Army reminds remote workers that in-home IoT devices pose security risks
The Army wants to be sure teleworkers aren’t letting smart devices in their home listen in on any government work.
In a May 25 memo, Army CIO Raj G. Iyer laid out mandatory procedures remote workers must use to mitigate leaks of official government information. They apply to all military components, civilian employees and contractors.
Effective immediately, the memo states, the remote work environment for all approved teleworkers must free of internet-of-things devices. That includes more than 70 types of devices, from Bluetooth speakers, fitness trackers, smart kitchen appliances, TVs and gaming consoles and home security systems. The memo makes particular mention of personal home assistants – like Alexa and Siri -- from Amazon, Google, Microsoft, Apple and others.
If that’s not possible, teleworkers must remove from their workspaces all loT devices with an automated listening functions, such as smart TVs and smart speakers. Additionally, teleworker should turn off personal smartphones or tablets their work area or disable the "audio" access function, such as voice to text and automated assistants such as Siri.
“Personal home assistants capture and record good or bad conversations and activities within a home,” the memo states. Powered-on digital assistants can be listening and recording conversations, and even accidently recorded background chatter can include audio or images of critical unclassified information, personally identifiable information or Defense Department mission and operational data.
IoT-collected data from smart devices poses security and privacy risks, Iyer said. Law enforcement can access it for investigations, as can marketers for promotions. The service providers’ data can be hacked, and foreign intelligence services use connected devices to collect information for espionage, the memo says. The devices can also be leveraged for a botnet, much like the Mirai malware that in 2016 hijacked unsecured IP-connected CCTV cameras and launched a DDoS attack on an internet infrastructure company.
Teleworkers should be aware that these connected devices are less secure than conventional IT equipment, the memo states. They often use default user names and passwords, and their connected nature offers adversaries a large attack surface. Risks are not limited to remote workers. Teleworkers’ connection to DOD networks may “affect the security posture of DoD information systems and alter the information system's risk assessment that may then require the allocation of additional security controls or the introduction of compensating controls to reduce risk to acceptable levels,” Iyer wrote.
“At a time when the majority of the workforce is remotely teleworking, loT devices are an area of concern because it is likely that teleworkers use their personal devices, while connected to DoD's networks for official business conversations, in the vicinity of a smart device or application (e.g., Amazon's Alexa),” the memo states. “For these reasons, teleworkers must incorporate strong cyber hygiene practices in their daily telework routine.”
Connect with the GCN staff on Twitter @GCNtech.