Always-Listening IoT Devices Raise Security Policy Questions For the Workplace (securityweek.com) 152
wiredmikey writes: Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is "always listening" and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. "How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn't be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
Simple.... (Score:5, Insightful)
You don't allow it.......
Re: (Score:2, Insightful)
Good luck telling someone they can't wear a watch.
Re: Simple.... (Score:1)
Re: (Score:2)
Re: (Score:2)
I can't wear my smartwatch all places where I work. I put it right on top of my cellphone in the cellphone cubby. It's in the policy: if it has Bluetooth, it can't go certain places.
Re: (Score:3)
The concern isn't that. Many devices have speakers that can be activated remotely. Some can record RF in raw mode, or have other inputs. It's not just about the connection.
Re: (Score:2)
Yeah, I'm in a right-to-work state and I tell my IT to eat dick at least once a month, or I did when I was still working for a company that didn't understand IT is a service, not the business. You can write all the rules you want, you will not get compliance from most people.
Honestly the cat was out of the bag when people started carrying smartphones. Banning watches is just being nit picky about the forms of spying you want to forbid.
Re: (Score:2)
IT Security is a component of IT that exists to ensure you can continue operating the fucking business
Only a small portion of IT security is that, and that portion (if done right) has little to do with individual employees following nit-picky rules. Most IT security concerns have some manageable cost associated with ignoring them, and it's just a matter of cost of security vs risk of loss.
If you're an IT security guy, it's easy to mistake your job for "eliminate all IT security threats". But that's not your job. Your job is "manage all IT security threats". It's up to the business leaders to decide what
Re:Simple.... (Score:4, Interesting)
You don't allow it.......
Easy enough if it's trying to use the corporate network, but what if it's listening to confidential conversations but using another route, via a mobile phone hotspot for example, that you have no control over?
Re: (Score:2)
You don't allow it.......
Then I'll wear two. Then you'll threaten to get me fired. Then I'll wear three. Then, after numerous iterations on this, we'll realize that this cat is out of the bag, it isn't going back in, and the people offering these devices will have to be held responsible for the damages their products cause.
That said, a friend of mine informed me that his company still doesn't allow wifi. In 2015. Our IT started prohibiting that in 2002, and we started installing our own wifi, and they qui
Re: (Score:2)
That is the IT side of exactly how it works. Try to ban pot and some will smoke it and even more will ignore it, and even the policemen stop caring.
Re: (Score:2)
Re: (Score:2)
Obviously you have no clue of network security at your workplace and just allow people to plug in shit as they feel like it. You shall reap what you sow. There are a number of steps you can take to not let unauthorized devices on your company network.
Re: (Score:2)
Obviously you have no clue of network security at your workplace and just allow people to plug in shit as they feel like it. You shall reap what you sow. There are a number of steps you can take to not let unauthorized devices on your company network.
You're assuming that it's connecting over the workplace network. What's to prevent it from connecting over the mobile network or just waiting until it has a network connection later at a new location? Preventing network access doesn't prevent a device from snooping. The only way to prevent it would be to ban all smartphones, smartwatches, fitbits, digital cameras, and electronic devices in general and it's only going to get worse as more electronics are incorporated into everyday objects like shoes, purs
Re: (Score:2)
Isn't that what the article mentioned? Devices connecting to your INTERNAL network? Of course you cannot do anything about stuff connecting to 4G and outside WAPs.
From the article:
"Now is a great time to start to think about policy and procedure for the inevitable. As everything imaginable starts to ask for an IP address from your network, make sure you watch ingress and egress points and terminate encryption so you can properly inspect all traffic. What is your policy for things like the Amazon Echo, on
Re: (Score:2)
Isn't that what the article mentioned? Devices connecting to your INTERNAL network? Of course you cannot do anything about stuff connecting to 4G and outside WAPs.
Yes, it does mention the network in the actual article but both the summary and the article start out worrying about the "always listening" devices which no amount of encryption or inspecting is going to help if they are connecting by one of many other methods not controlled by the company. Not to mention if it's end to end encryption then even if it is on your network then you can't inspect it only block it.
Re: (Score:2)
If your cellphone can be remotely turned on while appearing off (true), can record video or audio with no external signs, and can broadcast it at that time or later, then it doesn't matter if it is on your network or not. This is a physical security problem.
Re: (Score:2)
Current doesn't exist without voltage being applied across the photosensor array, and the LED can easily be hard wired directly to the voltage signals that go to sensor. No voltage means that it is impossible to detect anything, and no LED light means no voltage is present. Any voltage high enough to get any information at
Re: (Score:2)
> Current doesn't exist without voltage being applied across the photosensor array, and the LED can easily be hard wired directly to the voltage signals that go to sensor.
Can be, but isn't. It's super hard to figure out which LEDs actually are hard indicators and which are not. As far as I can tell, they can ALL be goofed up such that they appear off but are actually on, with varying degrees of difficulty. The LED is just an indicator that you hope the device driver updates, but that is by no means gu
Re: (Score:2)
Re: (Score:2)
You're correct, but for the last ten years or so camera indicators have been wired the more complicated/expensive/nefarious way. It's almost enough to make you a little paranoid.
Re: (Score:2)
Re: (Score:2)
Well, the point is that you don't allow the Amazon Echo into the office.
Now Windows 10, on the other hand... that's a bit trickier policy-wise if you have to develop Windows apps in the office.
They were too busy asking themselves if they could (Score:4, Insightful)
And not asking if they should
Re: (Score:2)
And not asking if they should
Sadly, this quote basically sums up a lot of current-generation Silicon Valley thinking.
Always-Working culture is the real problem (Score:2, Interesting)
Work in the workplace. Leave your toys at home. Go home to your toys. Get a life. Have a work/life balance.
Re: (Score:1)
Take your communism elsewhere.
Re: (Score:2)
Have a work/life balance.
Insanity. Telling my IT to eat a dick might at worst get me yelled at by my boss, maybe if I were already on his shit-list. Otherwise he'd probably tell me I shouldn't do that, and I'd list a number of other things I shouldn't do, and we'll reach an impasse.
Having work/life balance will actually get me fired. I mean...laid off.
Re: (Score:2)
While leaving the "toys" at the door is a viable solution, the fact is that being able to use the net IS work. When I'm in an area without access to, for instance, my phone, I have a hard as SHIT time looking stuff up. Between blocked websites ("hacking" red flag, for instance) and an inability to save state and documents effectively, the phone is a huge help- it stands in for a bookshelf at minimum.
The issue isn't "toys" versus "non toys". The issue is, my TOOLS have problems.
Re: (Score:2)
That was the plan when smart phones were new. "Don't bring your phone to the office", a simple plan and the only ones complaining were hipsters. A year later all the IT groups were scrambling to figure out how to coexist peacefully with smart phones.
Why are people accepting this? (Score:5, Insightful)
I don't get all of this, and frankly it's a little creepy.
From Barbies which upload everything your child says to a server, to Xbox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?
You want one of these things in your home, go right ahead, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.
I trust neither the competence, security practices, nor behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line the pockets of a corporation.
You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.
Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.
Re:Why are people accepting this? (Score:4, Insightful)
Re: (Score:1)
And then there's Maude.
Re: (Score:2)
Mod parent up "insightful".
Re: (Score:1)
keep raging against it, doesn't matter
eventually these sorts of things will be pervasive, leaving you only to cry into your yogurt
Re: (Score:1)
You want one of these things in your home, go right ahead, that is your choice.
As long as you don't have visitors, or inform them about the device and warn them not to say anything that might be considered to be private, or always remember to turn it off. I've seen people who otherwise behave intelligently dump stuff about me on facebook or twitter without asking permission or even understanding that they should when I object, so I'm not too optimistic about where this might be going.
Re: (Score:1)
Agreed. IoT is a security hazard enough at home... but the workplace? No thanks. I can't even begin to think how many rules, regulations, policies, even laws, some IoT devices would break. To boot, the devices may not work with WPA-Enterprise, so would need their own SSID, and if the devices had their own cellular connection, that can break even more rules.
Nope... there are enough security issues already. I think policies will be quickly updated to cover IoT stuff soon.
Re: (Score:3)
Re: (Score:2)
I don't get all of this, and frankly it's a little creepy.
From Barbies which upload everything your child says to a server, to Xbox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?
Unfortunately the current voice recognition technology is not good/fast enough to run on low powered devices like barbies or even smart phones so companies have found a neat trick that uploads the audio clip to the cloud, have heavy duty cloud servers do the translation and then send the reply back to the device. We need major advances in voice recognition, battery life, mobile processor speed, or some other area to get around this. The other possibility is to not use voice recognition and/or pass laws re
Re:Why are people accepting this? (Score:5, Insightful)
I don't get all of this, and frankly it's a little creepy.
From Barbies which upload everything your child says to a server, to Xbox units which send everything in your living room to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?
Because the price of privacy (which is unproven until someone sees the evidence in their own bank accounts) doesn't even hold a candle to the price of "convenience", and speaking to control a computer (only something we've fantasized about in movies for half a damn century now) is somehow infinitely better than actually having to lift fingers and depress a touch screen.
You want one of these things in your home, go right ahead, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.
Feel free to convince said consumer that talking into their watch (or vice versa) is somehow affecting other people. Sure, I get it from a security standpoint, but the other 99% of society who doesn't get paid to think about such concerns doesn't give a shit about it, and therefore will not even acknowledge it to be a problem to solve.
I trust neither the competence, security practices, nor behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line the pockets of a corporation.
You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.
Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.
With always-on Internet connections in every employee pocket (cell phone), coupled with WiFi/Bluetooth/next-gen wireless tech, good luck "securing" the workplace. The primadonnas will speak loudly in their "defense".
You've also got the industry to fight too. We tried to enforce a policy that prohibited any cellular device from merely having a camera, to include corporate-issued devices. That didn't even work with the hardware vendor for longer than about a year or two.
Re: (Score:2)
and speaking to control a computer (only something we've fantasized about in movies for half a damn century now) is somehow infinitely better than actually having to lift fingers and depress a touch screen.
That's your opinion, from my point of view it's the total opposite. Voice control outside of my home is a total no-no for me. I hate speaking to people, what makes you think that I would like to speak to a thing?
In fact I also despise touch screens, give me real physical buttons, keyboards, knobs and sliders, without any lag, and I'll be very happy.
I'm so tired of all the lag that is creeping everywhere. It seems like things are becoming slower, not faster. There's always lag on every button press, when you
Re: (Score:2)
No. You've probably already ignored the IoT-in-the-workplace case. Just *try* telling your boss to leave his phone at home.
don't buy it (Score:4)
It's very simple: don't buy such devices and don't allow them near you. It's been trumpeted for years and idiots don't care. The real question is, when will security get the authority to override what some dumbass manager demands?
BYOD includes "IoT" (Score:2)
Re: (Score:2)
Nuh uh! It's a "thing"! "Things" and "devices" are completely different!
Re: (Score:1)
srsly? (Score:3)
BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.
Re: (Score:1)
And many workplaces have a fairly open "guest WiFi" which would be easy to attach the Echo to. Sure the Echo won't be able to get on the company network and infect the servers, but it can still transmit confidential conversations.
Having said that -- I suspect phones with malware would be a much greater threat for espionage than an Echo which will encrypt the data it hears and send it to Amazon where it will simply get lost in the flood of other information other Echos are sending to Amazon. A phone with m
Re: (Score:3)
BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"
Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.
How many managers / lawyers / whatever have iPhones (for example) that have or will have an 'always on' component like Siri that doesn't even need the corporate network to be able to connect back to the manufacturer cloud?
These people have other jobs and are generally neither technical nor tech-security aware by default and thus just aren't going to consider whether their phone is leaking confidential client/lawyer conversations (or whatever) to apple, for example.
The article is quite validly pointing out
Re: (Score:2)
That covers "I want to connect X to our company network." What about the situation where the user is using their private cell phone connection? Suppose I had a smartwatch that connected via my mobile hotspot, constantly rec
Maybe you won't even know (Score:1)
Internet of things (Score:2)
I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap? Who really wants their coffeemaker or refrigerator attached to the internet at all, much less be willing to pay one cent more to add what amounts to zero functionality but additional points of failure and additional ability for corporate America to grab some other details about our personal lives?
Is there any actual, normal person out there even faintly intereste
Re: (Score:3)
I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap?
1) you're not going to have a choice because everything else will fall off the market and 2) the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.
Re: (Score:2)
1) you're not going to have a choice because everything else will fall off the market and 2) the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.
It's not just the masses of asses who don't think beyond "ooh, shiny", unless you define everyone who buys this crap as an ass. I have a close friend with a PhD in CS and an MS in psychology, who has everything in his house from his garage door to his thermostat to his ceiling fan (!) networked and internet accessible. Another friend who is extremely cautious - bordering on paranoid - about revealing any personal information on the internet, has an Amazon Echo sitting on his bar. Still scratching my head ov
Re: (Score:2)
It's not just the masses of asses who don't think beyond "ooh, shiny", unless you define everyone who buys this crap as an ass.
Can't I?
Another friend who is extremely cautious - bordering on paranoid - about revealing any personal information on the internet, has an Amazon Echo sitting on his bar. Still scratching my head over that one.
Ooh, shiny!
To be fair, I own an Android phone. It's running AOSP and I have voice turned off, but there's a certain amount of trust involved even so. Who can say what level of paranoia is justified?
Re: (Score:2)
It's not just the masses of asses who don't think beyond "ooh, shiny", unless you define everyone who buys this crap as an ass.
Can't I?
Well yeah, as long as you're not looking for a lot of buy-in. Of course, you can always dismiss anyone who disagrees as being part of the mass of asses. Sort of an interesting variation on "no true Scotsman".
Another friend who is extremely cautious - bordering on paranoid - about revealing any personal information on the internet, has an Amazon Echo sitting on his bar. Still scratching my head over that one.
Ooh, shiny!
Well, that's what has me scratching my head. This guy is definitely not the "Ooh, shiny!" type at all.
To be fair, I own an Android phone. It's running AOSP and I have voice turned off, but there's a certain amount of trust involved even so. Who can say what level of paranoia is justified?
To the true paranoid, there is no level of paranoia that isn't justified.
Re: (Score:2)
the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.
That may be true, but just who do you think configures their networks and sets up their devices?
Re: (Score:3)
Is there any actual, normal person out there even faintly interested in this crap?
Yes, there is. Marketing at Amazon. They're coming for you, too, bro.
Re: (Score:2)
Is there any actual, normal person out there even faintly interested in this crap?
Yes, there is. Marketing at Amazon. They're coming for you, too, bro.
You have an interesting definition of normal, and for that matter, of actual.
Re: (Score:2)
Switch on your irony sensor, please. If you can't, please make the next legal u-turn.
Re: (Score:3)
Sorry, I actually enjoy being able to control things in my apartment by voice. That's actual, real functionality to me. You may not agree, but I don't think you represent as much of the target market for these devices as you believe yourself to. It's like "why pay an extra $30 for a HD monitor? 480 P is just fine. I can't see the difference". Your dismissal of such functionality is a bit silly. "I don't need voice commands" is one thing. "I don't like that so I don't think it offers functionality to anyon
Re: (Score:1)
Re: (Score:2)
Voice control of things in your apartment doesn't need Internet access to work. We have had voice control since the 1990s.
One of the things I'm happy Apple (and to some extent Google) has begun to offer is offline voice recognition, recognizing that not all of us want our voice recordings sent to the cloud for further processing.
I'm happy people have set up giant neural network voice recognition systems for interpreting what people are saying, using a bazillion cores in a data center, but what I really want is for the algorithm to be implemented local to my house.
Re: (Score:2)
Except those things usually don't have enough horsepower to do the work themselves, so they send it all back to a central thing which does the work and sends back results.
Which means, as currently deployed, these things mostly do require internet connections ... and that's kind of the problem. You end up with machines which might be constantly sending everything around them to the mothership, which stands a good chance of being misused and exploited in ways we'd prefer it not be.
Essentially you bug your ho
Re: (Score:2)
Re: (Score:2)
Read anything about the new large screen TVs?
FWIW, in 2 years things won't bother to advertise that they communicate over the internet. You won't find out until you read the documentation after you buy it. And they'll either be wireless, or they won't work right without an internet connection.
Anyone remember Furbies? (Score:1)
Back in 1999 the NSA banned Furbies as they felt they might pick up on National Secrets and repeat them.
http://io9.gizmodo.com/the-nsa-once-banned-furbies-as-a-threat-to-national-sec-1526908210
Re: (Score:2)
OMiGawd...yes! How times have changed, eh.
Any work wifi... (Score:2)
Any work wifi network should be secured with WPA2-Enterprise using id/pw or certificates for access to the wifi LAN. I seriously doubt these devices will have support for anything more than PSK or the auto-configure 'thing' that consumer routers are coming with now.
Seriously.... what kind of IT would let that happen?
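As an added illustration of the point in the post above (not a configuration from the page, the article or the poster), here are two separate hostapd.conf fragments side by side: a PSK-only SSID that a consumer gadget can join with a shared passphrase, and a WPA2-Enterprise SSID that hands authentication to a RADIUS server over 802.1X, which most such devices cannot complete. The interface names, SSIDs, RADIUS address and secrets are placeholders.

```ini
# Fragment 1 (weak): shared passphrase. Anyone who learns the PSK joins the
# segment, and the access point has no idea which user or device it is.
interface=wlan1
ssid=corp-byod
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder passphrase
wpa_passphrase=ChangeMe-placeholder

# Fragment 2 (WPA2-Enterprise): per-user credentials or client certificates,
# checked by an external RADIUS server. The AP does no password checking
# itself (eap_server=0), so a device must speak EAP to get on at all.
interface=wlan0
ssid=corp-staff
hw_mode=g
channel=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
# placeholder RADIUS server and shared secret
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=ChangeMe-placeholder
```

A device that only supports PSK gets no association on the second SSID, which is why the thread's BYOD/guest segment (below) tends to end up as the only place such gadgets can connect. That segment still reaches the internet, so the split solves the "what is on my LAN" question, not the "what is it listening to" one.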
I'm a Unix admin (Score:5, Funny)
Re: (Score:1)
I'm a network admin. I don't talk to people either, but I do listen to everything they're saying. ;)
Re: (Score:1)
Are You now considered an IoT Always-on Device?
Re: (Score:2)
But you just did on /.!
BYOD Only network (Score:5, Informative)
We have a byod wifi network for any non-approved wireless devices.
The network is completely separate from the LAN and normal WIFI network and is subject to some bandwidth throttling.
A user can plug in a device to the network, but I do monitor the DHCP logs. This hasn't been a real problem since we gave the users a sandbox to play in though.
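The "sandbox" segment described above, and the MAC-registration process a later post describes, both come down to knowing which devices actually showed up on the BYOD network. As an added example (not code from the page, the article or any poster), the following script parses dnsmasq-style DHCPACK lines from such a segment and reports MACs that are not in an approved-device inventory, keyed by first appearance. The log lines, the interface name and the inventory are constructed for this example.

```python
"""Spot unregistered devices on a BYOD/guest DHCP segment.

Parses dnsmasq-style DHCPACK syslog lines and reports MACs that are not in
an approved inventory. Sample log and inventory are constructed for this
example; the interface name and hostnames are placeholders.
"""
import re
from collections import OrderedDict

# Constructed sample: dnsmasq-style DHCPACK lines from the BYOD segment.
# The DHCPDISCOVER line is there to show that non-ACK messages are ignored.
SAMPLE_LOG = """\
Dec 28 08:01:12 byod-gw dnsmasq-dhcp[812]: DHCPACK(wlan1) 10.20.0.14 3c:22:fb:10:20:30 alice-phone
Dec 28 08:03:40 byod-gw dnsmasq-dhcp[812]: DHCPACK(wlan1) 10.20.0.15 68:54:fd:aa:bb:cc
Dec 28 08:05:02 byod-gw dnsmasq-dhcp[812]: DHCPACK(wlan1) 10.20.0.16 3c:22:fb:10:20:30 alice-phone
Dec 28 08:09:55 byod-gw dnsmasq-dhcp[812]: DHCPACK(wlan1) 10.20.0.17 a4:83:e7:01:02:03 bob-watch
Dec 28 08:10:30 byod-gw dnsmasq-dhcp[812]: DHCPDISCOVER(wlan1) 68:54:fd:aa:bb:cc
"""

# Constructed inventory: MACs registered with IT, mapped to an owner.
APPROVED = {
    "3c:22:fb:10:20:30": "alice",
    "a4:83:e7:01:02:03": "bob",
}

# Matches: <timestamp> <host> dnsmasq-dhcp[pid]: DHCPACK(<iface>) <ip> <mac> [<hostname>]
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dnsmasq-dhcp\[\d+\]:\s+"
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_dhcpack_lines(text):
    """Return one dict per DHCPACK line (ts, iface, ip, mac, host).

    Lines for other DHCP message types, or that do not parse, are skipped.
    MACs are normalised to lower case so inventory lookups are exact.
    """
    leases = []
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            leases.append(rec)
    return leases


def first_seen(leases):
    """Map MAC -> first lease record, in order of first appearance."""
    seen = OrderedDict()
    for rec in leases:
        seen.setdefault(rec["mac"], rec)
    return seen


def unapproved_devices(leases, approved):
    """Return first-seen records for MACs absent from the approved inventory."""
    return [rec for mac, rec in first_seen(leases).items() if mac not in approved]


def report(text, approved=APPROVED):
    """Print unregistered devices for a human to chase up; return them too."""
    unknown = unapproved_devices(parse_dhcpack_lines(text), approved)
    for rec in unknown:
        print("unregistered: %s %s ip=%s host=%s on %s"
              % (rec["ts"], rec["mac"], rec["ip"], rec["host"] or "-", rec["iface"]))
    return unknown


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

The check catches a gadget that someone simply joined to the guest SSID; it says nothing about a device that brings its own cellular or hotspot uplink, which is the recurring objection in this thread. MAC addresses are also trivially spoofed and increasingly randomised by phones, so treat the inventory as a visibility aid for the "walk over and ask" approach the poster describes, not as an authentication control.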
Re: (Score:2, Interesting)
So you've supplied them the bandwidth needed to upload your HR conversations?
Re: (Score:3)
Well, here's the deal. The office space is small enough (2 floors of a downtown skyscraper) that I regularly see most of it. I am pretty connected with what users are doing.
Sometimes the solution is not so much technical and is more on the social side.
The answer to your question is: Yes. If an HR or Accounting (or any) person in the office decided to attach a wireless device that listens, it would have an available connection to the Internet (assuming it used port 80 or 443).
BUT, I would be aware of it pret
Re: (Score:2)
You are supposed to be the network police. Management has gutted your autonomy and authority. Sounds like you are more of a Help Desk than an actual IT dept.
Re: (Score:2)
How is this complex? (Score:2)
Plenty of places don't allow smartwatches, cellphones, or anything with radio. This will become more common as everything magically needs an internet connection to give even basic functionality.
Why is "record audio, broadcast to mothership" a basic design tenet of all the new voice things? This has a very real cost in privacy, security, bandwidth, and reliability.
Most things can trivially turn off their voice addon. But once that gets better, will some Design Jackass come in and say "voice is just superi
As the article author... (Score:1)
Seen this before... (Score:2)
Re: (Score:2)
LOL, I've seen similar.
Years ago a manager couldn't get more network drops in his office, so he brought in a little router for himself.
In another entire office, but part of the corporate network, his collision with 192.168.*.* cau
It's not network attachment that's problematic (Score:1)
If anything, that would make things easier. You could just block them. No, IoT will bring their own network. We've talked a lot about internet-enabled TVs spying on their users, and the reflex is always the same: Don't give your TV internet access and you're good. No, you are not good. The TV will soon come with its own network builtin, where you can't just unplug it or pull the Wifi stick or refuse to give it the WPA key. If you don't give it access to your Wifi, then it will talk to the neighbors' TVs and
How welcome? (Score:2)
Not.
Don't try to bring any of this junk into a SCIF.
Re: (Score:2)
Not.
Don't try to bring any of this junk into a SCIF.
Junk?
Wonder how well this stance is going to work out as SCIF-riddled businesses fight with both security policy and medical discrimination when those Bluetooth-enabled pacemakers start becoming all the rage amongst obese greybeards in support...
Google searches (Score:3)
I always thought there would be a mine of information based on a company's searches too. Engineer is reading a spec and googles an acronym, finance google a company they are planning to merge with, HR google potential candidates, R&D google research terms, etc. Not too much of an issue if you have no other interaction with google, but if your company competes with google or otherwise has a business relationship with them, then it may be a good idea not to google anything!
Wired vs Wireless (Score:2)
You probably have a BYOD policy, (Score:2)
Yes. It's DONT.
If you do bring it, don't plug it into the network.
If it doesn't have an ethernet socket and needs a wifi connection, you need to contact IT with its MAC address and your written authorisation from your line manager instructing IT to provide you with connectivity. IT will probably tell you or your manager to fuck off.
Re: (Score:1)
Re: (Score:3, Funny)
Internet Tough Guy Status: Confirmed.
Re: (Score:2)
Re: (Score:2)
Anywhere that cares about security will have a bunch of cubbyholes or lockers at the front door, and you'll be checking your personal electronics when you walk in.
From 2005 to 2010, I worked for a fed government contractor in a fed government facility, and that is precisely what we had. Certain areas of the building were secure areas and ALL personal electronics were placed in those lockers when entering the secure area. Other areas you *could* carry your personal cellphone, so long as it didn't have a camera, otherwise you had to leave it in your car. Before I left in 2010, it got so *secure* that you had to declare to the armed guards at the front gate as you drove i