Ken Munro, a security researcher at ethical hacking company Pen Test Partners recently spent a day rooting around in the suspended ceiling of an office building trying to find a rogue device that was unwittingly creating a back door into the client's network.
The offending device was a wireless screen sharing device -- the sort that allows you to display a presentation on a big screen or projector wirelessly from your laptop.
Mostly these devices are isolated and can only connect the PC and the screen or projector, but in this case the supplier had also plugged it into the corporate network "without thinking or asking" according to Munro. This made it possible for any potential attacker to use it to hop straight from the open wi-fi and onto the business network.
This is just one example of how adding new smart devices in the office can inadvertently weaken security.
"We've seen all sorts of wireless coffee machines brought in by people and hooked up to the office wi-fi, and we've had several cases where they have created security flaws: the smart coffee maker became the vulnerability on the network -- a jumping off point for a hacker so they can hack the coffee machine and then get onto the network," says Munro.
"We've seen vending machines that have just been jacked into the corporate wired network and become a backdoor," he adds.
The smart office security challenge comes in two parts. The first worry is the systems put in place to manage the office infrastructure. In many offices these building management systems already control doors, heating and ventilation and other systems, and have done for years.
But these were often installed with little thought for security or badly configured, and so plenty of examples can be found of these systems accidentally connected to the public internet with little or no cyber-protection. These controllers might seem like an odd or trivial target for hackers, but someone locking all the doors in the building or switching off the air conditioning in your data centre could quickly cause serious problems.
And it's not necessarily just old systems installed in more innocent days that are the main risk, either: modern fire alarm, surveillance cameras and sprinkler systems all come with remote management options, but often this is done over a 3G connection with little or no security. Munro said that smaller businesses will often use CCTV or alarm systems that are little more than consumer devices. These might offer remote control via apps, but don't have enough security in place so it's quite easy to compromise the alarm system.
The second aspect of the smart office security headache comes from the wide range of new gadgets available.
We've already started to fill our homes with smart speakers, cameras, locks, weather stations and motion sensors, and increasingly we're adding similar IoT devices in the office too. Sometimes it's the exact same hardware -- designed for home use and with a poor track record on security -- that arrives in the office. While these devices make may working life more efficient, or just more fun, they are also introducing a new set of risks.
Research by security company ESET found one (unnamed) home automation control panel designed to manage motion sensors, heating controls, shutter motors, environment sensors and smart plugs that had a number of vulnerabilities, including the ability to auto-login without a user ID or password, and a failure to encrypt data communications to the cloud. It also found cameras with video streams protected by insufficient and reversible encryption. Another security company, Kaspersky, found a hub that sends user's data when it communicates with a server, including the login credentials needed to sign in into the web interface of the smart hub -- the user ID and password.
Businesses have been here before with the bring-your-own-device (BYOD) wave, when staff started using their own smartphones and laptops for work. The difference is that there's now a wide variety of smart office devices that people can bring in and connect up.
"Who can say that the novelty coffee cup warmer that powers over USB doesn't have malware in the supply chain?" Munro says.
Smart office devices also use many different standards, which makes them hard to manage in an office environment.
As well as privacy threats due to badly designed devices, companies need to be aware of the capabilities of devices that are introduced into the working environment.
Organisations need to have a policy around the use of these smart devices: is it acceptable to have a smart speaker in the CEO's office that could be streaming conversations to a remote cloud server, where it may be stored forever? Are all staff comfortable that they may be recorded by such devices as they go about their duties?
Perhaps the most common risk is that insecure devices are rolled up into a giant botnet and then used to carry out distributed denial of service (DDoS) attacks, as was the case with Mirai. While irritating and potentially a drain on devices, this will likely have little day-to-day impact.
A spy in the meeting room
However, there is also the risk that insecure devices could be used to help snoop on your business and steal its secrets. Many of the devices we are introducing into offices, like smart speakers, are packed with sensors and microphones, and even cameras -- a potential industrial espionage package sitting in the corner of your meeting room.
In that scenario, spotting a rogue device would be extremely hard, Munro warns.
"It would be very difficult; how would you see the exfiltration? You'd have to be absolutely certain that you were monitoring all the data going out from your smart devices. How would you spot it? Would you even know that someone had connected a smart device to your network?"
Another problem is nobody may be monitoring the use of these devices at all. There is often a gap between traditional IT security, which is covered by the IT department, and physical security, which is often covered by facilities. It may not always be clear who is responsible for checking the security of vending machine or a coffee machine, for example, or the weather station the CFO has brought in from home and set up outside the meeting room.
"There's a great big gap. That's why it's so important that IT security departments engage with other departments," says Munro.
Security teams also need to search out what's in the office, he adds.
"Go and find that stealth tech. What is plugged into your network that you don't know about? Go and look hard at your coffee machines and your vending machines and see what they're plugged into. Go under the stairs, get access to the power cabinets and ask the facilities guys what's in there. Get your hands dirty."