More than 50 years ago, the CIA, in collaboration with a Dutch specialist in radio waves, tried to bug the Russian embassy using office furniture. This was in retaliation to the tapping of the US Embassy in Moscow. At that time, the technology used was revolutionary. Nowadays, we allow our office furniture to be totally connected to the internet. What are the risks of the ‘connected office‘?
In 1952, the American Government discovered that their embassy in Moscow was being tapped using an unknown technique. The listening device was hidden in the eagle donated by Russia, which was hanging in the ambassador’s office. The CIA was not able to reproduce the technique itself, and turned instead to a small Dutch company on the North Sea coast that specialized in radio waves and technology. An intensive collaboration developed , which resulted among other things in the successful placement of test equipment in the leg of the Russian ambassador’s new office desk in The Hague. ‘Operation Easy Chair’ was the start of many later espionage techniques.
Today, it seems that no complicated operations need to be planned in order to gain access to company-sensitive information. Worldwide, offices are increasingly provided with ‘intelligent’ solutions and packed with sensors connected to the internet. The NSA recently warned in an article of the risks of the connected office.
The NSA report said: “Connected devices provide more entry points for adversaries to attack and while we enjoy personalized care from everyday items such as our office furniture, we might be unknowingly giving our adversaries more sensitive information than we intend. “
Hacking IoT devices a real threat
The NSA report comes in a time whenthe public has hardly ever heard of hacking IoT, other than some large scale attacks, but where professionals are already seeing some developments which, 10 years’ ago, no-one ever imagined could happen. Darktrace is one of the companies trying to prevent attacks on IoT-networks
Nicole Eagan, CEO of Darktrace said about a year ago “”There are many internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface, and most of this isn’t covered by traditional defences.“
She continued, citing an example of hacking companies in a way nobody thought of before: “They hacked a casino through its internet-connected thermometer in an aquarium in the lobby of the casino. The hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and then pulled it back across the network, out the thermostat, and up to the cloud.”
Hardware and software hacking
Today, everyone is aware of phishing email and viruses posing a software-based threat. The possibility of using poorly developed hardware devices to get into a companies’ networks is less known. It is even possible hackers use a backdoor in a sensor or other IoT device, that was built in by the manufacturer.
A report issued by the USCC states in its summary “China’s research into IoT security vulnerabilities and its growing civil-military cooperation raise concerns about gaining unauthorized access to IoT devices and sensitive data. In addition, China’s authorized access to the IoT data of U.S. consumers will only grow as Chinese IoT companies leverage their advantages in production and cost to gain market share in the United States, based on the terms of use and sweeping Chinese Government data access powers”
At the moment, almost everybody is aware of the tension between Canada, the USA and (parts of) Europe on the one hand and China on the other in the case of Huawei being blocked from 5G-network tenders in western countries.
New solutions bring new entrance points
The development of the ‘connected office’ whether it is with lockers including an internet based management system, a desk that has sensors for individual settings, or a meeting room with sensors for occupation control, brings new hardware and software into your office that could be used as entrance point for third parties you don’t want in your systems.
David Jacoby, Security Evangelist, European Research Center (Nordics) at Kaspersky Lab adds ”Anything communicating with anything is a potential problem, it all depends on the implementation. Let’s imagine you have an office chair, that doesn’t do anything other than register things from the user, like weight, posture, time used on the chair etc. and then wirelessly communicates this with an PC or smartphone.
Depending on how this device communicates with the PC or smartphone, different risks occur. If it’s over WIFI, maybe the private keys are stored in the chair, and bad guys can extract these keys via some vulnerability get access to the WIFI.
Other risks could be that the implementation in the chair and PC/Mobile gets outdated and years later, a researcher/hacker finds a vulnerability in that implementation resulting in further attacks. Maybe you can use the chair to communicate with other devices which its not intended to do. If you can get 100 000 chairs to communicate with the same machine, you have just created a DDoS attack/botnet.”
David continues: “If its only sensors without control, you have the same problems as the chairs. But if you also start adding additional “layers” of functionality, such as controls, you might have many other scenarios. Let’s say the attacker can force the fire extinguisher to go off, or change the heating in the server rooms, the threats grow with every layer you add .”
Office furniture manufacturers recognize possible threat
Office Furniture manufacturers are in most cases aware of the threat of hacking the equipment they are selling. Steelcase is the largest office furniture manufacturer in the world, and one of the trendsetters in the field of integration of IoT and furniture. Stu Berman, Information Security Architect at Steelcase agrees with the warning of the NSA : “Any electronic device poses a potential threat to the network and other devices connected to it. The highest level of risk is putting a device on a sensitive network with no network controls between these cloud-connected devices and sensitive on-premises systems. There are various approaches to mitigate these risks through network isolation, through network behaviour anomaly monitoring, and network access and flow control tools.”
Nick Butterfield of Herman Miller also acknowledges the possible threat: “This concern is something Herman Miller takes very seriously, and we always communicate information about this risk to our customers”
Gert-Jan de Kam of the Dutch VDB Group: “Almost all Smart Building solutions that we know use the Internet / ICT infrastructure of the user organization. Our solution “Iotspot” is, as far as we know, the only solution that makes use of mobile internet connections and functions independently. This distinction is crucial because Smart Building solutions over the user’s infrastructure pose a much greater security risk”.
‘Over 20.000 attacks on our IOT Cloud Platform’
Almost all approached manufacturers point out the differences between an IoT system that is integrated in the user’s network and a system that is separate from the user’s network. In the latter case, the risks are considerably lower than in the former. Nevertheless, Steelcase has experienced third parties attempting to gain access to Steelcase’s systems.
Stu Berman of Steelcase : “While we have not seen attacks that were able to penetrate the multiple levels of defense we have in place, we do monitor the attacks taking place. For instance in August 2018 we saw more than 20,000 attempts on our IOT cloud platform from around the world. Many originated with an IP address source in China, followed by Germany and then US registered addresses. None of these attempts was successful. ”
Threats not only online
Although one might think of an online hack in the first place, the threat comes not only from hacking a WiFi network, or a cloud solution from one of the manufacturers. Ever thought of your locks? Modern lockers in the workplace are often part of a lock management system, not only managing the locks of lockers but also of the doors in the building your office is located. Those locks are commonly operated with a card. The card sends a signal via NFC (Near Field Communication) and the lock identifies the owner of the card and grants access.
Cards can be cloned using NFC technique. Cards can be cloned when they are in your wallet or bag by someone standing next to you in an elevator. Watch this movie with a proof of concept for security badges
Erik Plasmans is General Manager of Zens, a supplier of wireless charging devices and one of the innovation leaders in this field in Europe. As a supplier to the office furniture industry, Zens is involved in the development of smart office solutions. Plasmans says: “We notice that banks and insurance companies are already separating their company networks and the IoT infrastructure for safety reasons. We also see that employees don’t want to be ‘followed’ and ‘identified’ by apps on their phones. That’s why we launch a new product in April 2019, together with Veyl: Intuitive contact with a workplace, without opening your app, without leaving personal data, without Bluetooth pairing. It works like this: people download an app from the cloud, where the user does not have to leave data to make the table go up and down. The tables themselves are not connected to the Internet, but the telephone sets up the connection with the cloud (the telephone is the gateway), which also addresses a Bluetooth module in the steering box. The (Veyhl) steering box is therefore not accessible externally via the internet, in contrast to some other systems on offer in the market.”
Awareness is key
Companies should be aware of the risks of a ‘connected office’. We invest plenty of money trying to make our computer systems safe. We protect our laptops, our mainframes, our cloud infrastructure and monitor for unwanted third parties trying to get in. We should also not forget to protect the backdoors of our office. As we mention above, Herman Miller tlls their customers about safety . Bergman of Steelcsae adds “ Steelcase monitors threats in our systems and addresses them in a timely manner through code updates or customer communications. Where a customer needs to be involved (either through the nature of an attack or through action that needs to be taken by a customer) we work directly with our customers and the dealers they are used to working with. Steelcase has incident response processes to address actual incidents.”
50 years after bugging Russian Office Furniture
50 years after bugging the office furniture in the Russian Embassy, our offices are more connected than ever. Access points for unwanted intruders are numerous and growing with the rise of connected furniture. Our systems can be hacked via a fish tank, and many other ways nobody ever thought of before. A few months ago, the Dutch Secret Service arrested four Russians. They were sitting in a recently hired van parked in a public parking place close to the OPCW. In the van, the AIVD found sophisticated tools for hacking the WiFI network of the OPCW in a way “ we have not seen before” the Dutch government said in a press release.