Security and policy surrounding bring your own devices (BYOD)

As the proliferation of devices continues to capture the imagination of consumers, and has ignited what is referred to as bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.

Last week, several media reports surfaced of an attack on the European Parliament in which some members allegedly had their email unlawfully accessed. Initial media speculations inaccurately implied that the attack used a vulnerability in Microsoft’s Exchange ActiveSync. While details and specifics of this attack unfold, based on our initial assessment, we have determined this is not a vulnerability in the ActiveSync protocol; the issue is how third party devices handle authentication of certificates.  

This type of attack has been previously discussed at the Black Hat 2012 Conference. Enhancements to newer versions of Windows Phone block this type of attack automatically. In fact, Microsoft’s implementation of Exchange ActiveSync on Windows Phone regularly protects customers from this type of attack, as it does not allow a malicious certificate to be trusted by the device. 

Third party software developers license, and can modify, Exchange ActiveSync from Microsoft to ensure that customers can receive their email on any device. Third party developers are responsible for ensuring that their implementation of the Exchange ActiveSync protocol is secure. That said, there are also ways in which customers can help protect themselves from similar types of attacks:

  • Become familiar with “Understanding security for Exchange ActiveSync
  • Configure Exchange ActiveSync to use a trusted certificate
  • Set restrictions based on device model and device type to only allow well-implemented clients
  • Clearly define policy to ensure devices support the security functionality required and only use devices that do not accept automatic or prompted certificate renewal

We strongly encourage all customers evaluating a BYOD business strategy to ensure they fully understand the various security features and capabilities of the devices that are brought into their organization. 

Matt Thomlinson
General Manager
Trustworthy Computing Security