Smartphones: Destroying your perimeter one device at a time

Sounds like an overstatement, I know. Smartphones are incredibly powerful devices that open up a world of possibilities for communications versatility on a tiny platform. Consider this statistic: "...48% of employees are allowed to use their personal smartphones to connect to corporate systems – on the flip side, 70% of employees are permitted to use their company-provided smartphones for personal business."

That's not a security-minded practice. I have been listening to C-level decision makers at conferences this year using phrases like "If you can't beat them, join them" and "We must learn to work with social networks because this upcoming generation expects it." These are interesting perspectives and quite a shift from the website blocking and strict rules we all experienced just a few years ago. Perhaps they decided breaches were still happening then, so why keep fighting the tide. Whatever the decision, the smartphone is the most significant piece of your enterprise that is walking around in someone's pocket, getting lost on the subway, or being stolen.

If you allow these devices to connect to your enterprise, are you fully aware of the device's capabilities? I don't mean what the manufacturer said it can do, although that's a great place to start; I mean what is it actually capable of? Do you know whether the security features touted by the vendor can be bypassed? Over the past several weeks there have been vulnerability reports issued for the iPhone and Android platforms. The last time I tested an iPhone, the encryption was purposely defeated by the operating system kernel. If you allow Android phones, remember that they were designed to be flexible and open platforms; security was not the primary consideration.

What kind of threats can this pose to your organization? My phone is the Google Nexus One running the latest OS, 2.2. In addition to the phone's native capabilities, I have rooted it and installed a custom ROM. Performing these actions gave me complete control of the phone's hardware and allowed me to install Ubuntu 9.10. Once I had the Linux distro stable, I installed nmap, OpenVAS, and Metasploit. I also installed ettercap, Wireshark, and a few other tools before running out of space, but you get the idea. My phone was now as weaponized as a pen-testing laptop, the only downsides being storage and the terribly painful typing.

I know your users will bug you until you must allow whatever platform they think is the coolest, I mean the one that makes them the most productive when not at their desks. As you implement these devices, the risk they pose should be considered carefully and the platform should be thoroughly tested. If your organization is not capable of hacking on the devices, it may be worth the investment to contract an outsider so you know exactly what you are getting.
