Law firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.”  This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments.  IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.

But all this convenience comes at a price.  IoT devices are particularly vulnerable to compromise because they are largely invisible to routine patching (if they accept patches at all), often ship without security safeguards, and do not always enforce access controls.  A compromised device can, for example, serve as a backdoor for denial-of-service attacks, give an attacker control of locks and surveillance equipment, open opportunities for snooping on and recording phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.

Let’s look at some vulnerable IoT devices commonly found in today’s law firm:

IP-Connected Security Systems and Infrastructure.  Think of cameras, smart meters, and HVAC controls.  Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.

Smart Video Conference Systems.  This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet.  Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.

Printers & Phones.  Wireless printers can allow almost undetectable access to confidential information (real-time or stored jobs) or, if compromised more generally, could allow a hacker to obtain administrative passwords and create a bridge into the network.  Because VoIP phones are internet connected, their configuration settings may be altered to allow call snooping or even to place outbound calls.

Light Bulbs?  Yes, light bulbs!  According to the above ForeScout report, smart lightbulbs operate on Wi-Fi and mesh networks.  “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that ‘talk’ to each other to share the network connection across a large area.”  The more nodes, the more avenues for entry into a system, and each node is one more device that is rarely tracked as part of the network.

A Fine Line Between Business and Consumer Technology

Even where firms elect to limit the use of IoT devices as business technology for security reasons, employees carry their own consumer devices wherever they go, including to work.  Personal IoT devices like fitness trackers, digital assistants, and even over-the-counter hearing aids can create portals into corporate networks.  “A third of companies in the US, UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day . . . .”  Most wearable devices may be used as a launching point into the corporate network if the device is not secured.  And it should be obvious, but digital assistants like Alexa, Siri, and Google Assistant collect whatever is said in their presence—anathema to a law firm.

What to Do

  • Develop a BYOD policy that includes IoT devices, addressing which are allowed, what security is required, and what applications may not be installed.
  • Discover and inventory IoT devices that are connected to the network.
  • Consider vulnerability testing for any IoT devices under consideration for deployment.
  • Reboot smart products regularly.
  • Change default passwords and usernames, and ensure patches are applied when issued.
  • Keep connected devices on a segmented network where possible.
  • Do not purchase/allow IoT devices that cannot have their software, passwords, or firmware updated.
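The second and sixth items above (inventory the devices on the network, and keep them on a segmented network) can be checked against each other with a small script. The following is an added example, not code from the original article or from any vendor it mentions: it parses a constructed excerpt in ISC dhcpd lease-file style, compares each leased MAC address against a constructed approved-asset list, and reports two findings a firm would act on: shadow devices (leases for hardware nobody approved) and approved devices that are sitting on the wrong segment. The subnet-to-VLAN plan, the MAC addresses and the hostnames are all placeholders chosen for the example.

```python
"""Shadow-IoT and segmentation audit from DHCP leases.

Added example. Assumptions (all constructed for illustration):
  - Leases are available in ISC dhcpd.leases style text.
  - The firm keeps an approved-asset list keyed by MAC address that
    records the VLAN each device is supposed to live on.
  - MAC addresses, hostnames and the subnet/VLAN plan are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a simplified dhcpd.leases excerpt.
SAMPLE_LEASES = """
lease 10.10.1.20 {
  hardware ethernet 02:aa:bb:00:00:01;
  client-hostname "camera-lobby";
}
lease 10.10.1.21 {
  hardware ethernet 02:aa:bb:00:00:02;
  client-hostname "printer-3f";
}
lease 10.10.1.22 {
  hardware ethernet 02:cc:dd:00:00:09;
  client-hostname "fitband-1234";
}
lease 10.10.50.5 {
  hardware ethernet 02:aa:bb:00:00:03;
  client-hostname "smart-tv-conf";
}
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Extract (ip, mac, hostname) from each lease block; skip blocks with no MAC."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue
        host = HOST_RE.search(body)
        leases.append(Lease(m.group("ip"), mac.group(1).lower(),
                            host.group(1) if host else ""))
    return leases


# Constructed segment plan: which subnet carries which VLAN.
SEGMENTS = {
    ipaddress.ip_network("10.10.1.0/24"): 10,   # staff workstations
    ipaddress.ip_network("10.10.50.0/24"): 50,  # isolated IoT segment
}


def vlan_for(ip):
    """Map an address to its VLAN under the segment plan, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for net, vlan in SEGMENTS.items():
        if addr in net:
            return vlan
    return None


# Constructed approved-asset list: MAC -> (label, VLAN the device must sit on).
APPROVED = {
    "02:aa:bb:00:00:01": ("camera-lobby", 50),
    "02:aa:bb:00:00:02": ("printer-3f", 50),
    "02:aa:bb:00:00:03": ("smart-tv-conf", 50),
}


def audit(leases, approved=APPROVED):
    """Flag leases for unapproved hardware and approved devices off their segment."""
    report = {"shadow": [], "missegmented": []}
    for lease in leases:
        entry = approved.get(lease.mac)
        if entry is None:
            report["shadow"].append(lease)
            continue
        _label, expected_vlan = entry
        if vlan_for(lease.ip) != expected_vlan:
            report["missegmented"].append((lease, expected_vlan))
    return report


if __name__ == "__main__":
    result = audit(parse_leases(SAMPLE_LEASES))
    for lease in result["shadow"]:
        print(f"SHADOW      {lease.mac} {lease.ip} {lease.hostname!r}: not in inventory")
    for lease, want in result["missegmented"]:
        print(f"MISSEGMENTED {lease.mac} {lease.ip} {lease.hostname!r}: "
              f"on VLAN {vlan_for(lease.ip)}, expected VLAN {want}")
```

Run against the constructed sample, the script reports the fitness band as a shadow device and the lobby camera and floor printer as approved devices still sitting on the staff VLAN; the conference-room TV, already on the IoT segment, produces no finding. In practice the lease file would come from the firm's DHCP server and the approved list from whatever asset register the inventory step produced.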

Last, to learn more about managing IoT risk, consult the latest publication on IoT from the National Institute of Standards and Technology, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.