One of my monthly Privacy Professor Tips readers recently sent me a question
about some unusual coincidences. It seems that information that he and
his wife discussed at home, or activities they did on their home
computers, would then be brought up at his wife’s work office by her
coworkers, and they would discuss those same topics, or make
out-of-the-blue comments to his wife at her office about those topics in
the days following the conversations at home. He suspected they were
being spied on somehow, but wasn’t sure how it was being done. He asked
me to describe some of the possible ways.
With what may be the majority of office workers throughout the world
now working from home, cybercrooks and business competition are actively
exploiting the vulnerabilities that are present in most home offices.
This series of blog posts focuses on four ways in which digital spies
enter home office areas, and some information security and privacy
protections you can put in place to shut the holes in the digital
pathways created into your organization through working from home office
areas. Part 1 provides an overview of digital spies coming through IOT
devices.
Anything you do on a “smart” Internet of Things (IOT)
device can potentially be captured by a cyber attacker. Any type of IOT
device is a potential pathway into your home. Just a few of the many
types of popular in-home smart devices include:
- Smart personal assistants. These are devices such as Google Homes and Alexa Echos and Dots. Not only are these devices vulnerable to hackers listening in on what goes on within homes, the smart assistants also have been revealed to make recordings of what is going on in the vicinity of the devices, even when the trigger words were not used. These should not be used where business meetings and conversations take place.
- Smart TVs. These have caused cybersecurity and privacy concerns since shortly after they were introduced to the market. Hackers, competitors, and the employees of, third parties of, and systems used by the smart TV providers can not only control your unsecured TV in many cases, but they may also stalk your movements in the vicinity, and record meetings and conversations through integrated unsecured cameras and microphones. These should not be used where business meetings and conversations take place.
- Smart security systems. Many incidents have occurred through home security systems such as Ring, Nest, and others. These increasingly-used IOT devices provide a pathway to view and listen in on what is going on in the home. If a security camera is watching and/or listening to the business meetings taking place in home offices, this could result in corporate secrets being discovered, intellectual property being stolen, or personal data of customers or patients being breached, just to name a few.
- Smart light bulbs. Yes, these are probably more widely used than you might imagine. They can also be used to communicate with, control, or steal data from, other IOT devices. If remote workers want to use smart light bulbs, they should use bulbs that require a smart home hub with data security and privacy controls set to protect data and conversations in the home, and avoid those that connect directly to other devices.
- Smart toys. Many children’s toys are now smart, and communicate directly with your child. However, these smart toys have been discovered by researchers to have many privacy risks, to store everything heard in the toy vendor’s cloud, and to share data with third parties such as marketing and advertising agencies. Such smart toys should not be within home offices.
Whether or not these, and a long list of other available IOT
gadgets, become spies all depends on the security and privacy controls
in place. Do not assume devices come with security and privacy controls
in place by default; generally, they do not. If you have these in your
home, where you are now working from, make sure you implement layers of
security controls to keep spies from taking information about your
business. If you are responsible for data, cyber, network, applications,
and/or systems security at your organization, make sure your work from
home employees know how to keep their IOT devices from being spies or
malware delivery paths into your business.
Four basic security and privacy actions to take:
- Keep IOT devices unplugged, or if this is not possible, turned all the way off, when not in use.
- Set the IOT devices’ security settings to the strongest possible.
- Incorporate IOT devices within your wi-fi network, behind the wi-fi firewall, instead of implementing them to connect directly to IOT vendor clouds or to other nearby IOT devices.
- Do not put IOT devices in the rooms where business activities, conversations and meetings are being performed.
Know and follow your organization’s work from home security and privacy policies and procedures.
If you are responsible for your organization’s policies and
procedures, take other actions to ensure employee-owned, as well as
organization-owned, IOT devices are appropriately secured, as applicable
to your organization’s type of business. Make these actions part of the
work from home requirements in your employee work agreements, and
incorporate them into your organization’s information security and privacy work from home and mobile working policies and procedures.
Part 2 of this series will provide an overview of how cyber spies get into home and remote offices through device apps.