Bring Your Own Spy – BYOD gone wrong

René Pfeiffer/ May 25, 2012/ Discussion, High Entropy, Security

It is reasonably safe to assume that anyone doing business has meetings from time to time. Meeting people and talking to them (or listening) is part of many companies’ culture. What do you bring for your meeting? A computer? Maybe. Paper and pencils? Old school, but why not. Your cell phone? Most probably! Unfortunately, this also means that you might invite some spies to the conference.

Postcard of Mata Hari in Paris

Meet your new voice assistant.

We have already talked about the BYOD challenge. Combining the BYOD approach with information security is hard, bordering on the impossible. There are some strategies out there for securing your device(s) (in this case from Software Advice, but others have checklists, too). You can also use the Might of Security Policies™ against the threat (we all know that all users follow any written policy any time). However, there’s one aspect when it comes to cell phones and other devices you can talk to: they listen! This is a fundamental design feature. While most phones have a mute button, using it all of the time defeats the purpose of the specific device. This is where smart phones come in. Some of them have voice interfaces. They can be found on iOS and on Android. Your voice commands are digitised and interpreted. In order to do this, your smart phone uses the recorded data and phones home to ask the big computing resources (did someone say cloud again?) for advice. While this is fairly useful, the process is also known as spying when viewed from a different angle. Some companies have realised this and banned Mata Siri from internal company meetings. Of course, Siri works full time for Apple, but Android has a voice interface, too. Plus there are voice interface applications all around the application stores.

When it comes to information security, you have to think in all directions. If you have to implement data loss prevention or hold meetings inside your office (with closed doors), you should catch up on creative ways to subvert your shiny BYOD-procured gadgets before your adversaries do. BTW, did you know that DeepSec 2012 is really interested in data loss prevention and ways to exfiltrate data (for educational purposes only)? If you know a way to make Mata Siri and her gang work for us/them/somebody, then let us know. The CfP is open for submissions.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.