Slashdot Mirror

← Back to Stories (view on slashdot.org)

Always-Listening IoT Devices Raise Security Policy Questions For the Workplace (securityweek.com)

Posted by timothy on from the meet-your-new-conference-bridge dept.

wiredmikey writes: Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is "always listening" and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. "How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn't be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"

23 of 152 comments (clear)

  1. Simple.... by bev_tech_rob · · Score: 4, Insightful

    You don't allow it.......

    --
    You're messin' with my Zen Thing, man.....
    1. Re:Simple.... by Anonymous Coward · · Score: 2, Insightful

      Good luck telling someone they can't wear a watch.

    2. Re:Simple.... by sociocapitalist · · Score: 3, Interesting

      You don't allow it.......

      Easy enough if it's trying to use the corporate network but what if it's listening to confidential conversations but using another route...via a mobile phone hotspot for example, that you have no control over ?

      --
      blindly antisocialist = antisocial
    3. Re:Simple.... by cfalcon · · Score: 2

      The concern isn't that. Many devices have speakers that can be activated remotely. Some can record RF in raw mode, or have other inputs. It's not just about the connection.

  2. They were too busy asking themselves if they could by 0xdeaddead · · Score: 3, Insightful

    And not asking if they should

  3. Always-Working culture is the real problem by Anonymous Coward · · Score: 2, Interesting

    Work in the workplace. Leave your toys at home. Go home to your toys. Get a life. Have a work/life balance.

  4. Re:I will personally rip it out if I see it by Lunix+Nutcase · · Score: 2, Funny

    Internet Tough Guy Status: Confirmed.

  5. Why are people accepting this? by gstoddart · · Score: 4, Insightful

    I don't get all of this, and frankly it's a little creepy.

    From Barbies which upload everything your child says to a server, to XBox units which send everything in your living to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?

    You want one of these things in your home, go right a head, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.

    I trust neither the competence, security practices, or behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line of the pockets of a corporation.

    You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.

    Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.

    --
    Lost at C:>. Found at C.
    1. Re:Why are people accepting this? by Simulant · · Score: 3, Insightful

      And then there's your cell phone....

    2. Re:Why are people accepting this? by houghi · · Score: 2

      Why, because they are told it is a good idea. Or at least they are not told that it is a bad idea.

      No matter how bad your idea is for whatever, it can be packaged in such a way that people will want it.

      DrunkXYZ, now with even more success in increasing your sugarlevels. Drink DrunkXYZ for the highest blood sugarlevels possible in nature. Packaging also increates the number of jobs in the waste industry. Almost no deterogation of the waste product with the advantage of not usable for a second time.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Why are people accepting this? by geekmux · · Score: 4, Insightful

      I don't get all of this, and frankly it's a little creepy.

      From Barbies which upload everything your child says to a server, to XBox units which send everything in your living to Microsoft, to whatever the hell an Amazon Echo is ... why the hell are people willing to accept something around them which is always listening, and always uploading everything you say to the internet?

      Because the price of privacy (which is unproven until someone sees the evidence in their own bank accounts) doesn't even hold a candle to the price of "convenience", and speaking to control a computer (only something we've fantasized about in movies for half a damn century now) is somehow infinitely better than actually having to lift fingers and depress a touch screen.

      You want one of these things in your home, go right a head, that is your choice. But bringing shit like this into an office where it affects other people? That should be against a lot of corporate policies -- and in a lot of workplaces probably violates some legal requirements.

      Feel free to convince said consumer that talking into their watch (or vice versa) is somehow affecting other people. Sure, I get it from a security standpoint, but the other 99% of society who doesn't get paid to think about such concerns doesn't give a shit about it, and therefore will not even acknowledge it to be a problem to solve.

      I trust neither the competence, security practices, or behavior of these companies. They don't give a crap about you or your security, they care about monetization and analytics ... which means I assume anything written by Amazon like this is at least some fraction intended to line of the pockets of a corporation.

      You bring stuff like this into a workspace, and you should expect someone is going to be pretty pissed off that they're included in this without their consent.

      Keep your shiny baubles which violate your own privacy the hell home -- the workplace is NOT a place where everyone is willing to consent to the terms of service of Amazon just because some ass got a shiny toy for Christmas.

      With always-on Internet connections in every employee pocket (cell phone), coupled with WiFi/Bluetooth/next-gen wireless tech, good luck "securing" the workplace. The primadonnas will speak loudly in their "defense".

      You've also got the industry to fight too. We tried to enforce a policy that prohibited any cellular device from merely having a camera, to include corporate-issued devices. That didn't even work with the hardware vendor for longer than about a year or two.

  6. don't buy it by Gravis+Zero · · Score: 3

    it's very simple, don't buy such devices and don't allow them near you. it's been trumpeted for years and idiots don't care. the real question is, when will security get the authority to override what some dumbass manager demands?

    --
    Anons need not reply. Questions end with a question mark.
  7. BYOD includes "IoT" by 110010001000 · · Score: 2

    Unless something changed in 2016, a thing like a Smartwatch or the Echo is still a "device" thus should be covered under the BYOD policy. The D means "Device".

  8. srsly? by drinkypoo · · Score: 2

    BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"

    Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:srsly? by sociocapitalist · · Score: 2

      BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?"

      Existing policies should prohibit attaching new devices to the network or computer without permission from the IT department, which is the only policy you need. Anyone who installs these always-listening devices where sensitive information is communicated deserves exactly what they get.

      How many managers / lawyers / whatever have iphones (for example) that have or will have an 'always on' component like Siri that doesn't even need the corporate network to be able to connect back to the manufacturer cloud ?

      These people have other jobs and are generally neither technical nor tech-security aware by default and thus just aren't going to consider whether their phone is leaking confidential client/lawyer conversations (or whatever) to apple, for example.

      The article is quite validly pointing out that companies security policies and user security sensitization/education need to be upgraded to take such things into account.

      --
      blindly antisocialist = antisocial
  9. Re:Internet of things by drinkypoo · · Score: 2

    I keep hearing this concept repeated like a tocsin by "internet experts" (that I've never heard of) but seriously, who is going to buy this crap?

    1) you're not going to have a choice because everything else will fall off the market and 2) the masses of asses who don't think beyond "ooh, shiny". They are clearly in the majority, just look around.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Re:Internet of things by vikingpower · · Score: 2

    Is there any actual, normal person out there even faintly interested in this crap?

    Yes, there is. Marketing at Amazon. They're coming for you, too, bro.

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  11. Re:Internet of things by Gojira+Shipi-Taro · · Score: 2

    Sorry, I actually enjoy being able to control things in my apartment by voice. That's actual, real functionality to me. You may not agree, but I don't think you represent as much of the target market for these devices as you believe yourself to. It's like "why pay an extra $30 for a HD monitor? 480 P is just fine. I can't see the difference". Your dismissal of such functionality is a bit silly. "I don't need voice commands" is one thing. "I don't like that so I don't think it offers functionality to anyone at all" is myopic.

    That said, I can't imagine bringing something like an Echo into the office. I don't even want to issue voice commands to my computer or watch in that environment. That is a head scratcher.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  12. I'm a Unix admin by dfn5 · · Score: 4, Funny

    I don't talk to people

    --
    -- Thou hast strayed far from the path of the Avatar.
  13. BYOD Only network by The-Ixian · · Score: 4, Informative

    We have a byod wifi network for any non-approved wireless devices.

    The network is completely separate from the LAN and normal WIFI network and is subject to some bandwidth throttling.

    A user can plug in a device to the network, but I do monitor the DHCP logs. This hasn't been a real problem since we gave the users a sandbox to play in though.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:BYOD Only network by Anonymous Coward · · Score: 2, Interesting

      So you've supplied them the bandwidth needed to upload your HR conversations?

    2. Re:BYOD Only network by The-Ixian · · Score: 2

      Well, here's the deal. The office space is small enough (2 floors of a downtown skyscraper) that I regularly see most of it. I am pretty connected with what users are doing.

      Sometimes the solution is not so much technical and is more on the social side.

      The answer to your question is: Yes. If an HR or Accounting (or any) person in the office decided to attach a wireless device that listens, it would have an available connection to the Internet (assuming it used port 80 or 443).

      BUT, I would be aware of it pretty quickly. We are not the police. We are the IT department. We don't set or enforce policy for users. After talking to them about the potential risks, it would be up to their group leader or the operations committee to tell them they can't do it. We would, of course inform that decision, but unless the device is causing a disruption, we generally let users do what they want in that byod space.

      --
      My eyes reflect the stars and a smile lights up my face.
  14. Google searches by cliffjumper222 · · Score: 2

    I always thought there would be a mine of information based on a company's searches too. Engineer is reading a spec and googles an acronym, finance google a company they are planning to merge with, HR google potential candidates, R&D google research terms, etc. Not too much of an issue if you have no other interaction with google, but if your company competes with google or otherwise has a business relationship with them, then it may be a good idea not to google anything!