Always-Listening IoT Devices Raise Security Policy Questions For the Workplace (securityweek.com)

wiredmikey writes: Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is "always listening" and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. "How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn't be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
  • Simple.... (Score:5, Insightful)

    by bev_tech_rob ( 313485 ) on Thursday January 07, 2016 @09:59AM (#51255041)

    You don't allow it.......

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Good luck telling someone they can't wear a watch.

      • More like, Good luck getting the average company to secure their physical network beyond backing it up or issuing updates.
      • by cfalcon ( 779563 )

        I can't wear my smartwatch all places where I work. I put it right on top of my cellphone in the cellphone cubby. It's in the policy: if it has Bluetooth it can't go certain places.

    • Re:Simple.... (Score:4, Interesting)

      by sociocapitalist ( 2471722 ) on Thursday January 07, 2016 @11:15AM (#51255553)

      You don't allow it.......

      Easy enough if it's trying to use the corporate network, but what if it's listening to confidential conversations but using another route... via a mobile phone hotspot, for example, that you have no control over?

    • You don't allow it.......

      Then I'll wear two. Then you'll threaten to get me fired. Then I'll wear three. Then, after numerous iterations on this, we'll realize that this cat is out of the bag, it isn't going back in, and the people offering these devices will have to be held responsible for the damages their products cause.

      That said, a friend of mine informed me that his company still doesn't allow wifi. In 2015. Our IT started prohibiting that in 2002, and we started installing our own wifi, and they qui

    • If by 'you don't allow it', you mean 'reject the so-called Internet-of-Things', then I agree with you wholeheartedly. It's an out-of-control joke so far as I'm concerned. Are there a few devices that benefit from being capable of control over a TCP/IP network? Yes. Should every damn electronic (or electric) device on the planet need that sort of connectivity? I say "hell, no!". As we all can see, it's more security holes for potential attackers to use. It's a first-world-problem that marketing people are cr
  • by 0xdeaddead ( 797696 ) on Thursday January 07, 2016 @10:01AM (#51255057) Homepage Journal

    And not asking if they should

    • by Etcetera ( 14711 )

      And not asking if they should

      Sadly, this quote basically sums up a lot of current-generation Silicon Valley thinking.

  • by Anonymous Coward

    Work in the workplace. Leave your toys at home. Go home to your toys. Get a life. Have a work/life balance.

    • by Anonymous Coward

      Take your communism elsewhere.

    • Have a work/life balance.

      Insanity. Telling my IT to eat a dick might at worst get me yelled at by my boss, maybe if I were already on his shit-list. Otherwise he'd probably tell me I shouldn't do that, and I'd list a number of other things I shouldn't do, and we'll reach an impasse.

      Having work/life balance will actually get me fired. I mean...laid off.

    • by cfalcon ( 779563 )

      While leaving the "toys" at the door is a viable solution, the fact is that being able to use the net IS work. When I'm in an area without access to, for instance, my phone, I have a hard as SHIT time looking stuff up. Between blocked websites ("hacking" red flag, for instance) and an inability to save state and documents effectively, the phone is a huge help- it stands in for a bookshelf at minimum.

      The issue isn't "toys" versus "non toys". The issue is, my TOOLS have problems.

    • That was the plan when smart phones were new. "Don't bring your phone to the office", a simple plan and the only ones complaining were hipsters. A year later all the IT groups were scrambling to figure out how to coexist peacefully with smart phones.

  • by gstoddart ( 321705 ) on Thursday January 07, 2016 @10:09AM (#51255119) Homepage

    I don't get all of this, and frankly it's a little creepy.

    From Barbies which upload everything your child says to a server, to XBox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?

    You want one of these things in your home, go right ahead, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.

    I trust neither the competence, security practices, nor behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line the pockets of a corporation.

    You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.

    Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.

    • by Simulant ( 528590 ) on Thursday January 07, 2016 @10:18AM (#51255179) Journal
      And then there's your cell phone....
      • by Anonymous Coward

        And then there's Maude.

    • Mod parent up "insightful".

    • by Anonymous Coward

      keep raging against it, doesn't matter
      eventually these sorts of things will be pervasive, leaving you only to cry into your yogurt

    • by Anonymous Coward

      You want one of these things in your home, go right ahead, that is your choice.

      As long as you don't have visitors, or inform them about the device and warn them not to say anything that might be considered to be private, or always remember to turn it off. I've seen people who otherwise behave intelligently dump stuff about me on facebook or twitter without asking permission or even understanding that they should when I object, so I'm not too optimistic about where this might be going.

    • Agreed. IoT is a security hazard enough at home... but the workplace? No thanks. I can't even begin to think how many rules, regulations, policies, even laws, some IoT devices would break. To boot, the devices may not work with WPA-enterprise, so would need their own SSID, and if the devices had their own cellular connection, that can break even more rules.

      Nope... there are enough security issues already. I think policies will be quickly updated to cover IoT stuff soon.

    • I don't get all of this, and frankly it's a little creepy.

      From Barbies which upload everything your child says to a server, to XBox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?

      Unfortunately the current voice recognition technology is not good/fast enough to run on low powered devices like barbies or even smart phones so companies have found a neat trick that uploads the audio clip to the cloud, have heavy duty cloud servers do the translation and then send the reply back to the device. We need major advances in voice recognition, battery life, mobile processor speed, or some other area to get around this. The other possibility is to not use voice recognition and/or pass laws re

    • by geekmux ( 1040042 ) on Thursday January 07, 2016 @01:38PM (#51256587)

      I don't get all of this, and frankly it's a little creepy.

      From Barbies which upload everything your child says to a server, to XBox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?

      Because the price of privacy (which is unproven until someone sees the evidence in their own bank accounts) doesn't even hold a candle to the price of "convenience", and speaking to control a computer (only something we've fantasized about in movies for half a damn century now) is somehow infinitely better than actually having to lift fingers and depress a touch screen.

      You want one of these things in your home, go right ahead, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.

      Feel free to convince said consumer that talking into their watch (or vice versa) is somehow affecting other people. Sure, I get it from a security standpoint, but the other 99% of society who doesn't get paid to think about such concerns doesn't give a shit about it, and therefore will not even acknowledge it to be a problem to solve.

      I trust neither the competence, security practices, nor behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line the pockets of a corporation.

      You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.

      Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.

      With always-on Internet connections in every employee pocket (cell phone), coupled with WiFi/Bluetooth/next-gen wireless tech, good luck "securing" the workplace. The primadonnas will speak loudly in their "defense".

      You've also got the industry to fight too. We tried to enforce a policy that prohibited any cellular device from merely having a camera, to include corporate-issued devices. That didn't even work with the hardware vendor for longer than about a year or two.

      • by Toshito ( 452851 )

        and speaking to control a computer (only something we've fantasized about in movies for half a damn century now) is somehow infinitely better than actually having to lift fingers and depress a touch screen.

        That's your opinion, from my point of view it's the total opposite. Voice control outside of my home is a total no-no for me. I hate speaking to people, what makes you think that I would like to speak to a thing?

        In fact I also despise touch screens, give me real physical buttons, keyboards, knobs and sliders, without any lag, and I'll be very happy.

        I'm so tired of all the lag that is creeping everywhere. It seems like things are becoming slower, not faster. There's always lag on every button press, when you

  • by Gravis Zero ( 934156 ) on Thursday January 07, 2016 @10:15AM (#51255169)

    it's very simple, don't buy such devices and don't allow them near you. it's been trumpeted for years and idiots don't care. the real question is, when will security get the authority to override what some dumbass manager demands?

  • Unless something changed in 2016, a thing like a Smartwatch or the Echo is still a "device" thus should be covered under the BYOD policy. The D means "Device".
    • Nuh uh! It's a "thing"! "Things" and "devices" are completely different!

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 07, 2016 @10:24AM (#51255203) Homepage Journal

    BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"

    Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.

    • by Anonymous Coward

      And many workplaces have a fairly open "guest WiFi" which would be easy to attach the Echo to. Sure the Echo won't be able to get on the company network and infect the servers, but it can still transmit confidential conversations.

      Having said that -- I suspect phones with malware would be a much greater threat for espionage than an Echo which will encrypt the data it hears and send it to Amazon where it will simply get lost in the flood of other information other Echos are sending to Amazon. A phone with m

    • BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"

      Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.

      How many managers / lawyers / whatever have iPhones (for example) that have or will have an 'always on' component like Siri that doesn't even need the corporate network to be able to connect back to the manufacturer cloud?

      These people have other jobs and are generally neither technical nor tech-security aware by default, and thus just aren't going to consider whether their phone is leaking confidential client/lawyer conversations (or whatever) to Apple, for example.

      The article is quite validly pointing out

    • Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.

      That covers "I want to connect X to our company network." What about the situation where the user is using their private cell phone connection? Suppose I had a smartwatch that connected via my mobile hotspot, constantly rec

  • If someone is waving a talking gadget around in the workplace then maybe you can do something about getting it removed. What about their smart nose stud or some other thing that does not look like a threat? The only way would be airport-style security on your office door and I suspect nobody wants the expense or inconvenience.
  • I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap? Who really wants their coffeemaker or refrigerator attached to the internet at all, much less be willing to pay one cent more to add what amounts to zero functionality but additional points of failure and additional ability for corporate America to grab some other details about our personal lives?

    Is there any actual, normal person out there even faintly intereste

    • I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap?

      1) you're not going to have a choice because everything else will fall off the market and 2) the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.

      • by tsqr ( 808554 )

        1) you're not going to have a choice because everything else will fall off the market and 2) the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.

        It's not just the masses of asses who don't think beyond "ooh, shiny", unless you define everyone who buys this crap as an ass. I have a close friend with a PhD in CS and an MS in psychology, who has everything in his house from his garage door to his thermostat to his ceiling fan (!) networked and internet accessible. Another friend who is extremely cautious - bordering on paranoid - about revealing any personal information on the internet, has an Amazon Echo sitting on his bar. Still scratching my head ov

        • It's not just the masses of asses who don't think beyond "ooh, shiny", unless you define everyone who buys this crap as an ass.

          Can't I?

          Another friend who is extremely cautious - bordering on paranoid - about revealing any personal information on the internet, has an Amazon Echo sitting on his bar. Still scratching my head over that one.

          Ooh, shiny!

          To be fair, I own an Android phone. It's running AOSP and I have voice turned off, but there's a certain amount of trust involved even so. Who can say what level of paranoia is justified?

          • by tsqr ( 808554 )

            It's not just the masses of asses who don't think beyond "ooh, shiny", unless you define everyone who buys this crap as an ass.

            Can't I?

            Well yeah, as long as you're not looking for a lot of buy-in. Of course, you can always dismiss anyone who disagrees as being part of the mass of asses. Sort of an interesting variation on "no true Scotsman".

            Another friend who is extremely cautious - bordering on paranoid - about revealing any personal information on the internet, has an Amazon Echo sitting on his bar. Still scratching my head over that one.

            Ooh, shiny!

            Well, that's what has me scratching my head. This guy is definitely not the "Ooh, shiny!" type at all.

            To be fair, I own an Android phone. It's running AOSP and I have voice turned off, but there's a certain amount of trust involved even so. Who can say what level of paranoia is justified?

            To the true paranoid, there is no level of paranoia that isn't justified.

      • by mbone ( 558574 )

        the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.

        That may be true, but just who do you think configures their networks and sets up their devices?

    • Is there any actual, normal person out there even faintly interested in this crap?

      Yes, there is. Marketing at Amazon. They're coming for you, too, bro.

      • by mbone ( 558574 )

        Is there any actual, normal person out there even faintly interested in this crap?

        Yes, there is. Marketing at Amazon. They're coming for you, too, bro.

        You have an interesting definition of normal, and for that matter, of actual.

    • Sorry, I actually enjoy being able to control things in my apartment by voice. That's actual, real functionality to me. You may not agree, but I don't think you represent as much of the target market for these devices as you believe yourself to. It's like "why pay an extra $30 for a HD monitor? 480 P is just fine. I can't see the difference". Your dismissal of such functionality is a bit silly. "I don't need voice commands" is one thing. "I don't like that so I don't think it offers functionality to anyon

      • Voice control of things in your apartment doesn't need Internet access to work. We have had voice control since the 1990s.
        • by Etcetera ( 14711 )

          Voice control of things in your apartment doesn't need Internet access to work. We have had voice control since the 1990s.

          One of the things I'm happy Apple (and to some extent Google) has begun to offer is offline voice recognition, recognizing that not all of us want our voice recordings sent to the cloud for further processing.

          I'm happy people have set up giant neural network voice recognition systems for interpreting what people are saying, using a bazillion cores in a data center, but what I really want is for the algorithm to be implemented local to my house.

        • Except those things usually don't have enough horsepower to do the work themselves, so they send it all back to a central thing which does the work and sends back results.

          Which means, as currently deployed, these things mostly do require internet connections ... and that's kind of the problem. You end up with machines which might be constantly sending everything around them to the mothership, which stands a good chance of being misused and exploited in ways we'd prefer it not be.

          Essentially you bug your ho

      • No one is saying Voice Control is useless. We take great exception to the fact that as implemented, it almost always requires submitting your data to another party to analyze. What is myopic is that you think the functionality of voice control is worth the price of having everything you say recorded and stored. Give me OFFLINE voice control, and I'll eat it up. Give me a NEST thermostat that ONLY talks to me, and I'll buy it. etc.
    • by HiThere ( 15173 )

      Read anything about the new large screen TVs?

      FWIW, in 2 years things won't bother to advertise that they communicate over the internet. You won't find out until you read the documentation after you buy it. And they'll either be wireless, or they won't work right without an internet connection.

  • by Anonymous Coward

    Back in 1999 the NSA banned Furbies as they felt they might pick up on National Secrets and repeat them.
    http://io9.gizmodo.com/the-nsa-once-banned-furbies-as-a-threat-to-national-sec-1526908210

  • Any work wifi network should be secured with WPA2ENT using id/pw or certificates for access to the wifi LAN. I seriously doubt these devices will have support for anything more than PSK or the auto-configure 'thing' that consumer routers are coming with now.

    Seriously.... what kind of IT would let that happen?

  • by dfn5 ( 524972 ) on Thursday January 07, 2016 @10:41AM (#51255311) Journal
    I don't talk to people
    • by Anonymous Coward

      I'm a network admin. I don't talk to people either, but I do listen to everything they're saying. ;)

      • by Anonymous Coward

        Are you now considered an IoT Always-on Device?

    • by antdude ( 79039 )

      But you just did on /.!

  • BYOD Only network (Score:5, Informative)

    by The-Ixian ( 168184 ) on Thursday January 07, 2016 @11:01AM (#51255451)

    We have a BYOD WiFi network for any non-approved wireless devices.

    The network is completely separate from the LAN and normal WiFi network and is subject to some bandwidth throttling.

    A user can plug in a device to the network, but I do monitor the DHCP logs. This hasn't been a real problem since we gave the users a sandbox to play in though.
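One way to turn the DHCP-log monitoring described in this post into a repeatable check, as an added example that is not code from the thread: it folds ISC dhcpd-style DHCPACK syslog lines into a per-MAC inventory of the BYOD segment and reports every device that took a lease without being registered with IT. The log excerpt, the OUI-to-vendor table and the approved-MAC list are constructed sample data (locally administered MACs, placeholder vendor names).

```python
"""Inventory devices seen on a BYOD DHCP segment and flag unregistered ones.

Added example, not code from the thread. Log lines, OUI prefixes and the
approved-MAC list are constructed; the line format follows ISC dhcpd syslog
output ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>").
"""
import re
from dataclasses import dataclass, field

# Matches only DHCPACK lines; DISCOVER/REQUEST/OFFER lines are ignored.
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)

# Constructed OUI table with placeholder vendors (not the IEEE registry).
OUI_TABLE = {
    "02:aa:01": "PhoneVendor-A (constructed)",
    "02:bb:02": "VoiceAssistantVendor-B (constructed)",
}

# Constructed allowlist: devices the user registered with IT.
APPROVED_MACS = {"02:aa:01:00:00:01"}

# Constructed syslog excerpt from the BYOD segment's DHCP server.
SAMPLE_LOG = """\
Jan  7 09:58:10 byod-gw dhcpd[1423]: DHCPREQUEST for 10.20.0.14 from 02:aa:01:00:00:01 (alice-iPhone) via eth1
Jan  7 09:58:12 byod-gw dhcpd[1423]: DHCPACK on 10.20.0.14 to 02:aa:01:00:00:01 (alice-iPhone) via eth1
Jan  7 09:58:40 byod-gw dhcpd[1423]: DHCPACK on 10.20.0.15 to 02:bb:02:00:00:02 (echo-dot) via eth1
Jan  7 10:02:03 byod-gw dhcpd[1423]: DHCPACK on 10.20.0.16 to 02:cc:03:00:00:03 via eth1
Jan  7 10:05:19 byod-gw dhcpd[1423]: DHCPACK on 10.20.0.14 to 02:aa:01:00:00:01 (alice-iPhone) via eth1
"""


@dataclass
class Device:
    mac: str
    vendor: str
    approved: bool
    first_seen: str
    last_seen: str
    leases: int = 0
    ips: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)


def parse_ack(line):
    """Return the fields of a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()  # normalise so allowlist lookups match
    return rec


def vendor_for(mac, oui_table=OUI_TABLE):
    """Look the 24-bit OUI prefix up in the (constructed) vendor table."""
    return oui_table.get(mac[:8], "unknown OUI")


def inventory(log_text, approved=APPROVED_MACS, oui_table=OUI_TABLE):
    """Fold DHCPACK lines into one Device per MAC, kept in first-seen order."""
    devices = {}
    for line in log_text.splitlines():
        rec = parse_ack(line)
        if rec is None:
            continue
        mac = rec["mac"]
        dev = devices.get(mac)
        if dev is None:
            dev = Device(mac, vendor_for(mac, oui_table), mac in approved,
                         rec["ts"], rec["ts"])
            devices[mac] = dev
        dev.last_seen = rec["ts"]
        dev.leases += 1
        dev.ips.add(rec["ip"])
        if rec["host"]:  # headless gadgets often send no hostname at all
            dev.hostnames.add(rec["host"])
    return devices


def unknown_devices(devices):
    """Devices that took a lease but were never registered with IT."""
    return [d for d in devices.values() if not d.approved]


def report(devices):
    """One human-readable line per unregistered device."""
    lines = []
    for d in unknown_devices(devices):
        names = ",".join(sorted(d.hostnames)) or "<no hostname>"
        lines.append(f"{d.first_seen} NEW {d.mac} {d.vendor} host={names} "
                     f"ip={','.join(sorted(d.ips))} leases={d.leases}")
    return lines


if __name__ == "__main__":
    for line in report(inventory(SAMPLE_LOG)):
        print(line)
```

Feeding the real dhcpd log through `inventory()` on a schedule and diffing `unknown_devices()` against the previous run gives the "new device appeared on the sandbox" alert the post relies on eyeballing for.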

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      So you've supplied them the bandwidth needed to upload your HR conversations?

      • Well, here's the deal. The office space is small enough (2 floors of a downtown skyscraper) that I regularly see most of it. I am pretty connected with what users are doing.

        Sometimes the solution is not so much technical and is more on the social side.

        The answer to your question is: Yes. If an HR or Accounting (or any) person in the office decided to attach a wireless device that listens, it would have an available connection to the Internet (assuming it used port 80 or 443).

        BUT, I would be aware of it pret

        • "We are the IT department. We don't set or enforce policy for users."

          You are supposed to be the network police. Management has gutted your autonomy and authority. Sounds like you are more of a Help Desk than an actual IT dept.
      • It's trivial for just about the least technical person to record conversations with their phone. I don't think there is really a way to stop people from doing this if they want to.
  • Plenty of places don't allow smartwatches, cellphones, or anything with radio. This will become more common as everything magically needs an internet connection to give even basic functionality.

    Why is "record audio, broadcast to mothership" a basic design tenet of all the new voice things? This has a very real cost in privacy, security, bandwidth, and reliability.

    Most things can trivially turn off their voice addon. But once that gets better, will some Design Jackass come in and say "voice is just superi

  • I'm glad y'all are discussing this, but it's obvious too many don't actually understand the problem. Google's latest Android OS update as well as the new iOS both have "always listening" functionality. They listen for their trigger word, but they're always listening. What's worse is that some of these things have their own Internet connectivity (cellular data) and don't need your permission. Putting them on a "separate guest network" accomplishes next to nothing since it's not only their network presence b
  • I did a PC refresh job at a Fortune 500 company where the engineers were allowed to hang on to their old workstation for a week before turning them in for decommissioning and recycling. Most found clever excuses to keep them indefinitely, as having more processing power was a status symbol. Not all the cubicles had multiple network ports that were open. So the engineers brought in old network switches from home. That's when the real fun started. They didn't realize that their network switch also had a DHCP
    • That's when the real fun started. They didn't realize that their network switch also had a DHCP server with private network addresses that cut every workstation on the segment off from the corporate network and the Internet. A network technician spent a day tracking them all down.

      LOL, I've seen similar.

      Years ago a manager couldn't get more network drops in his office, so he brought in a little router for himself.

      In another entire office, but part of the corporate network, his collision with 192.168.*.* cau

  • If anything, that would make things easier. You could just block them. No, IoT will bring their own network. We've talked a lot about internet-enabled TVs spying on their users, and the reflex is always the same: Don't give your TV internet access and you're good. No, you are not good. The TV will soon come with its own network builtin, where you can't just unplug it or pull the Wifi stick or refuse to give it the WPA key. If you don't give it access to your Wifi, then it will talk to the neighbors' TVs and

  • Not.

    Don't try bring any of this junk in a SCIF.

    • Not.

      Don't try bring any of this junk in a SCIF.

      Junk?

      Wonder how well this stance is going to work out as SCIF-riddled businesses fight with both security policy and medical discrimination when those Bluetooth-enabled pacemakers start becoming all the rage amongst obese greybeards in support...

  • by cliffjumper222 ( 229876 ) on Thursday January 07, 2016 @12:15PM (#51255993)

    I always thought there would be a mine of information based on a company's searches too. Engineer is reading a spec and googles an acronym, finance google a company they are planning to merge with, HR google potential candidates, R&D google research terms, etc. Not too much of an issue if you have no other interaction with google, but if your company competes with google or otherwise has a business relationship with them, then it may be a good idea not to google anything!

  • Our workplace is simple. Wired (fast, secure) network is for work. Wireless network (throttled, less secure) is for everything else. It's pretty simple and it works.
  • You probably have a BYOD policy,

    Yes. It's DONT.

    If you do bring it, don't plug it into the network.

    If it doesn't have an ethernet socket and needs a wifi connection, you need to contact IT with its MAC address and your written authorisation from your line manager instructing IT to provide you with connectivity. The IT will probably tell you or your manager to fuck off.
