The fallacy of remote wiping

Summary: Thomas Porter argues that remote wiping of mobile devices should not be relied upon as a security control.

Guest editorial by Thomas Porter

Recently published data indicate that the average businessperson carries 3.5 mobile devices: a laptop, a tablet or netbook, and one or two cellular phones. This number has doubled in three years and, in all likelihood, will continue to grow.

Perhaps this is one reason why so many security professionals are focused on controlling physical endpoints and, in particular, on remote wiping them. Even more surprising is the anecdotal evidence that security professionals are willing to allocate up to a third of their mobile device management (MDM) budgets to this one effort. On the surface, this seems to be a reasonable approach to protecting remote data at rest. The algorithm is simple: if confidential data on a mobile device is threatened, then nuke it.

The truth, however, is that when used as a security control, remote wiping represents a conventional way of attempting to solve a problem that is no longer conventional.

This is particularly true when, as is often the case, the mobile device is owned by the employee. Even when implemented and managed correctly (the exception, not the rule), remote wipe does not lower risk in any significant way; it obscures the processes that actually do protect remote confidential data and creates the potential for very real privacy-related litigation (When Your Company Kills Your iPhone).

MDM is not the Issue

I can imagine that if an employee at one of the 60 or so MDM companies that have popped up recently were to read the paragraph above, they might disagree with me at best or offer to pay for a hanging rope at worst. I wouldn’t blame them. However, I would argue that they are missing my point. I’m all for management of mobile devices. If a device is granted access to corporate information resources, then it needs to have user/group access and password policies enforced, it needs to be tagged, tracked, logged, backed up – all of the normal and proper asset management procedures should apply to any device, regardless of its type or location.

With this in mind, enterprise IT and IT security must leverage the increasing consumerization of mobile devices in order to maximize corporate profitability, while simultaneously protecting corporate information assets.

There is real dissonance here. MDM vendors have (naturally) taken advantage of this conflict and have, in many cases, pushed their particular solutions past those solutions’ intended design parameters – management – into security, primarily by integrating some type of remote wipe capability.

The Case Against Remote Wipe

OK. Let’s assume for a minute that remote wipe is on your checklist when you go shopping for a mobile security solution. You are looking for peace of mind when a mobile device gets lost or stolen or when an employee leaves the organization. You want to be certain that confidential corporate data on the compromised device is deleted and that access to corporate applications, hardware and data is disabled. Remote wipe gives you that assurance, right?

Nope. Not when you step back and think about it.

In this rapidly changing, virtualized, mobile world, the crucial enterprise security challenge is protecting against loss of confidential corporate data. To this end, we have a plethora of policies, processes and tools that work most of the time. If, in your security procedures, a situation arises where an administrator’s only option is to remote wipe, then it’s already too late. You can wipe the barn door (and the barn if you like) but the horse is long gone. In our field, you have just one chance to protect data.

When it’s gone, it’s gone.

MDM vendors will argue that this simply isn’t true – that the data sitting on the device can still be protected by destroying it. In a perfect world when the stars line up, they might be right. But it’s not and they rarely do.

First: Let's start with physics. The current generation of mobile devices uses NAND flash for storage, not a hard drive. From the user's perspective flash appears to behave like a hard drive, but functionally the two are quite different. A NAND page cannot be overwritten in place: each write goes to a freshly erased page and the controller's translation layer remaps the logical block to it, leaving the old copy intact until the controller eventually erases that block for its own wear-levelling or garbage-collection reasons. Overwriting a file from the operating system therefore does not guarantee that the cells which held the original have been cleared.

There are a number of further subtle issues with ensuring that an entire flash memory module has been forensically erased. The point here is that deleting all of the files on a flash-based device is more complicated than simply formatting a drive, since the remote wipe vendor has to integrate with a host of embedded controllers in an increasingly heterogeneous environment. Simply put: in the real world, remote wipe doesn't work very well.
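The following is an added illustration, not code from the article or from any device vendor. It models a deliberately simplified flash translation layer (no garbage collection, one page per write) to show that a zero-overwrite issued by the host leaves the original page readable to a chip-off read, and contrasts that with a design in which data at rest is encrypted and the wipe consists of discarding the key. The secret, page size and the SHA-256-based toy stream cipher are all constructed for the example; a real device would use AES with a hardware-protected key, and whether a given device wipes by key destruction is a question to put to its vendor.

```python
"""Toy flash translation layer (FTL): why an OS-level overwrite does not clear
the NAND page that held the data, and how key destruction sidesteps the problem.
Added example; the FTL is a simplified model and stands in for no real controller."""
import os
from hashlib import sha256

PAGE_SIZE = 16  # bytes per page in this toy model (constructed)


class ToyFlash:
    """NAND-like store: a page is written once and cannot be overwritten in
    place, so every write lands on a fresh page and the old one goes stale."""

    def __init__(self, n_pages):
        self.pages = [None] * n_pages  # physical pages; None means erased
        self.l2p = {}                  # logical block address -> physical page
        self.next_free = 0             # log-structured allocation pointer

    def write(self, lba, data):
        if len(data) != PAGE_SIZE:
            raise ValueError("toy model writes exactly one page at a time")
        if self.next_free >= len(self.pages):
            raise RuntimeError("no erased pages left (garbage collection not modelled)")
        self.pages[self.next_free] = bytes(data)
        self.l2p[lba] = self.next_free  # remap; the previous page is now stale
        self.next_free += 1

    def read(self, lba):
        """What the OS sees through the controller: the current mapping only."""
        return self.pages[self.l2p[lba]]

    def chip_off_dump(self):
        """What a forensic read of the raw chip sees: every page, mapped or stale."""
        return [p for p in self.pages if p is not None]


def host_overwrite_wipe(flash, lba):
    """A naive 'secure delete': overwrite the logical block with zeros."""
    flash.write(lba, b"\x00" * PAGE_SIZE)


def residue_after_overwrite(secret):
    """Returns (what the OS reads back, whether the secret is still on the chip)."""
    flash = ToyFlash(n_pages=8)
    flash.write(0, secret)
    host_overwrite_wipe(flash, 0)
    return flash.read(0), secret in flash.chip_off_dump()


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode), used only to keep the example
    dependency-free; it is not a recommendation for any real system."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def residue_after_crypto_wipe(secret):
    """Data at rest is encrypted under a key the controller never writes to NAND.
    Returns (readable with the key, plaintext visible anywhere on the chip).
    The wipe is then simply discarding the key; stale ciphertext pages stay
    behind but are useless without it."""
    key = os.urandom(32)
    flash = ToyFlash(n_pages=8)
    flash.write(0, keystream_xor(key, secret))
    readable_with_key = keystream_xor(key, flash.read(0)) == secret
    plaintext_on_chip = secret in flash.chip_off_dump()
    del key  # the 'wipe'
    return readable_with_key, plaintext_on_chip


if __name__ == "__main__":
    secret = b"SECRET-ACCT-0042"  # constructed 16-byte page of 'confidential' data
    os_view, on_chip = residue_after_overwrite(secret)
    print("after overwrite: OS reads", os_view, "| secret still on chip:", on_chip)
    readable, on_chip = residue_after_crypto_wipe(secret)
    print("encrypted at rest: readable with key:", readable, "| plaintext on chip:", on_chip)
```

The first function shows the author's physics point: the operating system sees zeros, the chip still holds the account number. The second shows why the question to ask an MDM or device vendor is not "does the wipe overwrite the storage" but "where does the key live and is it destroyed", since without that, no amount of overwriting is trustworthy on flash.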

Second: Users often jailbreak, root or otherwise modify their device's operating system. From a security standpoint, this is a double-edged sword. On the one hand, users who modify their devices in this way are often technically savvy and thus presumably more likely to be aware of potential security-related issues. On the other hand, jailbreakers and kernel hackers add complexity to MDM in an already heterogeneous environment. And, importantly, how do we remote wipe these devices? Well, first we have to detect that a device has been modified. For most mobile operating systems, this is either difficult or impossible, since the API calls that can be queried about jailbreak status are often the first calls changed as part of the jailbreak.

Remote wipe advocates may argue, “But 95% of our mobile devices are iOS-based and Apple provides hooks for our MDM solutions.”

This was true until December 2010, when Apple, for whatever reason, removed the jailbreak detection API. Since then, MDM vendors have been forced to invent methods that allow them to semi-reliably detect jailbroken iOS devices. All of these methods ultimately rely upon location services for iOS validation, and none of them is foolproof. Thus, your remote wipe capability for iOS users depends first upon tracking the location of all of your users every time they switch to a new cell tower, and then upon the inconsistent ability of your MDM solution to access iOS primitives (forbidden by Apple, by the way). Even if we assume that all of this works as planned, your organization will still have to deal with many users who believe (understandably) that they have a civil right not to be tracked 24x7 by their employers.

The bottom line is that remote wipe of modified mobile devices cannot be relied upon with a high degree of confidence.
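To make the detection problem concrete, here is an added example that is not code from the article or from any MDM product. It implements the kind of heuristic check a management agent falls back on once no sanctioned API exists (look for well-known jailbreak and root artefacts, probe whether the app can write outside its sandbox) and then models what happens when a tweak on the device hooks exactly the primitives the agent calls. The `DeviceFS` and `HookedFS` classes are stand-ins for the OS calls; the path lists for the stock and jailbroken devices are constructed for the example.

```python
"""Heuristic jailbreak/root detection and why a hooked device defeats it.
Added example, not from the article or any vendor; DeviceFS/HookedFS are
stand-ins for the OS primitives an MDM agent would call."""

# Commonly cited artefacts of jailbreak and root tools (not exhaustive).
INDICATOR_PATHS = [
    "/Applications/Cydia.app",                         # iOS jailbreak app store
    "/Library/MobileSubstrate/MobileSubstrate.dylib",  # iOS hooking framework
    "/bin/bash",                                       # shells not shipped on stock iOS
    "/usr/sbin/sshd",
    "/etc/apt",
    "/system/xbin/su",                                 # Android root binary
    "/system/app/Superuser.apk",
]
# A path outside the app container; a stock device refuses the write.
SANDBOX_PROBE = "/private/mdm_probe.txt"  # hypothetical probe path


class DeviceFS:
    """Honest model of a device: which paths exist and whether a sandboxed
    app can write outside its container."""

    def __init__(self, present, escaped_sandbox):
        self.present = set(present)
        self.escaped_sandbox = escaped_sandbox

    def exists(self, path):
        return path in self.present

    def can_write(self, path):
        return self.escaped_sandbox


class HookedFS(DeviceFS):
    """The same device after a tweak hooks the primitives the agent relies on:
    lookups for the tell-tale paths report 'absent' and the sandbox probe is
    made to fail, so the agent sees whatever the jailbreak wants it to see."""

    def exists(self, path):
        if path in INDICATOR_PATHS:
            return False
        return super().exists(path)

    def can_write(self, path):
        return False


def assess(fs):
    """Gather indicators through the (possibly hooked) primitives and decide."""
    evidence = [p for p in INDICATOR_PATHS if fs.exists(p)]
    if fs.can_write(SANDBOX_PROBE):
        evidence.append("write-outside-sandbox:" + SANDBOX_PROBE)
    return {"modified": bool(evidence), "evidence": evidence}


# Constructed device images for the demonstration.
STOCK = ["/Applications/Safari.app", "/usr/lib/libSystem.B.dylib"]
JAILBROKEN = STOCK + ["/Applications/Cydia.app", "/bin/bash", "/etc/apt"]


def demo():
    """Run the same check against a stock device, a jailbroken device whose
    primitives are untouched, and the same jailbroken device with hooks."""
    return {
        "stock": assess(DeviceFS(STOCK, escaped_sandbox=False)),
        "jailbroken_unhooked": assess(DeviceFS(JAILBROKEN, escaped_sandbox=True)),
        "jailbroken_hooked": assess(HookedFS(JAILBROKEN, escaped_sandbox=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} modified={result['modified']!s:5s} evidence={result['evidence']}")
```

The unhooked jailbroken device is caught by three path hits and the sandbox probe; the hooked one reports clean with identical contents on disk. That is the author's point in code: a wipe decision gated on "is this device modified" rests on primitives that the very modification being looked for is in a position to replace.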

Third: In general, remote wipe, when it does work, is a bludgeon. It has little or no contextual awareness and often indiscriminately destroys both corporate and personal data.

This has a number of implications. There are the obvious negative consequences of an erroneous wipe, and the privacy concerns. To my mind, the most interesting are the potential legal consequences, as it is certain (at least in the US) that entities that push the remote wipe button will have to allocate resources to defend themselves in civil courts against at least three serious tort claims:

  • Invasion of Privacy by Offensive Intrusion (the defendant invades the plaintiff's solitude, seclusion, private affairs or personal concerns)
  • Trespass to Personal Property (the wrongful dispossession of a person's personal property)
  • Conversion (generally, a misappropriation of the plaintiff's property to the use of the tortfeasor or wrongdoer)

In the context of remote wipe, these are all reasonable allegations and will provide additional headaches for those who opt for this approach.

Fourth: It is trivial to war-game any number of scenarios where remote wipe can be circumvented. If we have learned anything in the practice of information security in the last twenty years, it is that as we attempt to fence users in, they will – either purposely or inadvertently – invent ingenious ways to circumvent the controls that we put in place. A recent global survey conducted by Fortinet revealed that 1 in 3 mobile device users would contravene their company’s security policy in order to use their personal device for work purposes.

"You wiped my email?" No problem. I have the content stored as a PDF or JPG image.

"You nuked my entire device?" That’s OK. I replicated all of the important stuff to Facebook, several different cloud storage providers and my home computer using Google +, Evernote, Pocket, Delicious, Direct USB, etc.

The point here is that if remote wipe is a component of n number of specific security controls, it is not difficult to imagine at least n+1 means of circumventing those controls.

In conclusion, the capability to remote wipe devices is often a checklist item when hunting for an MDM or mobile security solution. But, as outlined above, endpoints can't be trusted. They can only be authenticated. Well… they can also be lost or stolen. Most information security professionals recognize this, and they understand that, fundamentally, the integrity of an endpoint is always suspect. To that end, rational design of any data protection strategy depends upon integrating and managing a number of possibly related security controls (defense-in-depth) regardless of the state of the endpoint.

We already possess proven tools, protocols and techniques that can be used to economically manage these risks.

Some of them may not be as cool as remote wipe, but unlike remote wipe, they are technically sensible, they are economically rational, and they work.

* Thomas Porter is senior director of enterprise security at Fortinet.

Topics: Security, Android, iPhone, Mobile OS, BlackBerry

Talkback

26 comments
  • Remote Wiping

    What if the device is not connected to the internet or has access to a cell signal? Isn't it possible a wipe might never occur or it might take place after the information has been copied to another location.
    quadwind
  • Talk about a worthless read, Thomas Porter...

    By your logic, we shouldn't bother with security at all, it can all be circumvented... Your worthless rant can be twisted into an excuse (for those that like to lie to themselves) to do nothing at all about anything and everything... Perhaps you shouldn't mow the lawn because the grass is just going to grow back... Remote wipe is just an extra tool in a bucket of many. Accounts can be disabled, employees can sign company policy guidelines that tell them jailbreaking/rooting is strictly forbidden, etc. Your perspective is so narrow and retentive that it is automatically void and null... By your logic we shouldn't let any employees nor ourselves even step out of the door... Heck, we better not even leave our homes... BABIES!!! STAY IN THE WOMB!!!DO NOT ALLOW YOURSELVES TO BE BORN!!!

    Get a clue and buy a vowel Thomas Porter, the world is a much better place when you live in the real world... And in the real world, no one but a fool would assume that anyone in the IT world would rely on remote wipe as their only means of mobile security.
    i8thecat4
    • Company can set policy if they buy the device

      The focus of the article is on BYOD. If the company buys the device then the company can set the policy. To expect the employee to "sign company policy guidelines that tell them jailbreaking/rooting is strictly forbidden" on a device they paid for is absurd. Sorry, my "company" cell phone is a Nokia 3210 on a voice-only plan. If the company wants me to receive email on the phone they will have to upgrade the phone and calling plan. Development is done on my personal laptop, and backed up on at least 3 different external drives. No, you cannot install anything on it. If the company wants to control the device, the company will have to buy it.
      john-whorfin
      • What rock do you live under???

        If a company wants to set policy on a BYOD device, they can... An employee doesn't have to bring their own device. But if they do and they want to use it as a BYOD device, there can be policy rules that apply to it. This is a no brainer in any state in the US. Crawl out from under your rock and take a deep breath.
        i8thecat4
      • How does policy compliance change...

        Whether it's personal or company issued?

        "If the company buys the device then the company can set the policy. To expect the employee to "sign company policy guidelines that tell them jailbreaking/rooting is strictly forbidden"on a device they paid for is absurd."

        If an employee signs a policy to get company resources on their personal device, they're no more/less likely to break policy than if the phone was company issued. The key word is "if". That's a personal decision, and many have chosen to do so already, so I doubt those felt it absurd.

        Employees have been violating policy since long before the term BYOD ever existed. In fact, if your company has decent policies, you're probably breaking policy, based on your comment.
        TroyMcClure
    • Why would you EVER have security when

      a user can just write information on a piece of paper and take it home. Everything is insecure given these extreme cases.

      I agree, this is a worthless article.
      mlewis@...
    • Thanks for your reply

      However, it's clear that you have completely missed the point of this article. In the context of BYOD, my argument is that while many security admins are using or planning to use remote wipe as the major weapon in their arsenal of security tools; the best practice is to use *all* of the tools & processes at our disposal, & that remote wipe is a new, not particularly good one.

      To restate from the article: "Most information security professionals recognize this, and they understand that, fundamentally, the integrity of an endpoint is always suspect. To that end, rational design of any data protection strategy depends upon integrating and managing a number of possibly related security controls (defense-in-depth) regardless of the state of the endpoint."

      As a sidenote: having been in this field for > 20 years, I've come to realize that rationally responding to posts such as yours that include (1) personal attacks, & (2) lots of comments in CAPS, has an extremely low probability of generating any kind of reasonable dialog.
      Thomas Porter, Ph.D.
      • I'd disagree with...

        "many security admins are using or planning to use remote wipe as the major weapon"

        Most of the best practices I've read from mobile "experts", the MDM companies themselves and real world implementations leverage multiple layers of security, and the remote wipe is usually a last defense. Most of what I see leverages some degree of password/PIN, encryption, remote wipe (ideally selective), among others, depending on how exactly your mobile devices are being used for company business.

        Some like GfE even "containerize" company data, not allowing it to pass through to other apps on the device.

        If all those other controls are adequately configured and working properly, remote wipe is just peace of mind and certainly not the centerpiece of a mobile device security strategy. Quite honestly, I view it as the one that is going to be leveraged the least on a day-to-day basis.
        TroyMcClure
      • LOL... Hello Kettle aka Doctor Thom-ass Porter

        "As a sidenote: having been in this field for > 20 years, I've come to realize that rationally responding to posts such as yours that include: (1) personal attacks, & (2) lots of comment in CAP's, has an extremely low probability of generating any kind of reasonable dialog."

        Does your Ph.D. allow you to see the hypocrisy of your own arrogance, Doctor??? It didn't stop you from moronic assumptions like assuming that anyone in the IT world would rely on remote wipe as their only means of mobile security and having the arrogance to write a moronic self-important blog about such an idiotic assumption.

        As a side note, I already knew that pointing out the painfully obvious to a moronic megalomaniac had an extremely low probability of generating any kind of reasonable response. I would thank you for confirming that, but I wouldn't want you to confuse it with sincere gratitude and get an even bigger head than you already have... LOL.. I KNOW.. NOT POSSIBLE!!! RIGHT DOCTOR?
        i8thecat4
        • @i8thecat4

          Actually YOU are the arrogant one. Anyway I have spoken to a few people and they believe that remote wipe is the alpha and the omega of mobile security. What the article was about, is to change exactly this kind of thinking.

          You don't think like that? Good for you. But remember what assumption is. Just because YOU don't think remote wipe is the only solution doesn't mean everyone does.

          I agree with you that remote wipe should be an extra tool in the arsenal, not the only one. However not everyone thinks that way, and this article is aimed at educating THOSE people.

          As a side note, your reply can also be seen as "the hypocrisy of your own arrogance" and you are seeming more like the "megalomaniac" than the author of this article. AND the last response also makes you look like a 5 year old throwing a temper tantrum.

          my 2c
          IceQ
        • @i8thecat4

          It is disappointing that though you seem learned, you are not wise. A simple article that was written to enlighten the general public, and you made it so personal. If you know so much, pick up your pen and write your own article... why become chief critic?

          Honestly, i assume you have a stressed condition to make those comments...But my friend that is most uncivil.
          Gideon Adebayo
    • Re: "By your logic, we shouldn't bother with security at all..."

      "...it can all be circumvented"

      Remind me never to hire you for any job description with the word "security" in it.
      ldo17
    • Talk about missing the point

      Re-read the article--slowly, if it helps. It didn't seem to me that he was recommending against protecting your data or devices. Seemed like he was saying that one particular method shouldn't be relied upon to keep your data/devices secure.

      You sure went off the deep end, though. It was entertaining for a minute. Bravo.
      ReginaPhalange
    • Remote wiping

      Good comments, but I would ask you to be a little less rude.
      There is no need or point in being insulting.
      drjsmithson
  • Stick to the Blackberry with the magic wheel then

    I can wipe my Android phones and lose nothing of consequence. Moreover my phone has a password on purpose to keep people out. I have three exchange accounts along with a host of other cloud services on it. Yes my phone is rooted but I don't want any of my data falling into someone else's hands. Neither would anyone else, IT personnel or just average employee or person. Yes someone can steal, but there are too many ways to steal an address book as you say.
    Unless you are hosting top secret info, no one is going to bother disassembling the phone to get at the flash. The danger with remote wipe is storing sensitive data on the sd card unencrypted. That is rarely wiped and phone passwords are useless if you lose the phone.
    LarsDennert
  • Um

    It's my device; you, as my employer, do not have any business being anywhere near it. If you want me to use a mobile device but have me pay for it, then you are not going to put anything on it. You pay for it, then you can control it; I pay for it, I control it.
    You want to change that well then pony up or get lost.
    sysop-dr
    • Actually....

      If you use YOUR device on THEIR network, and use YOUR device to manipulate THEIR data, then they have every right to wipe your device if it's compromised. That's part of the risks of BYOD and one of the reasons I would never use a personal device at work. If they want me to have one, they can buy it for me.

      On the flip side of this data wipe thing, you have the companies that screw up and wipe huge amounts of devices accidentally. Thomson-Reuters recently tried to wipe a single user's stolen device, screwed it up, and ended up wiping **2100** devices before they figured out what happened. Ooops...... Another reason I'd never bring my personal devices to work.
      Zorched
  • Misuse of the capability...

    ...let's not forget the possibility of hackers, corporate competitors, etc., finding a way to signal our company's devices and tell them to remote wipe. I can see it... I'm in the middle of a demo with potential clients, and the signal is received. Boom. Presentation halted, machine locked, data erasing....

    But I'm sure that could never happen.
    Techboy_z
    • How's that different than...

      having any type of remote access? A hacker could get access to your RDP, Citrix, etc., remote in to your network and do far worse than kill a presentation midstream. Should we throw out all remote access as well?

      Security is often competing with productivity. Give IT free rein to do what they want and most could create an environment that's very difficult to breach. Then go talk to users about how much productivity is lost because they no longer have access to features that improve productivity but at the same time increase risk. Each org has to settle on what security "posture" best mitigates their risks while at the same time allows business to be conducted.
      TroyMcClure
  • another episode of the Jerry Springer show

    Personally, I found this an interesting article. We were discussing exactly this topic here at work last week. I'm a bit dumbfounded by the rabid attacks though. Did I accidentally hit the Jerry Springer website instead of a website supporting IT professionals?
    dgoodale