IoT on campus: where it is and how to secure it
security researcher, ESET
What is a network administrator to do with this invasion of connected, and thus hackable, devices?
If you’re paying attention to the development and proliferation of “smart devices,” it can seem like they’re everywhere: internet-connected thermostats, cars, vending machines, surveillance cameras, televisions, fitness devices, and even light bulbs. But the omnipresence of tiny, embedded computers in everyday devices also has a way of making them invisible to most people. What is a network administrator to do with this invasion of connected, and thus hackable, devices?
Which “smart” devices are in schools?
While the variety of connected devices on campus may seem overwhelming, the ones you might have to worry about are only a subset of the problematic devices that are out there. Internet-connected cars are more likely to be on a cellular network than a school’s wireless network, and network admins probably have some authority to opine about whether connected thermostats or household appliances are allowed to connect. Hopefully, if “smart” vending machines or surveillance cameras are implemented, you’ll have the opportunity to weigh in on which specific devices are allowed to join the network.
The more prolific (and uncontrolled) types of “smart devices” on campus are likely to be those brought by students, and it’s possible they may not even think of these devices as internet-connected until someone or something stops them from being connected. So how are you supposed to protect your network against the tide of unsecured Internet of Things (IoT) devices?
What to do with the IoT in your environment?
Because options for improving security on these devices will be somewhere between limited and non-existent, much of what you can do will be in terms of monitoring and controlling traffic entering and exiting your network. On devices that are within your control, be sure to manually check for software updates regularly, and enable any security options that are available.
As we discussed in my previous two articles, when it comes to placing restrictions, context is crucial. Consider the context of use as well as misuse in each case. In areas of your network where sensitive data resides, you should have the authority to restrict which devices are able to connect to these areas, what types of traffic they’ll be able to transmit, and to what specific locations. It’s important to secure all devices, even ones that seem as innocuous as office printers.
Hopefully, you’ll have weighed in on what types of surveillance devices are used by your Public Safety department, so that at the very least you’ll be able to change the default administrator username and password to something that isn’t easily accessible to anyone who can use a search engine. If at all possible, these devices should also be on a separate area of your network that can be monitored for anomalous traffic such as sending video feeds to the wrong location.
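One way to monitor a dedicated camera segment for video going to the wrong location is to compare its outbound flows against a short allowlist. The sketch below is an added example, not code from the original article. The addressing plan, the recorder and NTP addresses, and the comma-separated flow format (as might be exported from a firewall or flow collector) are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing plan (hypothetical): cameras sit in their own segment and
# should only ever talk to the video recorder and an internal NTP server.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = {
    (ipaddress.ip_address("10.20.40.10"), "tcp", 554),  # recorder, RTSP
    (ipaddress.ip_address("10.20.40.10"), "tcp", 443),  # recorder, HTTPS
    (ipaddress.ip_address("10.20.1.5"), "udp", 123),    # internal NTP
}

# Constructed sample flow records: src_ip,dst_ip,proto,dst_port,bytes
SAMPLE_FLOWS = """\
10.20.30.11,10.20.40.10,tcp,554,48211934
10.20.30.11,10.20.1.5,udp,123,180
10.20.30.12,203.0.113.77,tcp,443,91344120
10.20.30.12,203.0.113.77,tcp,443,1200
10.20.30.13,10.20.40.10,tcp,23,640
10.20.50.8,198.51.100.4,tcp,443,5000
bad,line
"""

def find_anomalies(flow_text):
    """Return {(camera, dst, proto, port): total_bytes} for camera traffic
    that is not on the allowlist. Malformed records are skipped."""
    hits = defaultdict(int)
    for line in flow_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port, nbytes = int(parts[3]), int(parts[4])
        except ValueError:
            continue
        proto = parts[2].lower()
        if src not in CAMERA_NET:
            continue  # only the camera segment is in scope here
        if (dst, proto, port) not in ALLOWED:
            hits[(str(src), str(dst), proto, port)] += nbytes
    return dict(hits)

def report(anomalies):
    """Order findings by volume so large off-segment transfers come first."""
    return sorted(anomalies.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (src, dst, proto, port), nbytes in report(find_anomalies(SAMPLE_FLOWS)):
        print(f"{src} -> {dst} {proto}/{port}: {nbytes} bytes")
```

On the sample data this flags one camera sending a large volume to an address outside the campus ranges and another reaching the recorder on a port that is not allowlisted; the same allowlist can serve as the basis for the segment's firewall rules.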
As IoT devices could fall into the category of help or hindrance in a classroom setting, you may choose to allow teachers to decide whether or not to ban devices from connecting to Wi-Fi. This will not prevent mobile devices from connecting to a cellular network, if there is a need for emergency communication.
Safety and privacy
Another important concern regarding IoT devices is their effect on privacy and personal safety. While the information these devices store and transmit may seem innocuous, attackers can be quite creative in using it to extrapolate more sensitive data.
More and more organizations are starting to scrutinize the use of fitness devices, as awareness increases about the real-life consequences of broadcasting your location. While college campuses don’t require the same level of concealment as secret military bases, openness can bring its own set of problems. Because campuses are hives of activity, it’s easier for an adversary to take advantage of physical proximity to eavesdrop on or redirect traffic from someone’s connected device.
Colleges are especially likely to be familiar with problems associated with harmful pranks and harassment, and IoT devices are increasingly being used for these purposes as well. Few current “smart” devices are adequately monitored within the environment where they’re being used, and devices themselves rarely record logs of their own activity, so it can be difficult for the target of malicious behavior to even prove that it’s taking place.
Even passive monitoring of personal devices may be a difficult policy to sell within a higher-ed environment. By creating Acceptable Use policies that include consequences for violating the privacy or safety of fellow students or staff, you can establish the authority to investigate if someone feels they are being endangered through their IoT devices.
While the presence of “smart” devices naturally increases the complexity of your network environment, it does not create an insurmountable obstacle to protecting either people or data. By being deliberate and planning ahead, you can help mitigate the extra risk.