The Spies Who Eavesdrop on Your Work from Home: Part 1 – IOT

By Rebecca Herold

Last updated: May 5, 2020

One of my monthly Privacy Professor Tips readers recently sent me a question about some unusual coincidences. It seems that information that he and his wife discussed at home, or activities they did on their home computers, would then be brought up at his wife’s work office by her coworkers, and they would discuss those same topics, or make out-of-the-blue comments to his wife at her office about those topics in the days following the conversations at home. He suspected they were being spied on somehow, but wasn’t sure how it was being done. He asked me to describe some of the possible ways.

With what may be the majority of office workers throughout the world now working from home, cybercrooks and business competition are actively exploiting the vulnerabilities that are present in most home offices. This series of blog posts focus on fours ways in which digital spies enter home office areas, and some information security and privacy protections you can put in place to shut the holes in the digital pathways created into your organization through working from home office areas. Part 1 provides an overview of digital spies coming through IOT devices.

Spies get into your home through your IOT devices

Anything you do on a “smart” Internet of Things (IOT) device can potentially be captured by a cyber attacker. Any type of IOT device is a potential pathway into your home. Just a few of the many types of popular in-home smart devices include:

  • Smart personal assistants. These are devices such as Google Homes and Alexa Echos and Dots. Not only are these devices vulnerable to hackers listening in on what goes on within homes, the smart assistants also have been revealed to make recordings of what is going on in the vicinity of the devices, even when the trigger words were not used. These should not be used where business meetings and conversations take place.

  • Smart TVs. These have caused cybersecurity and privacy concerns since shortly after they were introduced to the market. Hackers, competitors and the employees, third parties of, and systems used by the smart TV providers can not only control your unsecured TV in many cases, but they may also stalk your movements in the vicinity, and record meetings and conversations through integrated unsecured cameras and microphones. These should be not used where business meetings and conversations take place.

  • Smart security systems. Many incidents have occurred through home security systems such as Ring, Nest, and others. These increasingly-used IOT devices provide a pathway to view and listen in on what is going on in the home. If a security camera is watching and/or listening to the business meetings taking place in home offices, this could result in corporate secrets being discovered, intellectual property being stolen, or personal data of customers or patients being breached, just to name a few.

  • Smart light bulbs. Yes, these are probably more widely used than you might imagine. They can also be used to communicate with, control, or steal data from, other IOT devices. If remote workers want to use smart light bulbs, they should use bulbs that require a smart home hub with data security and privacy controls set to protect data and conversations in the home, and avoid those that connect directly to other devices.

  • Smart toys. Many children’s toys are now smart, and communicate directly with your child. However, these smart toys have been discovered by researchers to have many privacy risks, to store everything heard in the toy vendor’s cloud, and to share data with third parties such as marketing and advertising agencies. Such smart toys should not be within home offices.

Whether or not these, and a long list of other available, IOT gadgets, become spies all depends on the security and privacy controls in place. Do not assume devices come with security and privacy controls in place by default; generally, they do not. If you have these in your home, where you are now working from, make sure you implement layers of security controls to keep spies from taking information about your business. If you are responsible for data, cyber, network, applications, and/or systems security at your organization, make sure your work from home employees know how to keep their IOT devices from being spies or malware delivery paths into your business.

Four basic security and privacy actions to take:

  • Keep IOT devices unplugged, or if this is not possible, turned all the way off, when not in use.

  • Set the IOT devices’ security settings to the strongest possible.

  • Incorporate IOT devices within your wi-fi network, behind the wi-fi firewall, instead of implementing them to connect directly to IOT vendor clouds or to other nearby IOT devices.

  • Do not put IOT devices in the rooms where business activities, conversations and meetings are being performed.

Know and follow your organization’s work from home security and privacy policies and procedures.

If you are responsible for your organization’s policies and procedures, take other actions to ensure employee-owned, as well as organization-owned, IOT devices are appropriately secured, as applicable to your organization’s type of business. Make these actions part of the work from home requirements in your employee work agreements, and incorporate them into your organization’s information security and privacy work from home and mobile working policies and procedures.

The next blog post in this series

Part 2 of this series will provide an overview of how cyber spies get into home and remote offices through device apps.

For more information, systems, applications and cyber security and privacy blog posts, click here.