The Internet of Things (IoT) has already proven itself to be a major trend in technology, and this progression shows no sign of slowing. Like a lot of tech trends, it has followed the path of consumer IT, and has transitioned from the commercial to the corporate world.
The smartphone, and the movement to bring your own device (BYOD), have infiltrated the workplace. A sticky consumer apparatus—first the cellphone, and later the smartphone—worked its way into consumer consciousness and has now become central to our professional and corporate routines. Smartphones represent the primary way that most people get work done. It’s how they interact with customers, and with colleagues.
Social networking followed a similar trajectory. It started with Facebook, and then reached a quasi-professional level with platforms such as LinkedIn. In recent years, social media has become a primary vector for both B2C and B2B relationships.
Why is this relevant? There is convergence between digital devices and social media. In their professional roles, more and more people are engaging with each other on mobile devices, using social platforms.
IoT is following the same adoption path as BYOD and social media. We now see wearable technology (smart watches, fitness trackers), smart speakers (Amazon Alexa), and smart TVs in the workplace. I often find myself sitting in executive offices, and there’s an Amazon Echo or Alexa sitting in the corner. People rely on Alexa to set up meetings, or to provide them with content or information. More and more executives use voice-based technologies for efficiency, since it gives them a convenient way to interface with their employees. I personally use voice and dictation to write most of my texts and emails.
The cloud behind the IoT
So, what’s the problem? What’s not being grasped? There’s a very large cloud back-end to most, if not all, IoT devices. To clarify, start thinking about the way Alexa works. It codifies your voice, sends it into the cloud, has it interpreted, contextualized, and then returns it back to the speaker. Data is being harvested and analyzed. What we’re seeing now is that in corporate environments there are several sources of data constantly being streamed to the cloud in ways that we, as enterprise IT staff, do not fully understand.
The kinds of data that consumers voluntarily surrender to the cloud are enormously personal in nature. In addition to codified voice, people share their locations, their movement habits, even their credit card numbers. Almost all this data is personally identifiable, and thus very sensitive. Yet the controls that are taken in harvesting, storing, and protecting this data are indeterminate, even weak. As a result, they represent considerable risk to the end consumer.
IoT in the workplace
Now, let’s extend this to the corporate environment. There are many IoT devices in the workplace that are interfacing with, and interacting with, the cloud. Smart TVs have applications on them that are fed by the cloud. Smart speakers are linked to the cloud. People use smart devices to obtain content, which is served up by content providers. Wearable technology such as smart watches and fitness trackers also have applications that are interfacing with the cloud, and their presence in our lives is so ubiquitous we don’t even notice it.
What about the data these devices are collecting? It could be the number of employees, or the location of staff. In the case of smart speakers or smart TVs, it might be recorded conversations, or access to boardroom meetings. All these devices could therefore divulge company know-how and secrets.
Unseen cybersecurity risks
Finally, let’s think about Bluetooth, and how it can forge unseen (and unwanted!) links between personal and corporate environments. Mobile devices on our networks are Bluetooth-paired to devices such as smart speakers and smart watches. Through the Bluetooth connection, several different things can happen: in addition to enabling a wireless connection with your headphones, Bluetooth can tether a smartphone to a computer, and transfer files. We have reached a stage in modern malware where espionage software on mobile devices is a reality, and vulnerable devices can provide access to corporate assets.
Let’s also think about the applications running on smartphones and smart devices. Do you use smart home security, a smart thermostat, or a smart dog feeder? How do smartphones interface, via the cloud, to these smart devices in your home? Dolev Farhi, moderator for the Hackable podcast and contributor of two articles to the CLX Forum book, Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives, has successfully hacked several IoT devices. In doing so, he was able to seize control of the data feeds going between the device and the cloud.
What happens if that device is a smartphone or a tablet sitting on your corporate network? If an active session to the cloud is seizable, I can open an https encrypted tunnel into your network. Your enterprise IT has no idea that this is happening.
Are you scared yet? You should be.