Beware the IoT spy in your office or home via smart furniture, warns NSA

On this last day of National Cyber Security Awareness Month, which is also Halloween, let’s look at something “scary” – if you value privacy and security – as was pointed out recently by the NSA.

Years ago, it became a challenge to find a decent new TV which wasn’t “smart,” but now the NSA has warned that the same may become true for office furniture!

Why is the NSA talking about IoT office furniture? Because the agency has to buy desks and chairs the same as any other business. If that furniture is “smart”? Well then, that’s one more potential entry point into a network or an avenue for threat actors to gather sensitive information.

Apparently, connected office furniture is part of a growing business trend; IoT connectivity allows for the wireless tracking of how efficiently the workforce uses equipment and spaces. Data from integrated sensors in “smart” furniture is supposed to help companies improve workers’ productivity and potentially maximize existing spaces such as use it or lose it.

In the article, Connected Desks Aren’t What They Used to Be, the NSA wrote:

However, this connectivity and information gathering raises security and privacy considerations. As connected furniture becomes more common, you’ll want to consider potential vulnerabilities that may be integrated as part of an IoT wireless solution (e.g. the sensors themselves). Cloud infrastructures pose another potential vulnerability as more and more devices use the Cloud for data storage and are at risk for this information to be stolen. Privacy concerns may include the risk of revealing personally identifiable information (PII), through either accidental or intentional malicious efforts to extract information.

An October 2018 research report, China’s Internet of Things (pdf), was a project conducted by “SOSi’s Special Programs Division (SPD), the premier open source and cultural intelligence exploitation cell for the U.S. intelligence community.”

Many of you would likely rather poke a stick in your eye than read a 202-page report – a nice chunk of those pages consisting of IoT privacy policies, but it delves into how China is becoming more dominant in the IoT arena and is therefore in a position to dictate rules of international standards, including those that impact the security of IoT devices against unauthorized access.

The report looks at previous and known vulnerabilities in Chinese IoT products and discusses how Beijing’s “research into IoT security flaws and its growing civil-military cooperation raise concerns against gaining unauthorized access to IoT devices and sensitive data.” While we mostly hear about back-door flaws that enable unauthorized access to IoT devices, the report points out that “even authorized access to these devices may reveal large amounts of sensitive data on U.S. citizens.” That “authorized access to IoT data of U.S. consumers will only grow as Chinese IoT companies leverage their advantages in production and cost to gain market share in the United States.”

Not that it means your potential connected office furniture would be made in China, or contain components made in China, but… .

Now, back the NSA’s warning about IoT office furniture. The post stated:

NSA is thinking about the implications of connected smart furniture because, like business, we have to buy office furniture, too! Soon it may not be feasible to procure the old unconnected “dumb” furniture, as some estimates for growth in the smart furniture area project a 20% Compound Annual Growth Rate (CAGR) between 2018 and 2026. Not only will smart furniture be more common, it may become integrated with the rest of our connected buildings, homes, and lives to truly optimize the effects of connected things. Going forward, we will need to scrutinize all sorts of equipment to manage security and privacy implications in the workplace.

The bottom line is that connected devices provide more entry points for adversaries to attack a network than ever before. And as we enjoy more personalized care from everyday items like our office furniture, we may unknowingly be giving our adversaries more sensitive information than we intend.

You may not think that “smart” furniture will become an actual big thing, but some said that about other items – and good luck trying to find a decent vehicle or even a TV that isn’t connected. So if you want “dumb” furniture, then maybe you should consider shopping for it sooner rather than later when more office furniture will come with IoT connectivity?