
Device Risk

What businesses need to know before adding IoT to the network


Sometime in the future — perhaps tomorrow — another office employee will bring in a new smart device to work.

After connecting to the office wireless network, that device might communicate with other technology to make coffee in the morning, monitor air temperature throughout the building, dim the lights as a sales presentation loads on the TV, and vacuum the floors after work hours. 

These devices might work on their own or in tandem with others on the wireless network, but businesses introducing “internet of things” devices — known as IoT — should take a deeper look at the effect these devices might have on business security, experts say. 

Versions of network-connected devices have been part of business, particularly manufacturing, for a long time, said Eric Davis, assistant professor of computer science at Iowa State University. 

Today’s IoT devices connect wirelessly to a local network, reach the internet through it, and collect and share data. These devices have started taking over small tasks — iRobot’s Roomba vacuum, for example, or a programmable coffee maker.

“This is the biggest challenge that I think people don’t realize with Amazon Alexa or IoT devices. The consumer-facing IoT devices that everyone wants in the workplace or their home … they are primarily ad-collection devices,” Davis said. “They’re not being paid for by the company in full, they’re being paid for primarily in ad revenue, which means that there are other people listening in at all times.

“The risk is less that anyone is going to directly overhear a conversation; I think that’s what everyone thinks about with IoT devices,” Davis said. “What’s more likely is just that these devices are collecting information about this space, about the environment, and profiling both the companies and the individuals within the company.” 

Data vortex
By nature of its service, Businessolver, based in West Des Moines, handles a lot of data. The company provides an employee benefits management software system and supports about 9 million people, including Businessolver employees, on its SaaS (software-as-a-service) platform.

Tom Pohl, vice president of IT systems at Businessolver, spends a lot of time thinking about how he can break into his company’s own system. 

“Information security is near and dear to us,” Pohl said. “Personally from a business aspect, internet of things doesn’t even belong on the network anyway.”

Preventing inappropriate usage of data starts by analyzing any potential risks an IoT device presents to each business — particularly leaving an open door for hackers to access the private network, Davis and Pohl said. 

“You always have to look at the risk of exposure of what you do and make that determination for yourself … ‘is this providing me enough value to put it in a place where someone else could potentially abuse it or take advantage?’ ” Pohl said. “It’s these questions that businesses should be asking. I think a lot of places don’t.” 

Just about any product can be an IoT device.

Lightbulbs and smart sockets are common search results over at Amazon, but you can also find an Alexa-compatible door lock, Alexa-compatible WiFi oil diffusers, smart LED lamps, smart cordless window blinds, coffee makers, thermostats and more. 

“Our landlord put in a new HVAC system that controls heating and cooling. That’s all network-connected — not to my network,” Pohl said. “Other things — AV systems, like your television sets in a conference room — everything now seems to be capable of being connected to the net. Whether or not you choose to connect it, or you choose which segment or which network you connect it to, is a whole other story.” 

IoT devices often carry extra capabilities — such as a built-in Wi-Fi access point the device broadcasts during setup — to ease installation as consumers seek to control more from fewer points of access, like a smartphone. When it came to the robot vacuum cleaner Roomba, designers built in exactly that: the vacuum puts up its own temporary wireless network so a phone can connect to it and hand over the office or home Wi-Fi credentials.

“They found more and more consumers wanted to set up the devices not by pushing a bunch of buttons on the shell, but by connecting their phone to the device,” Davis said. “The problem they had was, how do you connect to the device when the device doesn’t know the password to the internet? There’s no keyboard on a Roomba.” 

Any of the many brands of IoT devices on the same network can be rooted — taken over with administrative-level access — if its firmware is out of date, and every brand ships its own updates on its own schedule. Depending on the office, keeping all of them current can turn into a patching labyrinth.

“Now you have to worry, is your firmware on your thermostat up to date? Is your firmware on your smoke detector up to date? Is the firmware on your door cam up to date?” Davis said. “All of these things create an update hazard, because much like your computer — I think we can all relate to the fact that your computer says, ‘Hey, updates need to be installed,’ and at the end of the day a lot of us click ‘Remind me tomorrow.’ ” 

“Nowadays it’s like, ‘Why wouldn’t you put it on the network?’ Well, there’s a lot of good reasons,” Pohl said. “I protect things, but in order to protect things, you’ve got to know how to break into them.” 

“The big problem that WiFi presented a lot of businesses was the inability to fully control all network connections through physical audits. It does create some problems for businesses,” Davis said. “It’s hard to prevent people from opening up their own WiFi and hot-spotting off their phone, and then connecting their computer to both that and the internal network, which creates a wide-open gateway into your internal system.”

Intentional abuse
In the watch against bad actors, Pohl will pay penetration testers to see who can break into his company’s system. 

“I’ll hire people on an ongoing basis to come try to break into our system. … Anytime you introduce new code, or you change the functionality, you are potentially opening yourselves up to new risk. Security’s never done.” 

“If you know how to break into a system or abuse the system in a way it wasn’t intended to be used, then you can try to protect against it,” Pohl said. “It’s not just bad people on the internet. Sometimes it’s unintended issues, unintended consequences.” 

It’s not that hard to find unsecured devices. The search engine Shodan.io scans the internet for internet-connected devices — everything from refrigerators to power plant servers, as it advertises on the homepage.

Through Shodan, Pohl has found printers from school districts that are publicly accessible, he said, whose web interfaces include email addresses an attacker could harvest for spam lists.

“We’ve got kids in schools, and I’ve seen a lot of IoT things directly connected to the internet that are publicly accessible to anybody in the world,” Pohl said. “An HVAC system that’s directly connected to the internet and publicly accessible could potentially be compromised and used as a pivot to get inside somebody’s network and gain access.” 

A stray IoT printer in the school counselor’s office could lead a hacker to names, Social Security numbers or other personal information. Pohl, who once hacked a lightbulb to gain access to a DVR during an information security conference, says it’s not that hard to follow the signals.

“So if an HVAC system is on the outside of the network, and it’s on the same network that’s connected to, say, a file server that has [personally identifiable information], if I can break into the IoT system from the internet and pivot … and access their file server, now it’s potentially possible for me to gain access to a lot of personally identifiable information because their HVAC system was on the internet,” Pohl said. 

“The information is out there and it is available, but sometimes it’s confusing, sometimes it’s contradictory. I think with all things, there’s an education gap that we’re going to be fighting for a while,” Davis said. “Everyone says, ‘I don’t need cybersecurity, I’ve never been hacked.’ That’s what everyone says until they get hacked.” 

Pohl and Davis both recommend that businesses start segmenting networks — separating public WiFi from employee networks, and assigning a network strictly for IoT devices, separate from a network hosting sensitive business information. 

“I go to a bar and I get on the network. What should I have access to? The internet,” Pohl said. “What shouldn’t I have access to? Your point-of-sale register, your music device, anything else. … Each segment of your network is isolated and can’t talk to the other segments.”

Startup founders and telecommuters working out of a shared coworking space have to be aware of their personal internet security: running an antivirus program on their computer and enabling the host firewall so that file sharing and other local services are not exposed on a network they don’t control.

“A lot of people working in these coworking spaces don’t have a threat model where they need to worry about the guy next to them hacking into their stuff … [but] it’s definitely a question that needs to be asked,” Pohl said. 

The widely covered Target data breach, disclosed in December 2013, likely stemmed from a failure to segment the network so that a third-party vendor’s access could not reach point-of-sale systems within Target. In February 2014, ComputerWorld reported that Target’s attackers leveraged access through third-party vendor Fazio Mechanical Services, which managed refrigeration and HVAC systems for Target. Fazio had access rights to Target’s network for remotely monitoring energy consumption and temperature — which allowed attackers to access Target’s network undetected and upload malware programs.

Small businesses like Fazio, which specialize in third-party vendor services, have to manage those risks as well. Pohl recommends that businesses consider both sides of the coin — protecting themselves from vendors, and protecting parties the business serves — to ensure an attacker doesn’t slip past protected lines. 
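The segmentation Pohl and Davis recommend, and the Target lesson above, come down to a small set of rules a firewall or VLAN access list has to enforce: guest and IoT zones reach only the internet, and a vendor’s remote-access zone reaches only the equipment it services. The model below is an added example written for this page, not code from Businessolver, Iowa State or any product named here; the zone names, rules and invariants are constructed for illustration. It evaluates a first-match allow/deny policy between zones and audits it against those invariants, so the flat single-network case and the too-broad vendor rule both show up as violations while the segmented policy passes.

```python
"""Zone-based segmentation policy model (added example, not from the article).

Zones, rules and invariants are constructed for illustration. The model answers
the two questions a firewall or VLAN ACL has to answer: is a connection from
zone A to zone B allowed, and does the whole policy honour the invariants the
article recommends (guest and IoT reach only the internet; a vendor's
remote-access zone reaches only the equipment it services, never point-of-sale
or servers holding PII).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = "*"  # wildcard zone


@dataclass(frozen=True)
class Rule:
    src: str          # source zone or ANY
    dst: str          # destination zone or ANY
    action: str       # "allow" or "deny"
    note: str = ""


ZONES = ["internet", "guest", "iot", "corp", "pos", "hvac", "vendor"]

# Who may *initiate* connections to whom. Return traffic is assumed to be
# handled statefully by the firewall, so only the initiating direction is listed.
INVARIANTS: Dict[str, Set[str]] = {
    "guest": {"internet"},
    "iot": {"internet"},
    "hvac": {"internet"},
    "vendor": {"hvac"},  # the Fazio/Target lesson: vendor reaches HVAC only
}


def is_allowed(rules: List[Rule], src: str, dst: str) -> bool:
    """First matching rule wins; no match at all means deny."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst):
            return r.action == "allow"
    return False


def audit(rules: List[Rule], zones: List[str],
          invariants: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs the policy allows but the invariants forbid."""
    violations = []
    for src, permitted in invariants.items():
        for dst in zones:
            if dst != src and dst not in permitted and is_allowed(rules, src, dst):
                violations.append((src, dst))
    return violations


# One flat network: everything can talk to everything.
FLAT_POLICY = [Rule(ANY, ANY, "allow", "single LAN, no segmentation")]

# Vendor given blanket access "so remote monitoring works" (constructed).
BROAD_VENDOR_POLICY = [
    Rule("vendor", ANY, "allow", "too broad: reaches POS and corp as well"),
    Rule("iot", "internet", "allow"),
    Rule("guest", "internet", "allow"),
    Rule(ANY, ANY, "deny", "default deny"),
]

# Segmented: each zone gets only what it needs, default deny at the end.
SEGMENTED_POLICY = [
    Rule("guest", "internet", "allow", "bar patrons get the internet, nothing else"),
    Rule("iot", "internet", "allow", "devices phone home; no path to corp"),
    Rule("hvac", "internet", "allow"),
    Rule("vendor", "hvac", "allow", "vendor lands on the HVAC zone only"),
    Rule("corp", "internet", "allow"),
    Rule("corp", "iot", "allow", "staff manage devices from corp, not vice versa"),
    Rule("corp", "pos", "allow"),
    Rule(ANY, ANY, "deny", "default deny"),
]


def report(name: str, rules: List[Rule]) -> str:
    """One-line summary of an audit, e.g. 'segmented: OK'."""
    v = audit(rules, ZONES, INVARIANTS)
    if not v:
        return f"{name}: OK"
    return f"{name}: " + ", ".join(f"{s}->{d}" for s, d in v)


if __name__ == "__main__":
    for name, policy in [("flat", FLAT_POLICY),
                         ("broad vendor", BROAD_VENDOR_POLICY),
                         ("segmented", SEGMENTED_POLICY)]:
        print(report(name, policy))
```

Rule order matters: the broad vendor rule is caught because it sits above the default deny, exactly as a misplaced “permit any” would in a real access list. Translating the segmented policy to nftables, a switch ACL or a cloud security group is mechanical once the zone-to-zone table is agreed on, and the audit is the check worth re-running every time a rule is added.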

“It’s the kind of thing where you might not know anyone who’s been in a car accident, but we all buckle up because we see stories on the TV all the time about car accidents that happen, and we have kind of an understanding that it can happen to anyone,” Davis said. “It’s much harder to get people to understand it with privacy breaches or cybersecurity breaches.” 

Prevention
For its own company security, Businessolver hosts security awareness programs for staff members to teach them how to recognize potential threats, such as spam emails.

“Being abused and used is probably one of the biggest risks. Your resources and your infrastructure may be unknowingly used to help someone else perpetrate a crime, and could be used and abused to help perpetrate a crime against you,” Pohl said. 

Not every small business has the resources to dive extensively into cybersecurity needs, he said. 

“Who’s doing that for the small, five- or 10-person business? Are they even thinking they need to worry about that?” Pohl said. “They’re probably not. I’ve been in the small, five- to 10-person business, and I know that’s not your priority. Your priority is making money, daily operations to keep your business moving forward.” 

To bridge that gap, Pohl and his colleagues in Des Moines’ information security industry also host the monthly group SecDSM as a way to educate other businesses and Iowans about cybersecurity risks, and keep IT professionals in tune with industry challenges. The event has also hosted free workshops for school district and nonprofit employees, who otherwise wouldn’t have training to manage network security. 

“One of the real challenges within security and privacy is to show you the benefit you derived from something whose effects you never saw, because you never got impacted by a breach,” Davis said.