While my career started on the technical side, first in helpdesk support and then as a technical support engineer, I have enjoyed the journey into Sales. Through this journey, I find that the best part of my day is when I get to work with customers and partners on solving technical problems. While working with organizations in the Midwest region, this is a top issue I frequently hear about: “I am concerned about smart speakers with the ability to listen and share data. I want to track them down so I can understand what is out there and where they’re located, so I can understand the risk, remove them, and educate our users about the risks.”
While devices like Amazon Alexa and Google Home are top of mind, devices like smart lights, connected thermostats, and more are equally of concern. Any device that you can audibly address and say, “Hey Siri”, “Hey Google”, “Hey Alexa!”, or “Hey, thing” to, has the ability to be a threat to organizations.
These concerns are nothing new in the security community, and while this Washington Post article gives a good background on the scope and concerns around this topic, there are still billions of IoT devices, and a noticeable fraction of those are smart speakers. The reality is that these devices can be used against organizations if someone is enterprising enough to take advantage of them.
In large hospitals, I’ve seen smart speakers located in board rooms, executive offices, a front information/security desk, a desk in a 911 dispatch center, an analyst’s desk in a SOC, and more. These devices bring risk to an organization through external threats and especially insider threats. One individual could walk into a board room and say, “Hey Alexa, record the next two hours,” or remotely access the device for listening, before a board meeting, sharing organizationally unique sensitive data.
While there are many articles that highlight how device users can review and delete recordings, these devices still pose a tremendous threat to organizations, especially when organizations don’t know if or where they exist.
- PC Mag – review and delete recordings
- ZD Net – research from Check Point on exploiting these devices
In my tenure at Ordr, I have worked with various organizations to locate these devices and secure their network. Here are some foundational steps I walk through:
Step 1: Find the devices/continuously monitor for these device types:
This is an easy one for Ordr.
- Ordr has profiles for all of these types of systems.
- Ordr is always on as well, so this is continuous. Not just a point in time or scheduled check for systems like this. No scanning required either – so no drops in coverage.
- How does Ordr see these systems? Just send a copy of your wireless traffic to an Ordr SCE Sensor. Ordr can see your Corporate and Guest Wireless (as that is where most of these live).
- Ordr discovers and classifies these systems automatically. Here is a screenshot of a few examples of these types of devices profiled by top manufacturers:
You get the point.
Step 2: Contextual Detail:
You will need to know where the device is, when it first appeared, where it is communicating, etc. You will have more questions at this point, and Ordr has the answers.
Here is an example of the information Ordr will give you:
You need, and get, network detail on the IP address, the MAC address, which wireless network the device is connected to, the access point it is connected to, location information, and the VLAN it is on, as well as when the device was first detected and last seen on the network by Ordr. These devices come and go, so the Network Stats capture the device's history, letting you track it over the time it has been in your environment.
Step 3: Removal of the Device
If you can’t get to the device physically, you can remove it from the wireless network. With Ordr integrated into your switches, NAC solution, or Firewall solution, you can either remove the device's connectivity completely or push a policy to restrict its access until you can address the educational moment with your colleague.
Below is an example of the communications this Amazon Alexa device had in the environment, and where you would push Ordr policy from our Flow Genome to your existing security systems.
I hope you found this to be helpful.
“Hey Siri, leave comment below.”