What can possibly go wrong as the Internet of Things becomes more prevalent in our work and daily lives?
From passkeys to cameras in hallways to wrist gadgets that count steps and even tell time, devices at the core of the Internet of Things have become more ubiquitous than cell phones. IoT devices are inside the wheels of your car, they’re keeping track of the food in your fridge, and they’re inside the inventory scanners in your warehouse.
They are small, inexpensive, and seemingly harmless. You can buy them from Amazon, Walmart, and Home Depot. What can possibly go wrong?
The problem is that some IoT can be entry points to much larger systems, and once a bad actor uses one as a way into a network, the ensuing mayhem can be hard to track and costly to repair. In short, most IoT devices are as secure as a hundred-dollar bill on a city sidewalk, and as a copier-printer dealer, it’s part of your job to ride herd on the ones in your customers’ offices.
“Part of the problem is that they are not treated the same way as other devices on a network, so they are not always secure,” said Kevin Kern, senior vice president for digital transformation and emerging technologies at Konica Minolta. “IoT has a lot of conveniences, but like many things in our connected world, the convenience comes at a price.”
A key difficulty Kern cites is that many IoT devices are nearly invisible and rarely thought of. “They should be treated like a laptop or tablet or other device on a network, but they are often not ‘eyes on’ devices,” he continued. “This makes them more vulnerable to phishing attacks because the bad guys can use such weaknesses to get into a network, and no one notices.”
Weakness at the Endpoints
A key weakness on any device or network is the “endpoint,” a buzzword for devices at the nether ends of a network that communicate with the network. These devices may be moved on and off a network with security applied as an afterthought, if at all. Endpoints may be servers, workstations, printers, desktop, and laptop computers, smartphones, as well as IoT devices. That’s just in the office. Shift to your customer’s remote employees, and the list of devices on each employee’s unprotected network probably includes an MFP or two, personal computers, tablets, smartphones, and more IoT devices, all of which a hacker worth a can of Red Bull can use to connect to your customers’ network.
Okay, the IoT devices in an employee’s fridge or coffee maker are probably not a threat, but a home’s anti-intrusion system could be. Many of these use a home’s internet connection. And who knows what the endpoint device is? (Or even if there is one?) The endpoint could be the device someone uses to do a little binge shopping on eBay or a 12-year-old’s laptop running Fortnite while mom or dad are connecting to their offices over the local cable connection. Is any of it secure?
To start crafting a solution, talk with your customer. Encourage them to think proactively about network protection and require it for employees connecting to a central office. Many people already use a VPN (virtual private network) when connecting to their office, and as remote work becomes business as usual, it makes sense for remote workers to have VPN software on their home computers. Some employees will resist, but dealers’ customers can also appeal to employees’ own interests: Most employees probably have a variety of PII (personally identifiable information) on their various computers, so an employer can talk with them about the risks open networks may pose to their personal information while emphasizing that part of their job is ensuring that customer information is also safe and secure. If your dealership supports managed IT services, you have a dog in this hunt too because security should be part of your offering. After all, if things go a little sideways, you’ll be one of the first to get a call.
Infrastructure Security
So back to IoTs.
One potentially hazardous device that is cropping up in many homes is named Alexa. Alexa is a form of AI (artificial intelligence) that lives on the network in a home. You talk, Alexa listens, and you get the music you want or a movie on Netflix. This seems convenient, except that remote workers are using Alexa on a network that includes a computer and a printer that communicate with their employer’s office. So, the data on that network may be anything but secure. And it may not end there.
“One of the things we think of at HP is that ‘security’ is not only about the device or the printer or even the network it’s on, but also the cloud,” explained Roz Ho, vice president and global head of software at HP.
She noted that HP has both enterprise and consumer clouds that cater to the differing needs of its customers. This has exemplified how vital strong device and network security must be. “You can never rest when it comes to security,” said Ho. “Apple and Google are doing what they can, and we add a layer to make a more secure layer when customers connect to a printer.”
IoT devices are here to stay and are not dangerous in themselves. Still, they can provide an entry point for bad actors seeking to place malicious software on a customer’s computer network, so whether the device is an endpoint or not, make sure the network is secure.
“Infrastructure security comes first,” said Steve Burger, head of engineering, VP product marketing at Ricoh. “The challenge comes in the trade-off between functionality and security. Locking everything up tight has drawbacks, too, and can make a network too restrictive.”
It Can Happen Here
“Some research we’ve seen indicates that four of the top five risks to corporate security are IoT devices,” noted Konica Minolta’s Kern. Sound unlikely? It did to the hotel chain that learned the hard way that the keycards customers use to access their rooms could also give hackers access to guests’ credit card information, guest rewards accounts, and more. The thing is, all kinds of information are out there. A few minutes searching the internet shows various ways of hacking hotel-room keycards to get into any room you choose. And once someone is in the room? He or she can use a default password to open the room safe where your customer stashed a company laptop while out to dinner. According to articles in both The New York Times and Forbes, such threats are why some hotel chains are turning to check-in processes that include a smartphone app. These apps let guests operate elevators, enter fitness centers, pools, and parking garages, and open exterior doors. This shift is a direct result of IoT devices being hacked.
None of this means IoT devices should be eliminated, but they should be better controlled. Making this difficult has a certain Wild West quality to the pervasive intrusion of these devices. Unlike computers, smartphones, and printers that do many things using established operating systems, most IoT devices are designed to do just one or two things. They rely on standard-free, unique software that interfaces with existing networks reliant on Windows, Mac OS, or Linux but don’t require the overhead of the full-featured systems. As noted earlier, this semi-covert nature enables them to go almost unnoticed while providing access to computer networks that bad guys might want to infiltrate—such as the network at the accounting firm where three dozen of your copiers and printers reside.
Because the security presently installed on your customers’ networks may not be much safer, it’s up to dealers to work with customers to strengthen their networks and ensure the door locks, access cards, and endpoints are as secure as possible. Dealers can provide asom variety of technologies such as a VPN, multi-factor identification, and even a backup that provides the ability to both remotely wipe and create a trusted data store in the cloud.
Although IoT devices can be a real threat, there are, at least for now, ways of mitigating the risks. You may not yet be in the managed IT business. Still, you, your salespeople, and service techs must at least be cognizant and even conversational about the challenges your customers may face. The printer vendors interviewed for this story are fully aware of the risks and can help you provide customers with solutions that will make the networks behind your copiers, printers, and IoT devices safer and more secure. For dealers, there is an opportunity here for making sure customers’ networks, the machines you sell, and the little IoT devices customers’ employees bring to work are less likely to give bad guys access they shouldn’t have.
Access Related Content
To become a subscriber, visit www.thecannatareport.com/register or contact cjcannata@cannatareport.com directly. Bulk subscription rates are also available.
You're viewing Managing It: the Security Pitfalls of Iot, in a text-only format to view this issue in all its entirety please download it from our Past Issues page
