Comment by wongarsu
8 days ago
Secure Bluetooth requires manufacturers to get the cryptography right. Even big brands like Logitech have gotten that wrong in recent memory, allowing attackers both to decrypt what you type [1] and to inject keystrokes [2]. And these are long-lived devices; even if vulnerabilities get patched in newer devices, there are still plenty of 5-year-old or older mice and keyboards with outdated firmware floating around. Not to mention the possibility of 0-days known to your attacker.
Wired connections are inherently more difficult to attack. In security-critical applications, banning Bluetooth is perfectly reasonable.
Same with keyboards and mice which use insecure USB radio receivers. This company policy doesn't really prevent that.
The best way to correctly fight Shadow IT is to provide equipment and services so good nobody would even care about using something else.
I'm always a proponent of just spending some money on your office equipment. Even a $90 mouse and $200 keyboard cost less than a tenth of a percent of the salary of an average office worker, never mind a developer (amortized over a very conservative 5-year lifespan). Give people the option to choose between 2-3 sanctioned models, throw in some vertical mice and split keyboard options and you can even brag about how much you care about your employees' health.
Some people will always want to bring their own equipment, but a lot of it is caused by penny pinching or lack of options.
> Give people the option to choose between 2-3 sanctioned models
It quickly grows past the 2-3 sanctioned models. Everyone wants something not on the list, lots of bickering of "why was that model chosen?", etc. Well that pre-approved model is $150, this is only $175. Bob got that $175 model, this is only $200, it's not that much. Jenny got that $200 model, this is only $250. Jenny's got a $250 keyboard? I gotta upgrade, here's this $300 model... Wait did the company just buy Bill a 55" 4K display? I need that too...
Suddenly your $150/person budget has exploded to replace everyone's equipment for $1,000+ otherwise it's just not fair someone else got more.
Personally I'm fine with me buying and owning my own kb+m. Maybe give a once a year or two office hardware stipend or whatever. Then otherwise make basic stuff available for free. If you're wanting a $200 keyboard you're probably wanting a particular $200 keyboard, and it's probably not one of those 2-3 approved models.
But what they offer is crap; I like that my company lets me change the equipment.