BYOD is a double-edged sword for corporations. On the plus side it can save the company money and keep workers happy, all of which seems good until you weigh it against the age-old problem of security. But the latest USB security blunder to surface is going to cause some real headaches.
Last week security researchers Brandon Wilson and Adam Caudill posted code to GitHub that can replace the firmware inside an existing USB device and make it do almost anything, from spoofing a computer's network interface to acting as a keyboard that issues commands.
"The security of these devices is completely compromised," Wilson told ThreatPost. "You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive."
Pretty scary stuff.
"It’s undetectable while it’s happening," Wilson said. "The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you."
Switched-on IT departments should already be on the lookout for compromised devices, whether they be accidentally infected with malware, or a.
But this raises the game. It makes it possible for any device to be compromised, and for that to be undetectable during normal circumstances.
So what can you do?
- Use endpoint security software to manage hardware, scan for malware and so on. It won't protect against the low-level firmware vulnerability above, but it still makes good sense.
- Physically protect USB ports.
- Make hardware as tamperproof as possible. You don't want devices being easy to open, because that makes them vulnerable to tampering. Seals, tamper-resistant fasteners, and epoxy are your friends.
- Strictly audit all USB hardware. If you're ultra-paranoid then you want to have a list of everything, down to USB cables.
- Use tamper-proof USB devices, such as the IronKey USB flash drives.
- Inspect hardware regularly, and test for suspicious activity.
- Confiscate (and possibly keep for evidence or destroy) unauthorized devices.
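As an added example (not from the article or the researchers' code), here is a small Python audit that compares the interface classes each USB device reports when it enumerates against an allowlist of what that product is permitted to be; a flash drive that also shows up as a keyboard or network adapter is the case the article describes. The inventory line format, VID:PIDs and serials are constructed placeholders.

```python
from dataclasses import dataclass
# USB-IF interface class codes (bInterfaceClass) a device reports when it enumerates.
HID = 0x03           # keyboards and mice
CDC = 0x02           # communications class, e.g. USB network adapters
MASS_STORAGE = 0x08  # flash drives

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: frozenset  # every bInterfaceClass the device presents
# Constructed allowlist (placeholder VID:PIDs, not real hardware): classes each approved product may present.
ALLOWLIST = {
    (0x1234, 0x0001): frozenset({MASS_STORAGE}),  # approved flash drive
    (0x1234, 0x0002): frozenset({HID}),           # approved keyboard
}
def parse_inventory(text):
    """Parse constructed inventory lines of the form '<vid>:<pid> <serial> <class>[,<class>]'."""
    devices = []
    for line in text.strip().splitlines():
        ids, serial, classes = line.split()
        vid, pid = (int(x, 16) for x in ids.split(":"))
        devices.append(UsbDevice(vid, pid, serial, frozenset(int(c, 16) for c in classes.split(","))))
    return devices

def audit(device):
    """Findings for one device; empty means it presents only the classes it is allowed to."""
    tag = f"{device.vid:04x}:{device.pid:04x} ({device.serial})"
    allowed = ALLOWLIST.get((device.vid, device.pid))
    if allowed is None:
        return [f"{tag}: not on the hardware allowlist"]
    # Extra classes on a storage product (keyboard, network) are what reprogrammed firmware looks like to the host.
    return [f"{tag}: unexpected interface class 0x{c:02x}" for c in sorted(device.interface_classes - allowed)]

def audit_inventory(text):
    """Return {'<vid>:<pid>:<serial>': findings} for every device that has findings."""
    report = {}
    for dev in parse_inventory(text):
        if findings := audit(dev):
            report[f"{dev.vid:04x}:{dev.pid:04x}:{dev.serial}"] = findings
    return report
# Constructed sample inventory, as an endpoint agent might collect it.
SAMPLE = """
1234:0001 SN-A1 08
1234:0001 SN-A2 08,03
1234:0002 SN-K1 03
1234:0001 SN-A3 08,02
abcd:9999 SN-X1 08
"""
```

Running `audit_inventory(SAMPLE)` flags SN-A2 (storage plus keyboard), SN-A3 (storage plus network) and the unknown SN-X1, while the two devices presenting only what they are allowed to produce no findings.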
Whatever you do, make sure that it's clearly stated in the BYOD policies, and that everyone is on the same page as to what the policies are.