Is Facebook’s Rooms App a Danger to Network Security?

When Facebook’s Rooms app debuted in late October, it created a great deal of buzz. No longer would we have to force our friends to endure our love of an obscure television show or fuzzy white cats through endless Facebook posts. With Rooms, we could join private chatrooms — completely anonymously — and discuss our favorite topics with other likeminded individuals.

The idea of anonymous chatting isn’t a new one. In the early days of the Internet, chat rooms and messaging were all the rage, with people connecting with each other all over the world. The growth of social media has taken away most of the ability to be anonymous. Instead of hiding behind a clever moniker, it’s now more fashionable to share every detail of our lives online, and to connect every aspect of our online experience to our profiles.

Except not everyone wants to be on display, and the growth of other anonymous sharing apps like Secret and YikYak indicate that individuals still want to retain at least some degree of privacy. And that’s where Rooms comes in. While the other anonymous sharing apps do rely on at least some of your social circle (Secret, for example, shares information anonymously with and about people in your contact list), Facebook Rooms operates completely separate from your social sphere. You need to be invited to a room, which is done by QR code, but once you are in, you can register under any name you wish, without having to provide any personal information.

And while that it great if you want to talk about books or get advice for embarrassing situations, for many IT professionals, Rooms and other apps like it are of great concern when it comes to ensuring network security.

Sharing Secrets Could Spell Doom for Security

Studies show that disgruntled employees are already the greatest risk to network security, more so than outside hackers or viruses. In fact, even the Department of Homeland Security acknowledged that employees who are unhappy at work or who have been recently let go are actually a threat to national security, especially if they still have passwords and access to their employer’s network.

Disgruntled employees are such a risk because they have information, especially if they work in the IT department. However, even those employees who don’t work in IT can be dangerous. They know passwords, what’s contained in specific databases, and the ins and outs of how the company operates — all information that could be useful to a hacker who wants to gain access to that company’s data.

So where do Facebook Rooms fit in? By providing a completely anonymous forum in which virtually nothing is off limits (the terms of service do prohibit hate speech, threats, and offensive content); unhappy employees have a place where they can safely vent — and possibly share company secrets. There is nothing to stop someone from creating a room under the guise of another topic, and then providing hackers with everything they need to access a secure network.

Some might argue that this isn’t much different from the discussion boards available online already, where people can create alternate identities. The difference is that Facebook Rooms is only available via mobile (and currently only on iPhones), which are far more difficult to trace than a traditional chat room. In fact, the app does not collect any information about Rooms users, and while it has the ability to block devices that are used to post offensive content, it does not collect any other information that could be used to identify a user. Therefore, it’s virtually impossible to determine who is responsible for sharing sensitive information — assuming that you even know it’s out there.

A New Frontier in Security

Rooms has IT security teams concerned, and one of the major issues is that there is very little they can do about it. Some companies already prohibit employees from accessing social media via corporate networks due to the security risks, and it’s possible that Rooms could join the list of banned applications. However, that doesn’t address the issue of employees (current or former) sharing information on their own time.

For that reason, it’s important for security teams to continue their existing efforts, and pay close attention to anomalies on the network. Carefully evaluating traffic in and out of the network and reviewing logs will usually reveal gaps that could spell trouble. Facebook Rooms may not be at the center of an issue, but it certainly creates the potential for a significant security gap.