
Is your docking station an ITAD security threat?

Dumb devices can be an ITAD security threat

How next-gen “dumb” devices can threaten ITAD security and disposition

Do you remember the first time you saw a new type of technology? After the oohs and aahs came the gulp as you realized that disposition policies and procedures would need to change to include this new, wondrous (and possibly risky) tech, and that your inclusion and process might already be late?

A throwback example and big shift in IT asset disposition thinking was the first iPhone, released in 2007. That was followed by the iPad in 2010 (who would have thought it would become a ubiquitous business device with that silly name?). Same technology, different applications.

How about the first time you saw a solid-state drive (SSD), specifically one in the M.2 or PCIe format? I remember the first time I opened a server and found a SATA DOM (disk-on-module) on the motherboard or a USB key. "Holy cow, what is that? And how are we going to wipe it or destroy it to ensure data privacy compliance?"

IT devices and technology are a Pandora’s box

It is not just the new and cool stuff that needs a secure disposition plan. It is also the old, familiar, "dumb" devices that are jumping lanes into the intelligent data storage game.

ITADs and ITAMs may remember the first time they pulled a hard drive from a printer. Plot twist! From the perspective of ITAD policy and processes, the data sanitization "watch list" abruptly changed to include every purchased printer. Now each model must be researched, evaluated and confirmed to determine whether it is a data-holding asset. (And a printer.)

Here is another example of a “dumb device” that is switching sides: laptop docking stations.

Don’t wait for others to keep your IT asset management list up to date

There is no ITAD all-points bulletin about sneaky technology developments to watch out for. Most of the time, you’re learning about it through the corporate or industry grapevine (like this blog), at conferences or stumbling on it yourself. 

In this case, I vaguely noticed over time that when I plugged my laptop into various docking stations, the monitor recognized my settings. Efficient? Yes. Appreciated? Definitely. Unusual? “Hmm, there’s some kind of intelligence and data storage going on here,” said my ITAD right brain to my data destruction left brain. Enter the deep dive:

Step 1: You (ahem, I) research docking stations vs. port replicators and look at the new "smart docks".

Some laptop docking stations have their own network interface, with its own MAC address, and obtain and store an IP address when Ethernet is attached.

Step 2: You deepen the search by examining the risk factors of smart docks. And then add USB hubs to the research.

The experts are divided (for me, that division increases uncertainty, and boy, does that perk up my ears). Maybe the opinions are skewed by the dock the laptop is using: by brand, by functionality, by configuration.

Step 3: Add it to my ITAD list of devices to monitor for data storage capability.

As smart docks come to be classified as IoT devices, IT managers and ITADs need to assess the potential risk of docking stations both while in use and at end of life (EOL). If the dock's own IP address is the (known) potential drawbridge over the cybersecurity moat, we all need to start paying closer attention. A docking station that exposes a laptop's data, screen, video, audio and keystrokes is most definitely a potential threat.

And it is already happening.

A real-life hack: A docking station is physically altered to collect information

Andy Davis, research director at U.K.-based NCC Group, built a prototype hardware device that can easily be hidden inside a laptop docking station to sniff traffic and, ultimately, steal sensitive corporate communications from the attached laptop.

“You see docking stations all over the place in organizations because people are using hot-desking type environments, so different laptops can be attached to [the docks] each day,” Davis says. “And they are considered a trusted part of the infrastructure: Nobody thinks someone might tamper with one or swap one for another. Admins are more concerned with protecting your laptop: That’s where the money is and the information.”

But Davis says docking stations, which are rarely secured physically, can easily be rigged with rogue devices that intercept everything from data traffic to USB devices to softphones to videoconference traffic, even if it’s encrypted. “If you have access to a dock, you have information on all the other ports, such as softphones or videoconference traffic … It can capture traffic before it’s encrypted and after it’s decrypted.”

ITAD security lessons from the NIST National Vulnerability Database

The National Vulnerability Database (NVD) is a public repository of known vulnerability information maintained by the U.S. National Institute of Standards and Technology (NIST). In addition to security checklists, software flaws, misconfigurations, product names and impact metrics, the NVD analyzes Common Vulnerabilities and Exposures (CVE) records, assigning each vulnerability a Common Vulnerability Scoring System (CVSS) score. An NVD record carries the information needed to assess risk, including the CVSS exploitability and impact sub-scores and the attack vector (local access vs. reachable over the network).

The NIST NVD, using the CVE Program's definition (whew!), defines a vulnerability as:

“A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety).”

LEARN MORE: Understanding the NIST National Vulnerability Database

From NIST NVD CVE-2022-4569: Lenovo ThinkPad docking station firmware update tool, local privilege escalation

A local privilege escalation vulnerability in the ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation. Note the scope: the flaw is in the host-side utility that flashes the dock's firmware, not in data the dock stores, but it is a reminder that a dock is a firmware-bearing device with its own update lifecycle, and that lifecycle belongs on the asset record.

VIEW: NIST National Vulnerability Database: CVE-2022-4569
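Checking a watch-listed device against the NVD is something an ITAM team can script rather than do by hand. The following is an added example (not code from the original page, from NIST or from Lenovo): it builds a query URL for the real NVD 2.0 CVE API, parses a response in that API's JSON shape, and triages the results the way the paragraph above suggests, by severity, by attack vector and by whether NVD has scored the record at all. The embedded response is constructed: the first record reuses the CVE ID and description discussed on this page but its CVSS numbers are illustrative placeholders, and the second record's ID is a deliberate placeholder, not a real CVE, included to show an entry NVD has not yet analysed.

```python
"""Query the NVD 2.0 API for a watch-listed device and triage what comes back."""
from typing import Optional
from urllib.parse import urlencode

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def build_nvd_query(keyword: str, results_per_page: int = 20) -> str:
    """URL for a free-text product search; fetch it (e.g. with
    urllib.request.urlopen) and hand the decoded JSON body to parse_nvd_response()."""
    params = {"keywordSearch": keyword, "resultsPerPage": results_per_page}
    return f"{NVD_CVE_API}?{urlencode(params)}"


def vector_component(vector: str, key: str) -> Optional[str]:
    """Pull one metric (e.g. 'AV') out of 'CVSS:3.1/AV:L/AC:L/...'."""
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name == key:
            return value
    return None


def parse_nvd_response(payload: dict) -> list:
    """Flatten NVD 2.0 JSON into one summary dict per CVE.

    Records NVD has not analysed yet ('Awaiting Analysis') carry no 'metrics'
    block, so every score field may be None; callers must treat None as
    'unknown', never as 'safe'.
    """
    findings = []
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        description = next((d["value"] for d in cve.get("descriptions", [])
                            if d.get("lang") == "en"), "")
        metrics = cve.get("metrics", {})
        # Prefer CVSS v3.1, fall back to v3.0; NVD marks its own scoring 'Primary'.
        v3 = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
        primary = next((m for m in v3 if m.get("type") == "Primary"), v3[0] if v3 else None)
        data = primary["cvssData"] if primary else {}
        vector = data.get("vectorString", "")
        findings.append({
            "id": cve["id"],
            "status": cve.get("vulnStatus"),
            "base_score": data.get("baseScore"),
            "severity": data.get("baseSeverity"),
            "attack_vector": vector_component(vector, "AV") if vector else None,
            "exploitability": primary.get("exploitabilityScore") if primary else None,
            "impact": primary.get("impactScore") if primary else None,
            "description": description,
        })
    return findings


def triage(findings: list, min_score: float = 7.0) -> list:
    """Escalate when the score meets the threshold, when the attack vector is
    Network (a dock reachable over the LAN is a different problem from one that
    needs hands on the keyboard), or when NVD has not scored the record yet."""
    return [f for f in findings
            if f["base_score"] is None
            or f["base_score"] >= min_score
            or f["attack_vector"] == "N"]


# Constructed sample in the NVD 2.0 response shape. The first record's ID and
# description are the ones discussed on this page; its CVSS numbers are
# illustrative placeholders, not a copy of NVD's published record. The second
# ID is a deliberate placeholder (not a real CVE) showing an unanalysed entry.
SAMPLE_RESPONSE = {
    "resultsPerPage": 2, "startIndex": 0, "totalResults": 2, "format": "NVD_CVE",
    "version": "2.0",
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2022-4569", "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value":
                "A local privilege escalation vulnerability in the ThinkPad Hybrid "
                "USB-C with USB-A Dock Firmware Update Tool could allow an attacker "
                "with local access to execute code with elevated privileges during "
                "the package upgrade or installation."}],
            "metrics": {"cvssMetricV31": [{
                "source": "nvd@nist.gov", "type": "Primary",
                "cvssData": {"version": "3.1",
                             "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                             "baseScore": 7.8, "baseSeverity": "HIGH"},
                "exploitabilityScore": 1.8, "impactScore": 5.9}]}}},
        {"cve": {
            "id": "CVE-0000-00000", "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en", "value": "Placeholder: not yet analysed by NVD."}]}},
    ],
}

if __name__ == "__main__":
    print(build_nvd_query("ThinkPad Hybrid USB-C with USB-A Dock"))
    for f in triage(parse_nvd_response(SAMPLE_RESPONSE)):
        print(f["id"], f["status"], f["severity"], f["attack_vector"], f["description"][:60])
```

The triage rule deliberately keeps unscored records: an "Awaiting Analysis" entry is the one most likely to be missed if you filter on severity alone, and for a device that is about to leave the building "unknown" should be treated as "needs a look".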

From Lenovo: ThinkPad dock firmware update tool elevation of privilege vulnerability

“Lenovo’s Hybrid USB-C with USB-A Dock Firmware Update Tool could allow an attacker with local access to execute code with elevated privileges during the package upgrade or installation.”

VIEW: Lenovo's product security support notice

From Reddit: “Lenovo docking station getting its own IP address separate from the laptop and sending a small amount of data to AKAMI [sic] servers every few minutes or so.”

Discussion is ongoing and clearly divided regarding the possible risk of Lenovo's smart docking stations. While the docking station offers convenient connectivity and functionality, critics worry that the device's integration with various applications and devices could introduce vulnerabilities, potentially exposing user data to hacking or unauthorized access. Additionally, there are concerns about the collection and use of user data by Lenovo or third parties, raising questions about privacy and data ownership.

FOLLOW: Reddit’s Lenovo discussion here and another one here
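The "drawbridge" concern above and the Reddit observation of a dock taking its own IP address and sending small amounts of data every few minutes both describe something a network team can look for. The following is an added example (not code from the original page, from Lenovo or from the Reddit posters) of that check: it parses ISC dhcpd DHCPACK log lines to find leases whose MAC address is not in the ITAM inventory, then looks at simplified flow records for that address and flags sources that send small, evenly spaced flows outside the organisation's own address ranges. All the MAC addresses, hostnames, log lines and flow records are constructed for the example (locally administered MACs, an RFC 5737 test address for the outside world), and the "internal ranges" list is an assumption the caller supplies.

```python
"""Flag unmanaged devices that lease their own IP address and beacon out at a
fixed interval, the behaviour reported for some smart docks."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# ISC dhcpd syslog line: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the
# hostname is optional, and devices such as docks often send none.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via", re.IGNORECASE)


def parse_leases(lines):
    """Map IP -> (mac, hostname) from dhcpd log lines; a later ACK overrides an earlier one."""
    leases = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["ip"]] = (m["mac"].lower(), m["host"] or "")
    return leases


def parse_flows(lines):
    """Parse 'timestamp,src,dst,bytes' flow records into per-source (time, dst, bytes) lists."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = line.strip().split(",")
        flows[src].append((datetime.fromisoformat(ts), dst, int(nbytes)))
    return flows


def is_beaconing(events, internal_nets, min_events=3, max_jitter=0.2, max_bytes=2048):
    """True when a source sends small, evenly spaced flows to addresses outside
    the organisation's own ranges. Jitter is the spread of the gaps relative to
    their mean, so a 5-minute heartbeat with a few seconds of drift still counts."""
    external = sorted((t, b) for t, dst, b in events
                      if not any(ipaddress.ip_address(dst) in net for net in internal_nets)
                      and b <= max_bytes)
    if len(external) < min_events:
        return False
    gaps = [(external[i + 1][0] - external[i][0]).total_seconds()
            for i in range(len(external) - 1)]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_unmanaged_beacons(dhcp_lines, flow_lines, inventory_macs, internal_cidrs):
    """Return leases whose MAC is not a managed asset and whose traffic looks like a beacon."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    leases = parse_leases(dhcp_lines)
    flows = parse_flows(flow_lines)
    findings = []
    for ip, (mac, host) in sorted(leases.items()):
        if mac in inventory_macs:
            continue  # known laptop or server; out of scope for this check
        if is_beaconing(flows.get(ip, []), nets):
            findings.append({"ip": ip, "mac": mac, "hostname": host,
                             "reason": "unmanaged MAC with periodic small external flows"})
    return findings


# Constructed sample data: locally administered (02:...) MACs, an RFC 5737 test
# address for the outside world, and a 10.0.0.0/8 corporate range.
SAMPLE_DHCP = [
    "Mar  1 08:59:40 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 02:00:00:00:00:01 (LAPTOP-0421) via eth0",
    "Mar  1 08:59:41 dhcp1 dhcpd: DHCPACK on 10.1.20.58 to 02:00:00:00:00:02 via eth0",
    "Mar  1 09:02:10 dhcp1 dhcpd: DHCPACK on 10.1.20.60 to 02:00:00:00:00:03 (PRN-LOBBY) via eth0",
]
SAMPLE_FLOWS = [
    "2024-03-01T09:00:00,10.1.20.57,10.1.5.20,48213000",   # laptop: file server
    "2024-03-01T09:07:31,10.1.20.57,203.0.113.10,512000",  # laptop: web traffic
    "2024-03-01T09:00:03,10.1.20.58,203.0.113.10,412",     # dock: heartbeat
    "2024-03-01T09:05:02,10.1.20.58,203.0.113.10,412",
    "2024-03-01T09:10:05,10.1.20.58,203.0.113.10,412",
    "2024-03-01T09:15:01,10.1.20.58,203.0.113.10,412",
    "2024-03-01T09:03:00,10.1.20.60,10.1.5.21,1400",       # printer: internal only
    "2024-03-01T09:08:00,10.1.20.60,10.1.5.21,1400",
    "2024-03-01T09:13:00,10.1.20.60,10.1.5.21,1400",
]
MANAGED_MACS = {"02:00:00:00:00:01"}  # the ITAM inventory: the laptop only

if __name__ == "__main__":
    for f in find_unmanaged_beacons(SAMPLE_DHCP, SAMPLE_FLOWS, MANAGED_MACS, ["10.0.0.0/8"]):
        print(f)
```

In the sample only the hostname-less lease with the five-minute heartbeat is reported; the printer is unmanaged too, but it only talks to an internal server, so it stays off the list. The useful outcome of a hit is not an alert by itself but a new line in the asset register: a device that was never inventoried, has its own network identity and a maintained firmware, and therefore needs a disposition step.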

Forget “dumb” or “smart” labels when it comes to data security

What was yesterday’s smart technology is today’s so-called dumb device. The shockingly modern cellular phone of 1983 (we’re looking at you Motorola DynaTAC 8000X) is a laughably benign version of today’s hand-held computer that also happens to include mobile communication capabilities. 

So, which one is smart? 

Device intelligence is defined by time and the audience. 

For ITADs, ITAMs, IT departments and CTOs developing policies and processes to protect an organization's data and privacy and to uphold compliance regulations and policies, the definition of "smart" is the ability to capture and store data. Functionality, capability and age mean nothing.

That is a significantly different and broader definition of smart than the one used for an IoT device, IT hardware or tech product.

As technology continues to advance, the challenge for IT asset managers and the development of secure IT asset disposition processes lies in balancing convenience with robust security measures to mitigate data risks effectively and ensure user trust and confidence in such devices.

ITAD security starts with curiosity

Whether you stumble upon it or read a bulletin or brochure, it’s easy to recognize the new, cool IT devices. But what’s more difficult to recognize are the categorically ignored, historically “dumb” office and IT equipment and products that are evolving to handle and hold data without fanfare or notice.

“You can’t manage what you don’t know you have! A successful ITAM Program starts with awareness of the current state of the program.”
Barbara Rembiesa, CEO, IAITAM

A successful ITAM program rests on the first step: knowing what you’ve got. That means cataloging new, “smart” technologies that have explicit data capturing and storage capabilities and continuously questioning and evaluating advancing categories of “dumb” devices like printers, copiers and now docking stations. If a device that was merely passing information starts saving it, it’s time to get curious. Buckle up and get ready for the data deep dive.

