Can you really wipe a mobile device remotely?

Ken Munro 20 Feb 2014

I often talk to IT managers in businesses that have allowed users to connect personal mobiles to Exchange or other business email systems. I see it with corporate mobiles too.

Sometimes the user may be asked to sign a usage policy, which includes the right to remotely wipe the device if lost or stolen. That way, corporate data cached on the mobile doesn’t get exposed.

Sounds pretty secure, doesn’t it?

There are a few problems with this though:

First, as a result of tracking technologies such as ‘Find my iPhone’, thieves are already using RF shielded forensic bags to stop any GSM or Wi-Fi signals reaching the phone. That stops the police tracking the phone, but also means that you can’t wipe it remotely.

Hopefully the thief just wants to sell the phone after wiping it, but what if they’re more interested in the data on it, or have stolen it to order?

If we are asked to seize a phone as part of a legitimate forensic investigation, it immediately goes in an RF shielded bag. When starting to work on it, we un-bag it in a Faraday cage in the office. No phone or data signal, no ability to wipe it.

An RF shielded bag

Some policies force a remote wipe automatically if the device hasn’t ‘checked in’ for a while. Great idea, but if the ‘check in’ timespan is longer than it takes for the PIN to be cracked, then you have a problem. My next point is very relevant to this:

Second, many businesses enforce policy on the device using Exchange or an MDM product. If it’s just an enforced policy, then PIN length becomes very important for security, as does the hardware and software version of the phone.

I’ve talked about this before, but upping the PIN length to 6 or 8 digits can make a huge difference. If you can slow down a PIN crack long enough for the user to report the theft, lock the domain account and manage the incident, you have a chance. Older phone hardware (e.g. < iPhone 4S) and older operating system software versions can render even longer PINs useless.

Think carefully about which phone hardware and software versions you allow to connect to Exchange or your MDM.
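The check-in window and PIN length trade-off above can be put into numbers with a small policy audit. This is an added example, not code from the original post: the per-guess time, the wipe window, the response time and the device inventory are all constructed assumptions, and the model covers only guess rate, so measure real figures for the hardware and OS versions you actually allow.

```python
from dataclasses import dataclass

@dataclass
class Enrolment:
    user: str
    pin_digits: int
    seconds_per_guess: float   # ASSUMED: measure this for each hardware/OS you allow
    checkin_wipe_hours: float  # policy: auto-wipe if no check-in for this long

def expected_crack_hours(pin_digits: int, seconds_per_guess: float) -> float:
    """Hours to try half of the numeric PIN keyspace (the average case)."""
    return (10 ** pin_digits) * seconds_per_guess / 2 / 3600

def min_pin_digits(seconds_per_guess: float, hours_needed: float) -> int:
    """Shortest numeric PIN whose average crack time outlasts hours_needed."""
    digits = 1
    while expected_crack_hours(digits, seconds_per_guess) < hours_needed:
        digits += 1
    return digits

def assess(e: Enrolment, response_hours: float) -> list[str]:
    """Return policy findings for one enrolled device (empty list means OK)."""
    crack = expected_crack_hours(e.pin_digits, e.seconds_per_guess)
    findings = []
    if crack < e.checkin_wipe_hours:
        findings.append("check-in wipe fires too late")
    if crack < response_hours:
        findings.append("PIN falls before incident response completes")
    if findings:
        target = max(e.checkin_wipe_hours, response_hours)
        findings.append(f"needs >= {min_pin_digits(e.seconds_per_guess, target)} digits")
    return findings

# Constructed sample inventory; every figure below is illustrative.
INVENTORY = [
    Enrolment("alice", 4, 0.08, 24),
    Enrolment("bob", 6, 0.08, 24),
    Enrolment("carol", 8, 0.08, 24),
]
RESPONSE_HOURS = 8  # ASSUMED time to get the theft reported and the account locked

if __name__ == "__main__":
    for e in INVENTORY:
        hours = expected_crack_hours(e.pin_digits, e.seconds_per_guess)
        print(f"{e.user}: {e.pin_digits}-digit PIN, ~{hours:.1f} h average",
              assess(e, RESPONSE_HOURS) or "ok")
```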

Third, what if the mobile user jailbreaks their phone? This can present a major security issue, as the mobile device security can be almost completely removed by the user, often unintentionally, just because they want to install cracked apps for free. Jailbreak frameworks have tools available (e.g. xCon) to prevent you detecting that the device has been jailbroken.

Fourth, you might think that by changing the user’s domain credentials and connecting their replacement phone, you’ve closed the incident. In the case of Android, having cracked the phone PIN, one might load an app containing malware to the Google Play store, then install it to the phone. It syncs with Google Play, the user configures and re-syncs their new phone, and the malware now installs on to their new phone. A persistent attack…

Don’t connect any mobile devices to Exchange without giving really serious thought to the risks. Senior execs can apply a lot of pressure to make it happen, yet often have the most sensitive data in their mail accounts.

Without sucking eggs, I don’t recommend you say ‘no’ – say ‘yes, if we manage the risks properly’ then explain the risks and potential solutions.

I’m often asked to explain the risks of mobile devices at board level. If you need a hand making the case for secure use of mobiles, do drop me a line.