[Originally appeared in For the Defence, Criminal Lawyers’ Association Newsletter, Vol. 35, No. 1, March 2014, pp. 16-18]
Lawyers are aware of the risks in storing client confidential information on computers. Much recent discussion has focused on which is safer, your local computer or the cloud. Those questions turn on control, among other things. A criminal law practice may be particularly concerned with the trade-off between storing information on remote servers in a foreign country, where it may be more exposed to government intrusion, and keeping it on a drive in your office.
Technology does not stand still, though, and a growing number of devices beyond your laptop or desktop PC are entering law practices that, while not storing confidential information themselves, may be leakage points for it.
Welcome to the Internet of Things.
The phrase is becoming more common as the number of consumer devices connecting to the Internet grows. These devices, which range from coffee pots to lighting to baby monitors to medical device implants, are simply electronic products with the ability to connect to the Internet.
The challenge is that these appliances come with a different mindset. We are accustomed to computer operating systems that update themselves periodically, and we often keep a computer for three, four, even a half dozen years.
In contrast, many consumer devices are designed for the throwaway society. Producers keep costs low through built-in obsolescence. The devices are not made to be upgraded or patched, and they run homegrown or unmaintained software components that nobody is reviewing for security flaws, so a device often runs the same firmware, bugs included, for its entire life. They may also contain Internet-enabled features you wouldn't normally expect.
A recent example involved LG Smart TVs. Some purchasers noticed that their TV had a setting that sent information about what they watched back to LG over the Internet. This is common in Internet-enabled TVs. Unfortunately, turning the feature off made no difference: the TV kept sending viewing information back to the mother ship. As people looked more closely, they found it was also scanning the USB storage plugged into the TV and sending the names of the files it found back to LG, unencrypted.
This might not seem important on the surface. But think of the file management tips lawyers share. One is to use the full 250-odd characters available in a filename and to organize files in folders by client and matter. A filename such as c:\my clients\earp wyatt\burglary\k-boutique-March-18-surveillance-video.mpg identifies the client, the charge and the evidence on its own, and it could be sent across the Internet to your TV's manufacturer, or to the maker of any other device that can see the drive, without a byte of the file's contents ever leaving your office.
Everything connected to the Internet of Things requires an increased level of awareness of potential risk. Stories of strangers remotely controlling the lighting in a house, or yelling at a child over a baby monitor, are examples of devices that were improperly secured. At the least your devices should be properly password protected, so don't leave the factory password in place, and don't give your coffee maker the username “coffee” and the password “pot”. But a password will not fix the security gaps left by the product manufacturer. It could be disastrous if a confidential discussion with a client in your office is picked up by a device and broadcast or recorded without your knowledge.
One thing you should do with each Internet-enabled device is determine whether, in your office or home, it needs to be Internet accessible at all. Just because it can connect doesn't mean you should let it. If you decide that the Internet connectivity is important, then make sure it is secured. You might put it behind your law firm's firewall on its own network segment, with a rule that blocks it from sending to or receiving from the open Internet, while still allowing connections to it from inside your office network. Alternatively, you could place it outside your firewall in the so-called “DMZ”. That gives the device less protection against attack from the Internet, but it also limits the internal network resources it can see, so a compromised device cannot be used as a stepping stone to your file server.
Bruce Schneier discussed the growing risk, and opportunity for exploitation, of the network router in an opinion piece on Wired in January. Solo and small firm lawyers often use consumer networking products because they provide the right features at the right price. But if Mr. Schneier is correct, these routers, the gateway between our office or home networks and the Internet, could be highly vulnerable to attack. It is not hard to imagine a router being exploited and all of the traffic that passes through it being recorded: passwords, file metadata, plain text e-mails, and so on.
Many network attacks happen because an attacker stumbles upon a vulnerability, not because the victim was targeted. The 2013 IBM Cyber Security Index found that 49% of attackers are opportunistic, while 23% are the spooky cyber terrorists and criminals. Throw in that 15% of attackers are employees, and that gives you some perspective.
Here are some steps to reduce the likelihood that someone will stumble across a vulnerability that exposes your law firm:
- log in to your network router and make sure it has the latest firmware (the software built into it) so that security holes discovered after you bought it are closed. While you are there, change the administrator password from the factory default and turn off remote administration from the Internet side. If you don't find any updates and you've had the router for a while, consider getting a newer one;
- test which network ports outsiders can discover, using GRC's ShieldsUP! test. The more intrepid might follow the directions in Gain Information for an Ethical Hack from Open Ports, from Hacking for Dummies, by Kevin Beaver. A port is a numbered doorway through which information enters and leaves your network; a web server, for example, listens on port 80. Seen from the Internet, the result you want is that no port answers at all unless you deliberately run a service there;
- see if your network's Internet (IP) address is listed in Shodan (ShodanHQ at the time of writing, now shodan.io), a searchable database of Internet-connected devices that have been “discovered” and could be susceptible to an opportunistic attack. It lists the devices it found at that address, such as a web server or a networked hard drive, along with the greeting each one sent, and you can then block access to them on your network.
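The three steps above can be done by hand with the tools named, but the port test is easy to script. The Python program below is an added example, not part of the original article and not GRC's or Shodan's own tool. Run from a machine outside your network (a phone hotspot will do) against the public IP address your router shows to the Internet, it reports which TCP ports answer, what each open service says first (the “banner” that Shodan indexes), and which ports are silently dropped, which is the result you want. The target address and the list of probed ports are assumptions made for the example; scan only addresses you are responsible for.

```python
"""Added example (not from the original article): check, from outside your
network, which TCP ports on a host answer and what each open service says
first. That first reply is the "banner" that scanners such as Shodan record.

Usage, from a machine that is NOT on your office network, against the public
address your router shows to the Internet (203.0.113.10 is a placeholder):

    python exposure_check.py 203.0.113.10
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports that consumer routers, NAS boxes, cameras and "smart" devices commonly
# leave reachable. This list is an assumption for the example; extend it.
COMMON_PORTS = {
    21: "ftp",
    22: "ssh",
    23: "telnet (routers, cameras, often with default passwords)",
    80: "http (admin web pages)",
    443: "https",
    445: "smb (file sharing)",
    554: "rtsp (camera video streams)",
    8080: "http-alt (admin web pages)",
    8443: "https-alt",
    49152: "upnp (router control interface)",
}


def probe(host, port, timeout=1.0):
    """Classify one TCP port as seen from this machine.

    'open'     -> something accepted the connection
    'closed'   -> the host answered with a reset: nothing is listening there
    'filtered' -> no answer at all: a firewall dropped the packet, which is
                  what you want for every port you do not deliberately expose
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout and unreachable-host errors land here
        return "filtered"
    finally:
        sock.close()


def grab_banner(host, port, timeout=2.0):
    """Return the first bytes a service sends, the way Shodan records them.

    FTP, SSH and telnet speak first; plain HTTP waits for a request, so a
    minimal HEAD is sent on the usual web ports. TLS ports are not handled.
    Returns '' if the service stays silent or the connection fails.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if port in (80, 8080):
                sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return sock.recv(256).decode("utf-8", "replace").strip()
    except OSError:
        return ""


def scan(host, ports=COMMON_PORTS, timeout=1.0, workers=16):
    """Probe every port in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def exposed(states):
    """Sorted list of the ports an outsider can connect to."""
    return sorted(p for p, state in states.items() if state == "open")


def report(host, ports=COMMON_PORTS):
    """One line per open port with its service name and first banner line."""
    states = scan(host, ports)
    lines = []
    for port in exposed(states):
        first = grab_banner(host, port).splitlines()[:1]
        banner = first[0] if first else "(no banner)"
        lines.append(f"{host}:{port} open  {ports.get(port, '?')}  {banner}")
    if not lines:
        lines.append(f"{host}: no probed port answered; nothing for a scanner to find")
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(report(target)))
```

Anything the script reports as open is what an opportunistic attacker sees too; a result of all "filtered" means your router is dropping unsolicited connections, which is the state a law office should normally be in. Remember that running it from inside your own network only shows what your colleagues can reach, not what the Internet can.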
The Internet of Things is coming. Look for more devices coming into your home and office with wireless “wi-fi” enabled. These devices want to be found, and you will need to hide them, secure them, and change their login settings, so that they aren't found by the wrong person or device. We are moving from a period of security through obscurity to one in which lawyers need to be more proactive in ensuring that the technology they use isn't communicating client confidential information without their knowledge.