wireless connections to the entertainment system, for instance, can expose car control system vulnerabilities to hackers, while another entry point has even been the Bluetooth air pressure sensor in tyres. Researchers – for instance, Charlie Miller and Chris Valasek – have repeatedly demonstrated how these types of flaws enable them to remotely connect to a car and take over driving controls, such as steering and brakes.
Corey Nachreiner is Chief Technology Officer at WatchGuard Technologies – watchguard.com.