When secure facilities say “no devices allowed,” that’s not necessarily the case.
Exceptions are being granted for personal medical devices, health monitors and other operation-associated devices, especially in defense areas where human performance monitoring devices can be core to the mission.
The problem: most of these devices have radio frequency (RF) communication interfaces such as Bluetooth, Bluetooth Low Energy (BLE), Wi-Fi, Cellular, IoT or proprietary protocols that can make them vulnerable to RF attacks, which by their nature are “remote attacks” from beyond the building’s physical perimeters.
Questions are now being asked about the ability to allow some devices in some areas, some of the time, resulting in the need for stratified policy and sophisticated technology which can accurately distinguish between approved and unapproved electronic devices in secure areas.
The invisible dangers of RF devices
RF-enabled devices are prevalent in the enterprise. According to Ericsson’s Internet of Things Forecast, there are 22 billion connected devices and 15 billions of these devices have radios. Furthermore, as the avalanche of IoT devices grows, cyber threats will become increasingly common.
Wireless devices in the enterprise today include light bulbs, headsets, building control systems, and HVAC systems. Increasingly vulnerable and risky are wearables. Wearables with data exfiltrating capabilities include Fitbits, smartwatches and other personal devices with embedded radios and variety of audio/video capture, pairing and transmission capabilities.
Understanding the current policy device landscape
The RF environment has become increasingly complicated over the past five years because more and more devices have RF interfaces that can’t be disabled. Secure facilities with very strict RF device policies are making exceptions to the “No Device Policy” into a more stratified approach: “Some Device Policy.” Examples of a stratified policy are whitelisting devices with RF interfaces such as medical wearables, Fitbits and vending machines. Some companies are geofencing certain areas in facilities, such as Sensitive Compartmented Information Facility (SCIFs) in defense facilities.
Current policies are outdated
While some government and commercial buildings have secure areas where no cell phones or other RF-emitting devices are allowed, detecting and locating radio-enabled devices is largely based on the honor system or one-time scans for devices. Bad actors do not follow the honor system and one-time scans are just that: one time and cannot monitor 24×7.
Benefits of implementing RF device security policy
In a world where security teams need to detect and locate unauthorized cellular, Bluetooth, BLE, Wi-Fi and IoT devices, there are solutions available and subsequent benefits to enforcing device security policies: ..[…] Read more »…