Educause Security Discussion mailing list archives

Re: iOT Devices on Network


From: Jennifer Minella <jjx () CADINC COM>
Date: Wed, 20 Nov 2019 16:26:44 +0000

Hi Jeremy!
Segmentation is one piece, but there are probably a couple other critical considerations not related to architecture.

Some of these concerns likely won’t apply in all unis/environments but since they’re always listening, there are 
growing privacy concerns related to voice-controlled devices including Echos and Google Home. Specifically there are 
cases where eavesdropping is a concern, but also we’ve seen subpoenaed audio, both of which could be concerning in 
areas with I.P. including offices or labs in research areas. As for dorms, voice-controlled devices could be exploited 
to violate student privacy in several ways (via both apps and direct exploits) which could put students in physical 
danger in certain circumstances.

Other exploits/concerns would be related to how the user has configured it, including actions, ordering, and other 
authorizations by voice-controlled devices which could easily be exploited especially in shared quarters (rooms or 
offices). There’s obviously nothing you can do about that if they’re allowed since you don’t have control or visibility 
into the configs, but you may want to consult the uni’s legal counsel about limitations of liability and/or 
indemnification on those matters.

Of course these concerns are amplified by the devices that also incorporate video, since most researchers have found a 
way to remotely engage/enable video devices including those on laptops. But then again, the protection there is about 
educating the user vs. banning the device.

Hope that gives you some ideas to start with!
-jj
___________
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
jjx () cadinc com
919.460.1313 Main Office
919.539.2726 Mobile/text



From: Jeremy Livingston <jeremy () NJEDGE NET>
Sent: Monday, November 18, 2019 17:00
Subject: iOT Devices on Network

As a vCISO for a couple Universities, I've been asked to look at security of iOT devices such as Amazon Echo/dot and 
Google Home.

Other than separate network segments or other type of segregation, what security controls have worked for you or do you 
recommend?

Do you allow them on your main network or only in dorms?


Thanks and looking forward to hearing some great suggestions!



Jeremy M. Livingston
Associate Vice President, Security Solutions Development & Chief Information Security Officer
NJEdge <https://njedge.net/>
Jeremy () NJEdge net
1-973-985-4996 (m)

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
