Much has been said recently about bring-your-own-device (BYOD). Some managers see BYOD as a cost saving measure that also makes employees happy. On the face of it BYOD sounds like a win-win. The organization doesn't need to spend as much on equipment. Employees get to use their shiny new devices that are a constant part of their lives. What could be better?
All is not well in the land of BYOD, however. Allow me to demonstrate some of the issues that BYOD brings with a brief story. I am 9 days into a 13 day intensive course entitled “Introduction to Ethical Hacking” at the university where I am employed. Many of the students in this class are freshmen. In other words, we are not talking about a group of highly trained hackers (yet!).
In order to give the students something to attack I have set up a small network consisting of a PC running Windows XP SP2 and a second PC running Ubuntu 12.10. The Windows machine is running the inbuilt Windows firewall and the latest version of AVG with Windows updates disabled. The Ubuntu machine is updated daily and runs the standard services you might expect in an enterprise environment (web, SSH, etc.). Both machines are connected to a network which has a wireless access point attached to it.
On the the 6th day of class the students were asked to attempt to breach both of these machines and retrieve any interesting files. I am happy to report that they achieved every objective I had established for them. Not surprisingly the Windows machine was compromised in a matter of minutes. The Ubuntu box fell about halfway through the three hour evaluation.
Many seasoned administrators might wonder how a fully patched Linux server could be compromised so quickly. Was the server running services that weren't absolutely necessary? Yes. Were vulnerabilities in these services exploited in order to gain access? No! What then was the source of the compromise?
As some of you may have guessed, the key to compromising the Linux machine was the Windows box. Some of the users were common to each machine. As is often the case, some of the passwords were the same between both systems. Once the Windows machine was compromised via exploiting a vulnerability in Windows XP SP2 the password hashes were immediately downloaded and all the passwords were cracked. The students then tried to use these login credentials until they successfully gained access to the Ubuntu machine.
At this point some of you might be wondering what my little story has to do with BYOD. In terms of BYOD the Windows machine represents the device your employee brought and the Linux server represents a part of your corporate infrastructure. Your hardened and fully patched corporate server has been compromised despite all your diligence and use of up to date technology.
You might object to my illustration and say that using an old unpatched Windows machine to represent your employee's shiny new iPhone 5, iPad, or other new technology isn't fair. My response to that objection is that you can't control the devices and it only takes one insecure device to bring down your entire enterprise. Also, let's be honest, some of the iOS releases have had so many security holes that they make Swiss cheese look solid.
How can we fix this situation? What if we require the employees to have a standard device which must be kept up to date if they want to use it at work. This might not be the most practical solution. We have also moved from having happy users who buy devices to use at work, to people who are upset that the company is forcing them to buy equipment for business use. If we permit a range of devices we must put some resources behind supporting them and the savings of BYOD are beginning to disappear.
For sake of argument, let's say that we have found the perfect agent that will check every single type of device employees might bring into the office for vulnerabilities upon each and every connection to our secured corporate network. Now have we made BYOD safe? In four more class days I fully expect my students to demonstrate why our networks are still not safe while performing their final evaluation in my class. How? The final evaluation requires them to hack wireless networks and then compromise the machines on the network.
The vast majority of devices you employees are likely to bring in are wireless. The worst situation involves users bringing in their own access points and attaching them to your corporate network. Even in the best case scenario where you have network using WPA2 Enterprise security another door into your network has been opened. Unlike a physical door, this door can be accessed from a distance of up to 3 miles. Still think BYOD is a win-win?
About the Author: Dr. Phil Polstra is a Professor of Computer Information Systems and Hacker in Residence at the University of Dubuque in Dubuque, Iowa. Over the last several years he has done a fair bit of conference presentations and workshops, having presented at DEFCON, Blackhat, 44CON, and B-sides to name a few. His recent research has focused on using small, inexpensive devices for penetration testing and forensics. Phil has developed several USB devices and most recently a Linux distribution for penetration testing and forensics which runs on the BeagleBoard and BeagleBone family of devices. Many of his designs are available at instructables.com. All of his work is open source. Phil has worked in the IT industry for over two decades holding virtually every position from programmer to Chief Technology Officer. His degrees in computer security, business, physics, and mathematics are an artifact of too many years spent in school.
Editor’s Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article’s content or messaging.