
Recent news reports serve as cautionary tales of poor product design and lax physical security that indicate software, AI, and the push for digital transformation can’t solve all of our problems. As companies rush to refashion themselves for the digital age, recent news on the breakdown of Samsung’s Galaxy Fold device and the USB Killer attack reminds us why businesses shouldn’t ignore the physical world as they focus on digital.
The first cautionary tale involves the immediate breakdown of the latest Samsung Galaxy Fold device following its public testing release. The nearly $2,000 Fold officially goes on sale April 26, but unfortunately for Samsung, it’s getting off to a rough start. As reviewers were testing the device, several experienced problems with the phone’s 7.3-inch foldable display.
Many reviewers removed a thin protective film from the Fold’s screen, assuming it was meant to be removed like the plastic wrapping that is often used in the packaging for new phones. However, they found that removing this layer appeared to have caused or likely contributed to the complete failure of the device’s screen. Other reviews reported that the Fold’s screen suddenly began to bulge or crack, resulting in a broken screen.
In response to the reports of broken screens, Samsung issued the following statement: “A limited number of early Galaxy Fold samples were provided to media for review. We have received a few reports regarding the main display on the samples provided. We will thoroughly inspect these units in person to determine the cause of the matter.”
In press releases, Samsung has said the Fold can withstand 200,000 folds and unfolds, but clearly their testing either didn’t catch these potential flaws or the product was rushed to market in spite of them. It’s also possible the reviewers weren’t given final-release hardware, but with less than a week until launch, it is hard to believe the latter statement. The push for new technology has led to what is looking to be poor product design.
The second cautionary tale involves a former student from The College of Saint Rose, a private school in New York. According to a report, a former student used a USB Killer device to destroy 59 computers, multiple monitors, and several computer-enhanced podiums. The college’s losses totaled more than $58,000 in hardware and staff time.
The defendant was caught due to a combination of video surveillance and his own arrogance. According to Albany’s Times Union, cameras captured footage of a man whom federal agents and college staff identified as the defendant. And according to the plea agreement, the defendant used his personal iPhone to film himself performing the attacks while making statements like “it’s dead” and “it’s gone. Boom.”
Even before ESD weapons like the USB Killer surfaced, USB ports posed a significant security risk. For decades, IT departments have balanced the convenience of USB ports for transferring data and connecting peripherals against their ability to facilitate the exfiltration of sensitive data and installation of malicious code.
Combine the inherent risks of USB drives with the propensity of people to pick up random thumb drives and stick them in the nearest computer, and you have a frustratingly hard-to-counter and dangerous security threat. Even if college IT staff had disabled the USB ports through software or a more physical manner such as glue, a determined vandal could still have destroyed the machines through less sophisticated, but likely more detectable, means like water or a hammer. Regardless, physical security should always be the foundation for your overall IT security strategy. In the college’s case, better access controls, such as keycards for authorized personnel, may have prevented the defendant from gaining access to the machines.
Although different in their scope (product testing vs. physical security), both tales illustrate the importance of keeping an eye on how real people interact with your physical devices in the real world. A lesson we should all keep in mind.