Enterprise mobile security tools may not protect BYOD
Connecting state and local government leaders
In a Black Hat presentation, a security consultant explained how existing EMS solutions could often be ineffective, even on standard, non-jailbroken personal devices.
For employees, bring-your-own-device workplace policies can increase efficiency and improve remote work capabilities. For the organization, BYOD can reduce equipment costs, but it can also open the enterprise up to all sorts of new exploits and breaches.
In his recent Black Hat conference presentation, Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions, VantagePoint Senior Security Consultant Vincent Tan discussed the growth of BYOD and the software that protects personal mobile devices used in the workplace, as well as emerging techniques to better secure these devices and ultimately enterprise networks and data.
Just a few years ago, many agencies were on the fence about employees using their own smartphones, tablets or laptops for work, or they disallowed it all together. But now, more organizations are setting BYOD policies that permit or even encourage people to use their personal computing devices to increase productivity, allow for the easier remote access and work-from-home capabilities, and reduce the organization's IT costs related to buying, outfitting, maintaining, updating and fixing the laptops and smartphones issued to employees. This trend is expected to cause the global market for BYOD and enterprise mobility solutions that support it to quadruple in size over the next four years, jumping to $284 billion worldwide by 2019.
“Mobile devices are a little different in terms of attack surface than your traditional laptop computer,” Tan said. “Everything is moving to these platforms now.” With the Internet of Thing spurring IP access to all manner of equipment and industrial systems, a growing number of enterprise access points will quickly be controlled through mobile or non-conventional devices, he said. That makes it imperative that those devices be secured.
“BYOD software is used by some of the largest organizations and governments around the world,” Tan said. “Barclays, Walmart, AT&T, Vodafone, United States Department of Homeland Security, United States Army, Australian Department of Environment and numerous other organizations, big and small, all over the world.”
These enterprise mobile security (EMS) products promise to deliver data, device and communications security for enterprises at the application, network and operating system layers, Tan said. They aim to solve a host of data, loss and network privacy concerns, as well as the possibility of jailbreaking or rooting devices, which would typically make them more susceptible to breaches and exploits.
In his presentation, Tan used Swizzler, a tool that allows mobile app penetration testers to bypass the protections that EMS solutions implement, to show how existing EMS solutions could often be ineffective, even on standard, non-jailbroken devices. In some cases, he said, these solutions could even expose an organization to unexpected risks.
Using the Good Technology EMS suite as an example, Tan said such solutions were somewhat limited (or could by bypassed) because of how they used various security mechanisms, including application screenshot caching, antistatic and antidynamic analysis, injection detection, antidebugging and jailbreak or root detection. In addition, Tan’s penetration testing revealed issues with the EMS solution itself, including how it implements binary protections and intranet access.
While Tan did not discourage IT security professionals from embracing the BYOD trend, he underscored the importance of understanding the potential risk that comes with bringing personal devices into the enterprise -- even if the enterprise is using security solutions. “Whether you are a CXO, an administrator or a user,” Tan said, “you can't afford not to understand the risks associated with BYOD.”