The High Cost of Handsfree

More and more wired peripherals are connected to the office computer, yet at the same time people want to be more wireless. They want a wireless keyboard, a wireless mouse and a wireless headset. Its a little bit ironic that people accept wires for their non-work related USB devices, but they “can’t stand the clutter” when it comes to using standard keyboards and mice.
This article from DarkReading reports on the ease of interception of wireless headset technologies and how they used information gathered through that means to socially engineer themselves into a badge and desk inside a company they were hired to pentest. Not only could they listen to phone conversations with a off-the-shelf scanner, in some cases the headset remained active after a call ceased, this effectively bugged the office!
A UPI version of the article spoke to Bob Hayes, managing director of the Security Executive Council who downplayed the issue.

“There are a lot of threats that are technically possible,” he said, pointing out that monitoring telephone conversations that way without permission was a federal crime. “Why would I do that,” he asked, “when I could get the same information a dozen different ways?” For instance by going through someone’s garbage, pretext phone calling, or eavesdropping on conversations at trade shows.

It not as if this is a far fetched Hollywood style plot. Its one thing to do a risk analysis and determine its not worth taking action. Its another to just say “we’ve got bigger fish to fry”.
Jack Johnson, former chief security officer for the Department of Homeland Security and now a partner in the Washington federal practice at Price Waterhouse Coopers had a more common response. “In general when it came to new technology, “ease -of-use considerations tend to trump security.”” Its only later that the vulnerabilities are discovered. The CxO has to have the cool toys today.
One would wish that after so many years we would stop making the same mistakes. Security needs to be baked in early on. It cannot be the dismissed factor in the triad of Security – Usability – Cost.
Wireless keyboards are also an issue. In November 2007 DreamLab Technologies announced that due to weak encryption in Microsoft wireless keyboards they were able to capture and decrypt keystrokes. Would you intentionally set yourself up for wireless keystroke logging?
Now maybe I’m just jealous that my plantronics headset is from the last millennium and I’m using a standard dell USB keyboard. But it seems to me that the inherent risks in going wireless need to be addressed in any product used in the enterprise. It would be for the best if standards were followed in a company and products analyzed rather than implementing a hodgepodge of whatever is personal preference.