How do I secure my network for BYOD?

When a BYOD user or visitor needs network access, how do you roll out the welcome mat without leaving the door wide open to anyone who wanders by? Plenty of organizations use conventional pre-shared keys or MAC authentication to get BYOD users and visitors on the network. These mechanisms, while they seem reasonable, have some major security flaws. What’s so bad about traditional pre-shared keys (PSKs) and MAC authentication for guest and BYOD onboarding from an IT security perspective?

Let’s look at some issues:

1. What’s the problem with pre-shared keys?

When users ask for “the Wi-Fi password”, they are asking for pre-shared keys. Suppose an IT administrator sets up a Wi-Fi SSID with an assigned PSK, and then simply gives that PSK to anyone who requires network access. Maybe you even use this approach yourself—why not? Well, for a few reasons.

Start with the fact that when you have a single Wi-Fi password, you have no way to control who has access to it. Users can—and do—share Wi-Fi passwords with others, even people you might not want to have access to your network. When everybody’s sharing the same password, there’s also no way to revoke access to an individual user—say, when someone leaves the organization.

2. What about MAC Authentication?

At least PSKs encrypt data traffic in transit over the air. When you use MAC authentication to provide network access for BYOD and guest users, that’s not the case. Anyone can intercept that data traffic. Attackers also find it easy to spoof MAC addresses and thereby gain unauthorized access to the network.

With both PSKs and MAC authentication, you have no way to associate each device with a user. There is no effective way to block a particular device or user from accessing the network, or to limit what that device is allowed to do once it is on the network.

Solution: The key steps to mitigate the risks from BYOD devices are:

  1. Protect sensitive data.
  2. After securing your data, ensure the security of your network. Instead of relying on generic firewalls for your data security, deploy a dedicated solution. Then lock your network down from the outside world to close the security holes that BYOD devices can open, and actively monitor the devices connected to your network and their activity.
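The two weaknesses above (a MAC allowlist admits whatever device presents a listed address, and it never ties a device to a user) are easiest to see in log data. The following script is an added example, not code from the original post: it replays a few constructed association log lines in a hypothetical `key=value` format against a hypothetical MAC allowlist, shows that plain MAC authentication admits the spoofed address, and then applies the kind of monitoring step 2 asks for, flagging a MAC whose DHCP fingerprint (hostname and vendor class) suddenly changes or that shows up on two access points within a short window. The log format, the allowlist, the 120-second roaming window and all sample values are assumptions made for the example.

```python
"""Monitoring a MAC-authentication allowlist for signs of address spoofing.

Added example. The log format, allowlist and sample lines below are constructed
for illustration and are not taken from any real network.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical allowlist of the kind a MAC-authentication setup keeps.
# It maps a MAC address to a device label only; there is no user identity.
MAC_ALLOWLIST: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "alices-phone",
    "aa:bb:cc:00:00:02": "bobs-laptop",
}

# Assumed threshold: one MAC associating to two different APs within this many
# seconds is treated as suspicious (a real client cannot be in two places at once).
ROAM_WINDOW_SECONDS = 120

# Constructed sample log lines (hypothetical format):
#   <epoch> assoc mac=<mac> ap=<ap-name> host=<dhcp-hostname> vendor=<dhcp-vendor-class>
# Line 3 shows a different device presenting alices-phone's MAC from another AP.
SAMPLE_LOG = """\
1700000000 assoc mac=aa:bb:cc:00:00:01 ap=lobby-ap1 host=alices-phone vendor=android-dhcp-13
1700000030 assoc mac=aa:bb:cc:00:00:02 ap=floor2-ap3 host=bobs-laptop vendor=msft-5.0
1700000045 assoc mac=AA:BB:CC:00:00:01 ap=parking-ap9 host=pc-linux vendor=dhcpcd-9.4.1
1700000400 assoc mac=aa:bb:cc:00:00:02 ap=floor2-ap3 host=bobs-laptop vendor=msft-5.0
1700000500 assoc mac=aa:bb:cc:00:00:03 ap=lobby-ap1 host=guest-tablet vendor=android-dhcp-12
"""


@dataclass
class Assoc:
    ts: int
    mac: str
    ap: str
    host: str
    vendor: str


def parse_line(line: str) -> Assoc:
    """Parse one hypothetical association log line into an Assoc record."""
    parts = line.split()
    ts = int(parts[0])
    kv = dict(p.split("=", 1) for p in parts[2:])
    # Normalise case so that spoofed upper-case variants match the allowlist.
    return Assoc(ts, kv["mac"].lower(), kv["ap"], kv["host"], kv["vendor"])


def mac_auth_decision(mac: str) -> bool:
    """What plain MAC authentication does: a listed MAC is admitted, nothing else is checked."""
    return mac.lower() in MAC_ALLOWLIST


def find_anomalies(log_text: str) -> List[str]:
    """Replay the log in time order and return DENY / ALERT findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings: List[str] = []
    fingerprints: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    last_seen: Dict[str, Assoc] = {}

    for ev in sorted(events, key=lambda e: e.ts):
        if not mac_auth_decision(ev.mac):
            findings.append(f"{ev.ts} DENY {ev.mac} not on allowlist")
            continue
        label = MAC_ALLOWLIST[ev.mac]

        # A listed MAC that suddenly presents a different DHCP hostname/vendor
        # class is most likely a different device using that address.
        fp = (ev.host, ev.vendor)
        known = fingerprints[ev.mac]
        if known and fp not in known:
            findings.append(
                f"{ev.ts} ALERT {ev.mac} ({label}) DHCP fingerprint changed to "
                f"host={ev.host} vendor={ev.vendor}"
            )
        known.add(fp)

        # The same MAC on two different APs within the window is another sign
        # that two devices share the address.
        prev = last_seen.get(ev.mac)
        if prev and prev.ap != ev.ap and ev.ts - prev.ts <= ROAM_WINDOW_SECONDS:
            findings.append(
                f"{ev.ts} ALERT {ev.mac} ({label}) seen on {prev.ap} and {ev.ap} "
                f"within {ev.ts - prev.ts}s"
            )
        last_seen[ev.mac] = ev
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Note what the output shows: the allowlist check alone lets the third line through, because from its point of view `aa:bb:cc:00:00:01` is simply alices-phone. Only the correlation step notices that the "phone" now reports a Linux DHCP client and appeared on a second access point 45 seconds after the first, and even then the finding can only be attributed to a device label, not to a person, which is exactly the gap the post describes.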

One tip to protect your phone when using a public USB charging socket

TL;DR: Never trust a public USB socket. If you are forced to use one, use a power-only USB cable. There’s a catch though – see the last paragraph.

Imagine yourself running late for a plane on a busy Monday morning. Keys – check, suitcase – check, passport and tickets – check. To make matters worse, slightly upset by the grumpy taxi driver and length of the bag drop queue at the terminal, you find yourself staring at the red battery symbol on the dimmed smartphone screen.

Luckily, you come across one of those mobile charging stations and minutes later you’re all set for boarding.

Beware, as you might have just taken an unwanted passenger on-board with you!

USB malware

Unfortunately, using USB sockets that you don’t trust creates a huge security risk, and deciding which ones you should trust is a non-trivial job to say the least! There are types of attacks that can be carried out the moment you plug the smartphone into the socket, without Android/iOS even noticing.

They work in a variety of ways. Some of them interact directly with the operating system, for example during the enumeration of USB devices when the system boots up. Another type of attack abuses the DFU (Device Firmware Update) feature of the USB protocol, which lets another device update the firmware of the USB device. Yet another one creates a partition in the flash memory of the USB chip to exfiltrate sensitive data flowing through the port later. If the above reasons were not enough, there is always the possibility of using the smartphone as a transient host for malware destined for other platforms, stealing data from inside the corporate network as soon as the infected device is plugged into a PC.

The three main risks of these attacks are:

  1. data theft from the smartphone,
  2. compromise of the internal company network,
  3. unwanted device tracking.

While the risk of data theft is definitely the most pronounced and impactful, point number two, infiltration of the internal network, follows closely. One study at a “large university campus” shows that users pick up and connect an estimated 45%-98% of the USB pen-drives the researchers dropped. Admittedly, that study is about USB drives, but for all intents and purposes, a smartphone that has once been plugged into an untrusted USB port might as well be treated as a USB “trojan horse” that could open a back door to your company’s network.

We won’t go into any details of how it can be carried out, but if you’re interested, take a look at the list of 29 types of USB attacks.

The remedy

The easiest way to avoid most of these headaches if you ever run into such a situation is to use a charge-only USB cable. They are available from major retailers and are dirt cheap.

There is one caveat though – fast charging will most likely not work when a cable without data lines (D+ and D- in the USB 2.0 pinout) is used. This is due to the fact that in order to make use of the fast charging mechanism, the smartphone has to be able to communicate with the charger’s firmware. Some cable manufacturers claim that they sell products, like this one from PortaPow, that can preserve fast charging by being “hardwired with the Fast-Charge USB signal”, at the same time only saying that “this will most likely solve the problem”. We have not tested any of them though. If you have, share your experience in a comment!

Losing fast charging capability may seem like throwing the baby out with the bathwater these days, but losing data or having it stolen is likely to cost much more than the time you spend waiting.