- August 11, 2016
- Posted by: Kerry Tomlinson, Archer News
- Categories: Blog, Cyberattack, Data Breach, Financial Sector Security, Health Care Security, Industrial Control System Security, Mobile Devices, Power Grid, Security Management
Using your personal phone at work can let the bad guys into places you really don’t want them to go, cybersecurity experts say.
As he was signing documents for his new bank account, Patrick C. Miller noticed something alarming on the banker’s desk.
The man’s Samsung Galaxy phone was plugged into his bank computer, charging through a USB cable.
That’s a risky move, said Miller, a cybersecurity consultant at Archer Security Group. Malicious hackers could use security flaws in phone apps—or the phone itself—to run some parts of the banker’s computer without his knowledge.
“It effectively creates a cellular access point,” said Miller. “This creates a potential for them to get a command-and-control channel through your phone.”
“It’s like picking up a strange USB stick in the parking lot and sticking it into your computer,” he said. “You don’t know where it’s been or who’s been touching it. You might as well lick a doorknob.”
This is just one of many problems with BYOD—Bring Your Own Device—at work. Cybersecurity experts are warning companies—and employees—that mixing personal phones with business systems can be dangerous.
The result could be, in some cases, catastrophic. A national cybersecurity group cautioned that workers using their own phones, tablets and laptops—or using work computers for personal stuff—could threaten critical systems that run water, power and industrial plants.
“Use of BYODs to access personal email, web pages, and social media applications, are inherently high risk to ICS [industrial control systems],” the Industrial Control Systems Computer Emergency Response Team report said.
Industrial control systems are the invisible lifeblood of your world—the computers that make your cars, your electricity, your water, and more.
Now, in 2016, you might be hard-pressed to find a workplace where people don’t use their own phones at some point during the day.
“BYOD can be a great convenience for both employees and employers,” said Jim Feely with Archer Security Group. “Employees can do work on a personal device that they would normally have anyway. Employers don’t have to buy or maintain the device. It seems like a win-win.”
But employees and businesses need to manage how they use personal devices in a way to prevent big security risks, according to Feely.
Bring Your Own Danger
You might think the biggest risk is getting caught playing Pokemon Go in your afternoon meeting.
But you might not have to even play a game at work to cause disaster. The app itself could leave a hole wide enough for a malicious hacker to walk right through.
“Mobile apps have a history of not being secure,” said Miller. “They’re not well-tested, they’re often rolled out very quickly. They often leak all kinds of data.”
If you download fun apps on your phone, then plug your phone into your work computer or use it for work, it could be like handing over your keys to thieves.
What do they want?
What will the bad guys do once inside your phone and/or your work system?
They may go for company secrets or customer data to sell on the black market.
They may also go for your contacts—who you communicate with, and how often. Then they can prepare a social engineering attack against you or someone you know, sending out an e-mail that looks like it’s from your boss or your best friend, but is not. Click on the e-mail, and they can download malware onto your device and burrow deep into the system.
If malicious hackers take over your computer or your company system, that’s not good. You could lose your job, the company could go out of business. But no one dies, right?
Unfortunately, the risk is there—now that big equipment is connected to networks.
“It does bring the potential for catastrophic damage to industrial equipment,” said Miller. And to the people near that industrial equipment, or who depend on it to live.
Some workers at power, water and gas plants control the industrial machines remotely through their phones, tablets and laptops over the Internet.
They can choose from a number of apps to help. But those apps may be insecure, too.
“Unfortunately, those apps aren’t generally built with a solid understanding of cybersecurity practices or the weaknesses of the systems they’re connecting to,” said Kara Turner, a critical infrastructure analyst with FireEye iSIGHT Intelligence.
Some apps make it too easy for an attacker to get in, she said, and developers aren’t always checking to see if the apps are shipshape, or filled with security holes.
“Some don’t require sufficient authentication, some allow interaction with other executables, but most importantly, most third-party ICS/SCADA [industrial control systems/supervisory control and data acquisition—used for running equipment] applications aren’t tested for vulnerabilities or weaknesses prior to release,” Turner explained.
Still, more and more employees are using these apps, especially at smaller operations without strict software policies or security training, she said.
“If you have an employee checking their e-mail, downloading games that could contain malware, and operating control systems all on the same device, you’re going to have some security issues, there’s no way around that,” Turner said.
An infection could turn your personal phone into a workplace weapon in other ways, too. It can flood the network with traffic, said Turner—so much that the system can’t bear the weight.
That can mean work headaches, money lost, and in some cases—power plants grinding to a halt.
“ICS networks can easily be overwhelmed by network traffic and essentially shut down,” said Turner.
“Old worms that everything else is immune to these days can shut down an ICS network, like the Gundremmingen plant in Frankfurt was forced to by Conficker/Ramnit in April,” she added.
It may be time to take a closer look at what you’re doing with your phone at work.
Do you have a passcode on your device?
“A lot of people, for example, don’t put passcodes on their phones,” said Feely. “What do you think could happen if Joe was using his personal mobile phone to monitor a critical system, and lost his phone? It might provide anyone who finds the phone access to that system.”
Do you charge your personal phone by plugging it into your work computer with a USB cable?
Plug it into an electric outlet instead, said Miller.
Do you download a lot of apps?
Stick to well-known apps, rather than secondary, copycat or “cheat” apps that piggyback on big-name games like Pokemon Go and Angry Birds, said Miller.
New BYOD rules
Managers need to come up with or refine the company’s BYOD rules, according to cybersecurity experts.
“How can a business protect its data and systems on personal devices?” asked Feely. “That takes some risk analysis and a policy specifically about how business activities can be safely done.”
“It can be done if it’s done with care,” he said.
Companies may need to use special software and hardware to lower the risks, Feely said. For example, some apps will create a separate, safe space on your personal phone so you can access work data without putting it at risk.
“They are likely to find that they need special software and hardware to lower the risk of using personal devices,” Feely said. “They will also likely find that some business activities are okay to do on personal devices, but others should be prohibited.”
Some places have policies about personal devices, but don’t enforce them.
“The best way to fight it is training everyone consistently in practical application of cybersecurity, having and enforcing strict policies for what can and cannot touch your networks and systems, and requiring two-factor authentication to interact with critical systems when possible,” said Turner.
It may also take a fresh look at how those policies are working.
Miller suggested that companies give out special marked charging cables for personal devices.
“They should provide charging cables with the data pin removed,” he said. “So anybody walking the floor can quickly see if somebody’s phone or tablet or device is plugged in and will do anything more than just power.”
“You weren’t able to stop BYOD, you’re not going to be able to stop them plugging their devices into company systems,” he added. “If you can’t stop them, you have to make them aware of the risks and teach them how to do it right.”
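As an added example (not from the article or from Archer Security Group), here is a Python check for the concern behind the data-pin-removed cable: it walks a Linux sysfs USB tree and flags attached devices that expose a data-carrying interface class, so a plugged-in phone shows up as more than a charging load. The sysfs path and the constructed sample tree in build_sample_tree are assumptions, not real hardware.

```python
import tempfile
from pathlib import Path

# USB-IF interface class codes that carry data (hub 09 and HID 03 are not listed).
DATA_CLASSES = {
    "02": "CDC control (tethering/modem)",
    "06": "still image (PTP)",
    "08": "mass storage",
    "0a": "CDC data",
    "e0": "wireless controller (RNDIS tethering)",
    "ff": "vendor-specific (Android MTP/ADB typically appears here)",
}

def _read(path: Path) -> str:
    try:
        return path.read_text().strip()
    except OSError:
        return ""

def find_data_capable_devices(sysfs_root="/sys/bus/usb/devices"):
    """Return [(device, 'vid:pid', [interface descriptions])] for attached
    USB devices that expose at least one data-carrying interface."""
    root = Path(sysfs_root)
    results = []
    for dev in sorted(root.iterdir()):
        # Skip interface nodes ('1-2:1.0') and entries without an id.
        if ":" in dev.name or not (dev / "idVendor").exists():
            continue
        classes = []
        for iface in sorted(root.glob(f"{dev.name}:*")):
            cls = _read(iface / "bInterfaceClass").lower()
            if cls in DATA_CLASSES:
                classes.append(DATA_CLASSES[cls])
        if classes:
            ident = f"{_read(dev / 'idVendor')}:{_read(dev / 'idProduct')}"
            results.append((dev.name, ident, classes))
    return results

def build_sample_tree(base):
    """Constructed sysfs layout (assumption): a phone exposing MTP and mass
    storage, and a keyboard (HID class 03) that should not be flagged."""
    base = Path(base)
    devices = {"1-2": ("1234", "5678", ["ff", "08"]),   # constructed ids
               "1-3": ("9abc", "def0", ["03"])}
    for name, (vid, pid, ifaces) in devices.items():
        (base / name).mkdir(parents=True)
        (base / name / "idVendor").write_text(vid + "\n")
        (base / name / "idProduct").write_text(pid + "\n")
        for i, cls in enumerate(ifaces):
            iface = base / f"{name}:1.{i}"
            iface.mkdir()
            (iface / "bInterfaceClass").write_text(cls + "\n")
    return base

def demo():
    with tempfile.TemporaryDirectory() as td:
        return find_data_capable_devices(build_sample_tree(td))
```

Run against the real default path on a Linux workstation, the function lists every attached device that is doing more than drawing power.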