Bring your own device at your company’s risk
According to experts from the French government, company information stored on personal smartphones and tablets provides potential rich pickings for cyber pirates. Of course, this risk is on the rise due to the growing corporate deployment of so-called Bring Your Own Device (BYOD) schemes.
This issue is a big worry for IT security practitioners in Europe and was debated during the latest annual meeting of the Club des Directeurs de Sécurité des Entreprises (CDSE), an association of corporate security chiefs, held in Paris.
The audience was given a detailed presentation on the extent to which an employee’s personal devices can be cracked and exploited by cyber criminals.
An expert from Direction Centrale du Renseignement Intérieur (DCRI), the intelligence arm of the French Interior Ministry, even performed a live break-in on a smartphone to highlight the risks that corporate BYOD programmes create.
Intriguingly, the organisers of the event were not authorised to reveal the name of the counter-intelligence officer who made the presentation.
He told participants that while smartphones and tablets have become prevalent in the lives of the general population, and personal gadgets are now more often than not used for professional ends, the risks that such devices present to companies have not been fully gauged.
“The problem is not technology, but the lack of awareness of users about the risks,” the unnamed expert said. “And the awareness about risks of smartphones is zero right now.”
The DCRI estimates that there are more than 20 million smartphones currently in use in France. Their use for professional and personal purposes is only set to increase.
Worryingly, more than one third of young workers are even ready to ignore internal security rules adopted by organisations and use their personal gadgets during the working day, according to surveys conducted by the agency.
An increasing reliance on smartphones and tablets has convinced companies to try to adapt to this trend. There has been a steady rise in BYOD programmes that enable employees to access corporate information systems via their personal devices, preferably under controlled conditions.
As a result, information, often of a sensitive nature, is increasingly stored on internal drives of equipment over which the company has little, if any, control. Once a cyber criminal gets their hands on such devices, either through theft or by simply handling them for a few hours, accessing this data becomes an easy task.
The DCRI expert explained, for instance, that it takes about three to 10 minutes for run-of-the-mill code-breaking software to find the right sequence of characters in a four-digit pin code that restricts access to a smartphone. Such tools are easily purchased on the internet.
After this first barrier is breached, the complete disk image of the device can be copied in something like 40 minutes.
Once this image is downloaded, the criminal is able to use the codes that the owner of the device has stored on the disk. It is then possible, for example, to break into the internal wifi network of the firm that employs the user of the device.
The image also provides information about pin codes and passwords used for emails and banking apps. Historical web browsing information and map applications can also provide valuable data, as well as any documents, spreadsheets and presentations that the user may have copied to their device to use at home.
Criminals can use all this information in a variety of ways. For example, they can access bank accounts or send damning messages about the company using an actual corporate email account.
Some go as far as uploading compromising data, such as paedophilic images, to the device in order to taint the reputation of the user and his employers. Members of the audience were specifically told not to download bank applications to their mobile devices.
The threats are fairly obvious in the case of stolen smartphones or tablets where criminals have plenty of time to work on breaking security codes. But the risk does not stop there. Cyber criminals are more than capable of stealing sensitive information without the owner realising.
Workers who carelessly lay down their smartphones or tablets while they disappear into meetings are certainly targets. Leaving smartphones in taxis or restaurants, even if they are promptly returned, also creates huge risks.
Another risky act is to leave the devices in hotel rooms during business trips. The DCRI agent told the audience that in some countries it is quite common for hotel rooms to be monitored by criminal gangs. He showed a video of supposed hotel workers in Asia breaking into the laptop of a guest while a bedroom was being cleaned. The action was filmed by a spy-camera hidden in a table lamp.
Personal gadgets used at work can also be targeted virtually. As the DCRI identified in 2011, more than 1,800 pieces of malware targeting smartphones are in use. The agency has also warned that increased use of emerging near-field communication technologies will add to BYOD risks.
But the agency also said that some simple measures can considerably boost the security of a device. For instance, using a six-digit pin code, instead of four, means that criminals will need around 50 hours to find the right key, rather than only 10 minutes. An eight-digit pin code takes, on average, 165 days to break.
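The figures above are the article's; the following is an added worked example (not code from the article or the DCRI) that makes the underlying arithmetic explicit: the key space grows by a factor of 10 per digit, and the time to exhaust it scales with that key space. It assumes a constant trial rate calibrated to the article's 10-minute figure for four digits, and it adds a second, defender-side consideration the article does not spell out: a throttling or wipe-after-N-failures policy on the device. The lockout parameters used are hypothetical.

```python
"""Brute-force resistance of numeric PINs: key-space size, time to exhaust,
and the effect of attempt throttling and a wipe-after-N-failures policy.

Constructed example. The trial rate is calibrated to the article's figure
(a four-digit PIN found in roughly 10 minutes); treating that rate as
constant regardless of PIN length is an assumption. The lockout policy
values below are hypothetical and are not taken from the article.
"""
from dataclasses import dataclass
from typing import Optional


def key_space(digits: int) -> int:
    """Number of possible PINs of the given length (each digit 0-9)."""
    if digits < 1:
        raise ValueError("PIN must have at least one digit")
    return 10 ** digits


def attempts_per_second_from_reference(ref_digits: int, ref_seconds: float) -> float:
    """Derive a constant trial rate from one observed time-to-exhaust figure."""
    return key_space(ref_digits) / ref_seconds


def seconds_to_exhaust(digits: int, rate: float) -> float:
    """Worst case (every PIN tried) with unthrottled guessing; the average
    case is half of this."""
    return key_space(digits) / rate


@dataclass(frozen=True)
class LockoutPolicy:
    free_attempts: int            # failures allowed before throttling starts
    delay_seconds: float          # delay imposed on each attempt after that
    wipe_after: Optional[int]     # device erases itself after this many failures


def seconds_to_exhaust_throttled(digits: int, rate: float, policy: LockoutPolicy) -> Optional[float]:
    """Worst-case time to try the whole key space under a lockout policy.
    Returns None when the wipe limit means the key space can never be
    exhausted on the device itself."""
    n = key_space(digits)
    if policy.wipe_after is not None and policy.wipe_after < n:
        return None
    free = min(policy.free_attempts, n)
    throttled = n - free
    return free / rate + throttled * (1 / rate + policy.delay_seconds)


def success_probability_before_wipe(digits: int, policy: LockoutPolicy) -> float:
    """Chance that on-device guessing finds a uniformly random PIN before the
    wipe triggers. Without a wipe limit, exhaustion is certain."""
    n = key_space(digits)
    if policy.wipe_after is None:
        return 1.0
    return min(policy.wipe_after, n) / n


def format_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, for the summary table."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Calibrate to the article: four digits in about 10 minutes.
    rate = attempts_per_second_from_reference(4, 10 * 60)
    # Hypothetical policies: throttle only, and throttle plus wipe.
    throttle = LockoutPolicy(free_attempts=5, delay_seconds=30, wipe_after=None)
    wipe = LockoutPolicy(free_attempts=5, delay_seconds=30, wipe_after=10)
    print(f"{'digits':>6} {'keys':>12} {'unthrottled':>14} {'throttled':>14} {'P(success) w/ wipe':>20}")
    for d in (4, 6, 8):
        plain = format_duration(seconds_to_exhaust(d, rate))
        slow = seconds_to_exhaust_throttled(d, rate, throttle)
        p = success_probability_before_wipe(d, wipe)
        print(f"{d:>6} {key_space(d):>12,} {plain:>14} {format_duration(slow):>14} {p:>20.6f}")
```

Under this constant-rate model each extra digit multiplies the exhaustion time by 10, so moving from four to six digits buys a factor of 100; the article's own figures (about 10 minutes, 50 hours and 165 days) grow faster than that, so the model is a lower bound on the benefit of a longer PIN. The second column shows why the device-side policy matters as much as PIN length: with a wipe after 10 failures, on-device guessing succeeds against a four-digit PIN only one time in a thousand, and the remaining risk shifts to attacks that bypass the lock screen entirely, such as imaging the storage, which is what the rest of the article describes.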
The DCRI has devised a list of 10 areas to consider before putting BYOD programmes into practice. They include a limitation on the sort of hardware that can be brought to work by employees, as well as the use of a single operating system and a definition of the applications that can be used to handle company data.
But monitoring all actions taken by employees on their own devices is a tough task, particularly as young workers generally believe that using their own smartphones and tablets at work is a right rather than a privilege, as a survey by Fortinet, a US IT security firm, revealed last June.
The survey also concluded that many young workers believe it is up to them, and not their employers, to take decisions concerning the security of their gadgets when they are using the devices at work.