BYOD is a double-edged sword for corporations. On the plus side, it can save the company money and please the workers, which all seems good until you weigh it against the age-old problem of security. But the latest USB security blunder to surface is going to cause some real headaches.
Last week security researchers Brandon Wilson and Adam Caudill posted code to GitHub that could be used to replace the firmware inside an existing device and make it do almost anything, from spoofing a computer's network interface to acting as a keyboard that issues commands.
"The security of these devices is completely compromised," Wilson told ThreatPost. "You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive."
Pretty scary stuff.
"It’s undetectable while it’s happening," Wilson said. "The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you."
Switched-on IT departments should already be on the lookout for compromised devices, whether they are accidentally infected with malware or deliberately designed to infiltrate a network.
But this raises the game. It makes it possible for any device to be compromised, and for that compromise to be undetectable under normal circumstances.
So what can you do?
Whatever you do, make sure that it's clearly stated in the BYOD policies, and that everyone is on the same page as to what the policies are.