Educause Security Discussion mailing list archives
Re: iOT Devices on Network
From: Jennifer Minella <jjx () CADINC COM>
Date: Wed, 20 Nov 2019 16:26:44 +0000
Hi Jeremy! Segmentation is one piece, but there are probably a couple other critical considerations not related to architecture. Some of these concerns likely won’t apply in all unis/environments but since they’re always listening, there are growing privacy concerns related to voice-controlled devices including Echos and Google Home. Specifically there are cases where eavesdropping is a concern, but also we’ve seen subpoenaed audio, both of which could be concerning in areas with I.P. including offices or labs in research areas. As for dorms, voice-controlled devices could be exploited to violate student privacy in several ways (via both apps and direct exploits) which could put students in physical danger in certain circumstances. Other exploits/concerns would be related to how the user has configured it, including actions, ordering, and other authorizations by voice-controlled devices which could easily be exploited especially in shared quarters (rooms or offices). There’s obviously nothing you can do about that if they’re allowed since you don’t have control or visibility in to the configs, but you may want to consult the uni’s legal council about limitations of liability and/or indemnification on those matters. Of course these concerns are amplified by the devices that also incorporate video, since most researchers have found a way to remotely engage/enable video devices including those on laptops. But then again, the protection there is about educating the user vs. banning the device. Hope that gives you some ideas to start with! -jj ___________ Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com<http://www.cadinc.com/> jjx () cadinc com<mailto:jjx () cadinc com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Jeremy Livingston <jeremy () NJEDGE NET> Sent: Monday, November 18, 2019 17:00 Subject: iOT Devices on Network As a vCISO for a couple Universities, I've been asked to look at security of iOT devices such as Amazon Echo/dot and Google Home. Other than separate network segments or other type of segregation, what security controls have worked for you or do you recommend? Do you allow them on your main network or only in dorms? Thanks and looking forward to hearing some great suggestions! Jeremy M. Livingston Associate Vice President, Security Solutions Development & Chief Information Security Officer NJEdge<https://njedge.net/> Jeremy () NJEdge net<mailto:Jeremy () NJEdge net> 1-973-985-4996 (m) [https://docs.google.com/uc?export=download&id=1RcisHzn-Y1rh4prok4Pz5k9I6Lox1L8s&revid=0B6YwmO-r_O_PdHp5bU1oL2MrWFF6RTVvdXNpRjJjZDNHcmtFPQ] ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- iOT Devices on Network Jeremy Livingston (Nov 18)
- Re: iOT Devices on Network Ron Horn (Nov 18)
- Re: iOT Devices on Network King, Ronald A. (Nov 27)
- Re: iOT Devices on Network King, Ronald A. (Nov 27)
- <Possible follow-ups>
- Re: iOT Devices on Network Jennifer Minella (Nov 20)