Twitter: @SecurityMonahan
As we continue to expand the footprint of smart devices placed in our homes and offices, privacy and security risks also increase. No one ever thinks about engaging IT security in the decision to buy a new television for the executive briefing center, a new refrigerator or coffee pot for the break room, a building automation system or a new IP-enabled surveillance system. Why would they?
The reasons are far more pressing than they used to be. Due to the nature of these newly connected “SMART” devices, they can directly invade our privacy through the misuse of inherent design features. Indirectly, they can exploit flaws in the design or by the device itself.
The negative privacy effects of a surveillance camera being hacked are pretty obvious. However, those and other connected devices provide additional safety and business concerns if they are compromised. The refrigerator not only has cameras that can be misused but in addition, its computing power and persistence in a relatively unprotected part of a network make it more easily compromised by attackers to be used for an ongoing attack device/platform. Any of the smart appliances can be used for a number of nefarious purposes, including as a beachhead for access into the more sensitive parts of the environment, data aggregation and exfiltration, and even as a part of a Distributed Denial of Service (DDoS) botnet. Beyond that, the current generation of SMART TVs with voice recognition can be used as continual surveillance devices if compromised and/or misconfigured. Unless the owner disables the feature, they are always “listening” for commands. If they are compromised, the attacker can record any and all conversations in the room.
Building automation management systems and IP-enabled security systems present a further problem. Not only are they susceptible to any of the previously identified issues; they also have the capability to manipulate the corporate environment. This creates something of a James Bond scenario where an attacker can change the access or environmental characteristics to encourage people to evacuate an area, access an area without proper credentials, or potentially cause damage to data center systems by manipulating heating/cooling controls or sensors.
Lastly, all of these devices are little computers running applications. Most of these embedded computers and applications have no means of patching them, and the few that do will only be updated at delayed, random intervals because no one owns that responsibility. It is seen as very unimportant when placed next to other job priorities.
None of the new SMART devices are designed to accommodate an agent for monitoring, management, or their own protection; nor is there any indication that this will happen any time soon, mainly due to the economies involved with producing them. However, given all of the issues with privacy and security that come from creating a more connected world, it would seem to be more important to figure out how to know if these devices are on IT’s network. Since IT and IT security will not be in the loop for their purchase, IT security should put itself in the loop for discovering and identifying the devices as they arrive. Gaining visibility to them is no longer an option; it is an increasingly important requirement. After visibility, controlling how these devices are accessible and what they can access is also increasing in importance. After all, who wants to be the one that has to admit their data was stolen by their refrigerator?
