Cheat Sheet: Smart devices
Is it safe to let Alexa onto your network?
“Smart devices” – like Hue lightbulbs and voice assistants? Is this really a business issue?
If there’s one lesson to be learnt from the last couple of decades in technology, it’s that genies don’t go back into their bottles. The devices you mention are marketed primarily at home users, but they’re finding their way into businesses, too. It’s smart to treat the current wave of gadgets as a case study, to get you ready for when the real whoppers turn up at your door – because some industrial smart devices make the familiar home brands look like absolute paragons of good citizenship. Getting it right with the first little appearances of automation technology will save you an absolute world of pain later.
Should I stick an Amazon Echo on my desk then?
It’s probably a good idea, for two reasons. First, from a business perspective, you should be embracing voice assistant devices simply because your customers will be talking to theirs, and your company’s products and skills need to be in the speech-recognition search databases – think of it as an evolution of search-engine optimisation. You might even consider developing voice-driven solutions for your customers. Quite aside from this, as I’ve mentioned, it’s never too soon to face up to the challenges that arise when newfangled toys arrive inside your corporate network, which is a whole different kettle of fish.
Are you saying that smart devices are a potential security risk?
Yes, but the question is more nuanced than it may sound. This a business that’s had a lot of early signalling in it, and that has rather muddied the water, with devices being described as smart that are nothing of the sort. Some of these can be very dodgy indeed: you have probably heard of the “smart” fridge that got exploited and turned into a junk email relay. Or, the cylindrical hotel I visited in New Orleans a few years ago, which lit up like a segmented, wriggling 26-storey worm when its entire fleet of in-room “smart” TVs was hacked. It turned out they were built on Windows XP: a good rule of thumb is that if you see the XP logo, that automatically disqualifies any claims about smart capabilities.
Even leaving aside such optimistic misnomers, there are plenty of potential misapprehensions out there. For one, little distinction seems to be made between “smart” devices that process input and the “smart” devices they control, such as those smart lightbulbs – even though they need to be handled quite differently.
So how can we tell which consumer devices are safe to use in a business setting?
The honest answer is that you can’t. Unfortunately, if you tell that to an overeager manager, they may just go and find a different expert to tell them everything’s fine.
The message, therefore, has to be that with today’s smart devices there is no perimeter. In a traditional network, you would enforce security measures at the border of your network; when devices are in constant contact with their control centres, no fortification can fully protect you from hackers, nor indeed marketeers.
What can we do?
Treat every device as untrusted: work out its communications requirements and give it nothing more. If possible, make each unit believe it’s alone on the network. The necessary features don’t have to be expensive, even at the bottom of the market. Set up a four-port router with a different VLAN on every port and that will eradicate a whole swathe of concerns at a single strike.
Isn’t anyone making businessgrade equivalents to these things?
Arguably, the business-grade versions are the originals. Tandberg cameras, Crestron Controllers, Polycom conference phones: they’re not marketed like consumer gear, but they embody similar principles. Building-access and HVAC systems may also qualify, although they focus on security rather than fripperies like voice control. And this is good news: it means your IT department should already have an idea of how to deal with “smart” hardware.
“Treat every device as untrusted: work out its communications requirements and give it nothing more”