I’ve been on a bit of a hiatus from posting over the past couple of weeks, during which I had a bench trial on a trade-secrets injunction. Since that case is still pending, I’m not going to write about it just yet.
Today, let’s look at the so-called “internet of things” — the increasing number of household, business, and other objects that are now internet enabled. I love being able to access things like my home alarm and thermostat remotely via my iPhone. And there’s no question that the “internet of things” will be growing exponentially in the near future. But does this present a threat to trade secrets and proprietary information?
A recent blog post by Michael Jordon shows the risks. He exposed security weaknesses in internet-enabled printers by getting a Canon Pixma wireless printer to run the classic video game “Doom.”
The post contains a lot of technical details. But most importantly, his exercise shows that internet-enabled printers lag far behind traditional network devices when it comes to security. This is critical: if someone can hack into your company’s printers, they could have access to all of the documents that were printed.
Jordon’s organization recommends avoiding the internet of things entirely:
Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device. To defend against the CSRF [cross-site request forgery] attack, well don’t follow any dodgy links is the best advice I can come up with. Context is not aware of anyone in the wild actively using this type of attack, but hopefully we can increase the security of these types of devices before the bad guys start to. Finally, make sure that you always apply the latest available firmware to your devices. This is often not an automatic process and may require checking on the manufacturer’s website for updates.
As time goes on, it will be very difficult, if not impossible, to avoid using the “internet of things” in a business context. When you do connect devices to the internet, assume that they have security vulnerabilities. Thus, before connecting the device to the internet, you need to work with your IT department/consultants to make sure that it has adequate security features.
Good advice. I also advocate making sure you have separate networks in the business, with the IoT TUPE devices segregated from your critical business information servers. This way, when the inevitable security breach happens, there is a good chance you can isolate it.
“TUPE” above was a gremlin – was supposed to read IoT type devices…