Securing BYOD: User-Agent-Based Secure Entry Is Vulnerable

Android-based phones and tablets are not allowed in many enterprises; however, employees can easily fool a user-agent-based way of securing entry.

"MDM can identify a device, authorize and manage it, but it cannot do access control."

Many enterprises do not allow Android phones and tablets onto the corporate network at all, whether to download email or to access files or the network, because they consider Android highly vulnerable and heavily malware-infected. That view is not unfounded: statistics show 600 per cent growth in malware specific to Android, and because of Android's fragmentation problem many old and highly vulnerable versions are still in use.

But employees are smart enough not to be restricted that easily. A simple Google search turns up many instances of how to fool a portal-based (user-agent-based) way of securing entry.

Here is one, which I tried on my Android phone to get into the network:

  1. Go to the native Android browser
  2. Type “about:debug” in the address bar without quotes and then press the “go” button next to it (not return on the keypad)
  3. Go to Menu and click “settings”
  4. Click “debug”
  5. Click “UA string”
  6. Click whichever device you want to pretend to

I get these choices on my HTC One X:

Android
Desktop
iPhone
iPad
Froyo-n1
Honeycomb-xoom
Manual

I chose iPhone, and now I not only got into the network but also, when I browse any website, the network thinks I am doing it from an iPhone and shows ads specific to iOS. You can easily fool user-agent-based fingerprinting and security setups (which most products on the market use today), get into the network and do whatever your device was originally not allowed to do, without leaving a clue for IT. This is what happens when the user-agent is used to determine and fingerprint the device, which most tools on the market do today.

When a device connects to a network and tries to browse something, the browser sends a packet of information identifying itself and the device (the HTTP User-Agent header): mostly the browser name, the OS name and their versions, and sometimes the device name (iPhone, iPad, BlackBerry, etc.). Most solutions detect the device from this signature. Unfortunately the information is incomplete, inconsistent and sent in no standard format for its fields; it often varies with the kind of browser and the development toolkit the browser was built with; and, worst of all, as I showed, it can easily be faked and spoofed. It is not a foolproof way of identifying the device, and anyone with basic knowledge of handling a smartphone can fool the system.
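To make the two preceding paragraphs concrete, here is a small user-agent gate of the kind the article describes, written as an added example for this page (it is not code from the article or from i7 Networks). The four User-Agent strings are constructed samples: one typical of the stock Android browser on a 2012 HTC handset, one of the kind that browser sends once its "UA string" setting is switched to iPhone, one from Chrome on Android (which omits the locale field), and one desktop string. The parser, the `DeviceProfile` type, the `BLOCKED_PLATFORMS` policy and the `admit()` function are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample User-Agent headers (not captured from the author's HTC One X).
# UA_ANDROID_NATIVE is typical of the stock Android browser of that era; UA_SPOOFED_IPHONE
# is the kind of canned string the same browser sends once "UA string" is set to iPhone;
# UA_CHROME_ANDROID shows a different browser on Android leaving out the locale field.
UA_ANDROID_NATIVE = (
    "Mozilla/5.0 (Linux; U; Android 4.0.3; en-gb; HTC One X Build/IML74K) "
    "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
)
UA_SPOOFED_IPHONE = (
    "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) "
    "AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7"
)
UA_CHROME_ANDROID = (
    "Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KOT49H) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.92 Mobile Safari/537.36"
)
UA_DESKTOP = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/30.0.1599.101 Safari/537.36"
)


@dataclass(frozen=True)
class DeviceProfile:
    """What the gate believes about the client, derived solely from the header it sent."""
    platform: str    # "android", "ios", "desktop" or "unknown"
    os_version: str  # version as claimed by the header, "" if not present
    model: str       # model as claimed by the header, "" if the field is absent


# Stock Android browsers put "<version>; <locale>; <model> Build/" in the platform token;
# locale and model are not always present, so that part of the pattern is optional.
_ANDROID = re.compile(r"Android\s+([\d.]+)(?:;\s*[\w-]+;\s*([^;)]+?)\s+Build/)?")
# iOS Safari puts "(iPhone; ... OS <major>_<minor> like Mac OS X" in the same place.
_IOS = re.compile(r"\((iPhone|iPad|iPod)[^)]*?OS\s+([\d_]+)")


def profile_from_user_agent(ua: str) -> DeviceProfile:
    """Best-effort device classification from the User-Agent header alone."""
    m = _ANDROID.search(ua)
    if m:
        return DeviceProfile("android", m.group(1), (m.group(2) or "").strip())
    m = _IOS.search(ua)
    if m:
        return DeviceProfile("ios", m.group(2).replace("_", "."), m.group(1))
    if any(token in ua for token in ("Windows", "Macintosh", "X11")):
        return DeviceProfile("desktop", "", "")
    return DeviceProfile("unknown", "", "")


# The policy the article describes: Android is kept off the network, everything else admitted.
BLOCKED_PLATFORMS = frozenset({"android"})


def admit(ua: str) -> bool:
    """The gate decision a user-agent-based portal makes for one request."""
    return profile_from_user_agent(ua).platform not in BLOCKED_PLATFORMS


def gate_decisions() -> dict:
    """Run the four constructed headers through the gate; keys are labels, values are admit()."""
    samples = {
        "htc_one_x_native": UA_ANDROID_NATIVE,
        "htc_one_x_as_iphone": UA_SPOOFED_IPHONE,
        "chrome_on_android": UA_CHROME_ANDROID,
        "windows_desktop": UA_DESKTOP,
    }
    return {label: admit(ua) for label, ua in samples.items()}


if __name__ == "__main__":
    for label, ok in gate_decisions().items():
        print(f"{label:22s} -> {'admitted' if ok else 'denied'}")
    # The same handset is denied with its native header and admitted with the iPhone one;
    # nothing else in the request lets the server tell the two apart.
    print(profile_from_user_agent(UA_CHROME_ANDROID))  # model is "": the field is simply absent
```

The first two samples come from the same handset and differ only in the string the client chose to send, so the `admit()` verdict is exactly as trustworthy as the client. The Chrome sample shows the other half of the article's complaint: even an honest header may leave out fields the parser was written to expect, so the model comes back empty. A verdict derived this way is a signal worth logging and correlating with what else is known about the endpoint, not a gate to stand on its own.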

This is where i7's PeregrineGuard distinguishes itself. It uses an advanced, US patent-pending triangulated fingerprinting algorithm to determine precisely what the device is: its class, type, OS, version and much more, in an enterprise environment. Interestingly, all of this is done without putting an agent on the device (what is called zero footprint on the device): a completely agentless and non-intrusive way of discovering, fingerprinting, profiling and access-controlling the device.

The point is that managing security for BYOD is going to be very tough. You really need a specialized tool; merely tweaking existing tools and solutions for the new BYOD era (whether or not you allow BYOD devices on your systems) is going to make you more vulnerable!

Written by Manjunath M Gowda, CEO, i7 Networks.
