Devices and interconnected systems are finding a foothold not only in our homes but in mainstream organizations. Here are three tips to mitigate the risk.

David Lindner, Chief Information Security Officer

March 25, 2015

3 Min Read

It’s a Monday morning and time to go into the office and kick off the week. But before leaving the house, I need to write an executive summary for a client report that’s due by 8:00 a.m. I pull out my Livescribe 3 pen to write, which automatically synchs to my iPhone 6, plus allows me to email the summary to my CEO. Once the email is launched, I open the OnStar application on my iPhone and start my vehicle remotely so that it’s nice and toasty once I’ve braved a 10-degree jaunt to the car.

Inside the car, I pop my Jawbone ERA Bluetooth headset into my ear for a hands-free option while I take calls on my drive into the office. My CEO calls as I back out of the garage asking for a meeting to discuss my email. After hanging up, I ask Siri to set up the meeting. When I get to the office, I use Apple Pay on my iPhone to pay for parking. I get to my desk, open my MacBook Pro with the Knock iPhone application without typing in a password.

How many different, interconnected mobile devices are mentioned in that short anecdote? Devices and interconnected systems are finding a foothold not only in our homes but mainstream organizations. Apple TV, LiveScribe 3, and others are being used and connected to other devices or systems that connect directly to our locked down corporate infrastructures. Unfortunately, meeting the issues posed by complex networks overwhelms people. As such, scant attention is being paid to the security of the devices we are using in business. Given that these devices are inherently insecure, we have a problem, Houston!

Getting started
Recently, a financial organization asked me to test Apple’s AirPlay service: the sales team wanted to stream their presentations from their corporate-managed iPads. This organization did the right thing by first assessing the risk instead of rushing out to implement something new and shiny.

The goal of the project was to quickly connect to any Wi-Fi access point from the AppleTV and iPad, and then show the content on a customer, or potential customer’s overhead projectors. Think about all of the implications: a managed device, with sensitive data, streaming to an unmanaged device, on an untrusted network. This scenario presents so many unknowns, even before the security posture of Apple TV and AirPlay is assessed. Plus, there is no way to specifically disable AirPlay. The only way to dis-allow AirPlay is to block the iPad from connecting to ad-hoc access points completely, which would defeat the iPad’s purpose entirely.

This scenario is rapidly becoming commonplace as unknown devices slowly infiltrate our personal and business lives through known and unknown mechanisms. As security professionals, it’s our job to develop policies and procedures that vet and lock down any IoT device that is used inside our organizations. But where to begin? Here are my three recommendations:

  1. Pick three to five IoT devices that may help your organization provide better service to your customers, employees, and business partners (i.e., AppleTV, LiveScribe 3, etc.). 

  2. Perform a security verification of the devices. This undertaking should include testing relevant security control areas such as: Sensitive Data Protection (at rest, in use, and in transit), Authentication (both user and device), Authorization, Accountability, and Cryptography. If you have the know-how to do this internally, GREAT. If not, look to third-party consulting organizations that have expertise in assessing the security of IoT and Mobile devices. 

  3. Design specific policies and procedures around when and how the IoT devices should and can be used. When appropriate, work with the device vendors to provide a more secure, business secured firmware, software, or hardware for future implementations of their device.

Just like with mobility, IoT technology is creating a new class of bring-your-own devices within the corporate infrastructure. The IoT movement will only increase -- and at a staggering pace that may surpass that of mobile. As a business, we should acknowledge and embrace IoT device usage but also understand and mitigate risk where we can.

About the Author(s)

David Lindner

Chief Information Security Officer, Contrast Security

David Lindner is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field — from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights