BYOD Security Problems

Author: Martin Voelk
April 12, 2015

We recently completed an assessment for a customer who had strong concerns about their BYOD approach. The results were quite shocking. Whilst the technology these days is pretty much there and mature enough to support BYOD, it is once again the human user who fails, as usual, when it comes to basic security.

In this case the client used a BYOD solution from a very well-known vendor, and whilst corporate access from BYOD devices was limited appropriately, we were able to compromise certain aspects through the human element again.

Too many privileges set

Unfortunately this is very common: ordinary users could access resources they never should have been able to, and admin misconfigurations allowed that.

Many users have rooted Android phones

A lot of the technical staff had rooted Android phones. There are many reasons why people get their Android phones rooted, but none of them adds to security, and rooting opens nice new attack vectors.

Even more users had their private iPhones jailbroken

We were surprised that almost 50% of the devices in our recent assessment were jailbroken. Yes, people get them jailbroken at the little cell phone store to have certain features available, run non-authorised apps, etc. That they are creating a lot more attack vectors by doing so is something the ordinary user doesn't understand.

Private BYOD smartphones not updated

One would think that people update their phones when Apple or Google release new security fixes. Unfortunately not. Only 20% of all private phones in our assessment were kept up to date. 80% had flaws because users were simply not interested or had no time to upgrade.

Infected private endpoints

This is by far the biggest problem. Employee-owned jailbroken iPhones often run infected apps or non-authorised apps containing spyware, malware, etc. Sometimes these arrive as part of a legitimate-looking app, sometimes they are installed on purpose. It seems to be a modern sport amongst couples to spy on each other by silently installing spyware apps on the spouse's phone.

Summary:

As good as the new BYOD solutions seem, the problem lies in the "Own Device". Own device means it is not company property, and if offline security policies are not being enforced, such devices pose a massive threat to the business.
