Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security

4/12/2019
10:54 AM
Joe Stanganelli
Joe Stanganelli
Joe Stanganelli
50%
50%

IoE: The Internet of Espionage

As employees live their lives across an increasingly IoT-enabled landscape (with devices often installed discreetly and with hidden functionalities), enterprise security is threatened by outside factors it cannot control.

The Internet of Things has been expanding exponentially over the years. Gartner predicts that within the next five years, there will be approximately 1.7 billion new devices per annum attaching to enterprise networks -- and, accordingly, that the number of endpoint devices that CIOs will be expected to manage will triple in that time. This in and of itself introduces enormous complexity to the security and integrity of enterprise IT environments.

IoT devices outside the organization, however, present a hidden yet no less serious threat. At home, while traveling, and on the job offsite, third parties have the capability to use IoT to spy on enterprise employees -- the things they say, the things they do, the things they look at, and even the things they type.

In some cases, this is already happening.

IoT spying at home Over the past several years, headlines have been rife with espionage-enabling vulnerabilities and exploits of smart cameras, smart appliances, smart thermostats, and even smart toys. More recent IoT controversies and snafus, however, have driven the point of the problem home.

On Wednesday, Bloomberg reported that -- instead of relying entirely on cold and distant algorithms when recording and "listening" to users of Alexa (the "smart assistant" embedded in Amazon's smart speaker, the Amazon Echo) -- Amazon "employs thousands" of living, breathing humans to listen to, transcribe, analyze, and annotate what Alexa hears.

To be sure, with machine learning in its infancy, a certain amount of direct human intervention is to be expected when it comes to maintaining and improving voice-activated IoT devices. At the same time, the recordings are hardly unidentifiable. While full names are not directly shared, Bloomberg reports that Alexa-recording reviewers can match specific recordings with the user's first name, account number, and device serial number.

Conversely, Google and Apple claim that recordings of users of their respective smart assistants are stripped of personally identifiable information -- although researchers across various disciplines and contexts have found ways of re-identifying "anonymized" data.

Google still has its own smart-assistant controversies. On February 4, the tech behemoth released an update to its "smart" home-security device, Nest, to enable smart-assistant functionality in pre-existing/pre-installed devices. The problem was that nobody outside of Google previously knew that Nest devices came equipped with a microphone -- a fact that Google conveniently "forgot" to mention.

Meanwhile, the IoT smart-home sector (variously estimated to be a $44-billion to $54-billion industry) represents a potential data-leakage threat even when what passes for full disclosure is present. Localytics, a mobile-engagement firm, calls the smart-home industry the "mother lode for mobile marketers" thanks to voluminous data generated by IoT smart-home devices themselves and additional data generated via apps and mobile devices used to manage and control IoT devices -- giving third parties access to nearly everything done and discussed in a person's sanctuary.

Personal privacy concerns aside, the upshot for the enterprise is that employees working or talking about work at home with Nest or other devices may have no idea who is watching or hearing information related to proprietary work product.

IoT spying on the road
This is a variation of what is known as the "evil maid" threat. The scenario commonly presents as a maid or other worker -- having access to the employee's quarters (whether a home or a hotel room) -- steals sensitive data, often by stealing or compromising an endpoint device. Here, however, the threat is less visible; through IoT devices that users or bystanders may not even be aware of, a hacker, a rogue employee, or even a bad-actor first-party or third-party company is potentially free to leverage any enterprise data that happens to be observed.

Away from home, too, devices are watching, listening, and tracking around the world. Last month, South Korean law enforcement busted a spycam ring that allegedly secretly recorded guests across 30 motels nationwide. More lawfully (but still disturbingly), since 2017, in-flight entertainment systems on airplanes have increasingly included cameras designed to watch passengers in turn, Orwellian style. The airlines have allegedly all but pinky-sworn to never use the cameras, but according to tech professionals, they appear ready to be enabled at any time by airlines and third parties (authorized or not) alike.

"We keep on hearing about all kinds of devices increasingly containing microphones or cameras, [and instances where IoT] devices are not apparent," Katell Thielemann, a Gartner analyst, told Security Now. "The best approach is not to allow any such device in hotel rooms or office environments -- and remove or unplug them if there are -- and to keep sensitive conversations [within] areas that can at least be visually inspected for lack of connected devices."

Related posts:

—Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.