Perhaps this is one reason why so many security professionals are focused on controlling and, in particular, remote wiping physical endpoints. Even more surprising is the anecdotal evidence that security professionals are willing to allocate up to a third of their mobile device management (MDM) budgets to this one effort. On the surface, this seems to be a reasonable approach to protection of remote data at rest. The algorithm is simple: If confidential data on a mobile device is threatened, then nuke it.
The truth, however, is that when used as a security control, remote wiping represents a conventional way of attempting to solve a problem that is no longer conventional.
This is particularly true when – as is often the case – the mobile device is owned by the employee. Even when implemented and managed correctly (the exception – not the rule), remote wipe does not lower risk in any significant way; it obfuscates the workable processes that do function to protect remote confidential data and creates the potential for very real privacy-related litigation (When Your Company Kills Your iPhone).
MDM is not the Issue
I can imagine that if an employee at one of the 60 or so MDM companies that have popped up recently were to read the paragraph above, they might disagree with me at best or offer to pay for a hanging rope at worst. I wouldn’t blame them. However, I would argue that they are missing my point. I’m all for management of mobile devices. If a device is granted access to corporate information resources, then it needs to have user/group access and password policies enforced, it needs to be tagged, tracked, logged, backed up – all of the normal and proper asset management procedures should apply to any device, regardless of its type or location.
With this in mind, enterprise IT and IT security must leverage the increasing consumerization of mobile devices in order to maximize corporate profitability, while simultaneously protecting corporate information assets.
There is real dissonance here. MDM vendors have (naturally) taken advantage of this conflict and have, in many cases, pushed their particular solutions past those solutions’ intended design parameters – management – into security, primarily by integrating some type of remote wipe capability.
The Case Against Remote Wipe
OK. Let’s assume for a minute that remote wipe is on your checklist when you go shopping for a mobile security solution. You are looking for peace of mind when a mobile device gets lost or stolen or when an employee leaves the organization. You want to be certain that confidential corporate data on the compromised device is deleted and that access to corporate applications, hardware and data is disabled. Remote wipe gives you that assurance, right?
Nope. Not when you step back and think about it.
In this rapidly changing, virtualized, mobile world, the crucial enterprise security challenge is protecting against loss of confidential corporate data. To this end, we have a plethora of policies, processes and tools that work most of the time. If, in your security procedures, a situation arises where an administrator’s only option is to remote wipe, then it’s already too late. You can wipe the barn door (and the barn if you like) but the horse is long gone. In our field, you have just one chance to protect data.
When it’s gone, it’s gone.
MDM vendors will argue that this simply isn’t true – that the data sitting on the device can still be protected by destroying it. In a perfect world when the stars line up, they might be right. But it’s not and they rarely do.
First: Let’s start with physics. The current generation of mobile devices uses primarily NAND flash for storage, not a hard drive. Although, from a user perspective, flash appears to work like a hard drive, functionally they are quite different.
There are a number of other subtle issues with ensuring that an entire flash memory module has been forensically erased. The point here is that deleting all of the files on a flash-based device is more complicated than simply formatting the drive, since the remote wipe vendor has to integrate with a host of embedded controllers in an increasingly heterogeneous environment. Simply put – in the real world, remote wipe doesn’t work very well.
Second: Users often jailbreak, root or otherwise modify their device’s operating system. From a security standpoint, this is a double-edged sword. On the one hand, users who modify their devices in this way are often technically savvy and thus are presumably more likely to be aware of potential security-related issues. On the other hand, jailbreakers/kernel hackers contribute additional complexity to MDM in an already heterogeneous environment. And, importantly, how do we remote wipe these devices? Well, first we have to detect that a device has been modified. For most of the remote operating systems, this is either difficult or impossible since the API calls that can be queried about jailbreak status are often the first calls changed as part of the jailbreak.
Remote wipe advocates may argue, “But 95% of our mobile devices are iOS-based and Apple provides hooks for our MDM solutions.”
This was true until December of 2010 when Apple – for whatever reason - removed the jailbreak detection API. Since that time, MDM vendors have been forced to invent methods that allow them to semi-reliably detect jailbroken iOS devices. All of these methods ultimately rely upon location services for iOS validation, and none of them are foolproof. Thus, your remote wipe capability for iOS users depends upon first tracking the location of all of your users every time they switch to a new cell tower and then upon the inconsistent ability of your MDM solution to access iOS primitives (forbidden by Apple, BTW). Even if we assume that all of this works as planned, your organization will still have to deal with many users who believe (understandably) that they have the civil right not to be tracked 24x7 by their employers.
The bottom line is that remote wipe of modified mobile devices cannot be relied upon with a high degree of confidence.
Third: In general, remote wipe – when it does work - is a bludgeon. It has little or no contextual awareness and often indiscriminately destroys both corporate and personal data.
This has a number of implications. There are the obvious negative consequences of erroneous wipe and privacy concerns. To my mind, the most interesting are the potential legal consequences, as it is certain (at least in the US) that entities that push the remote wipe button will have to allocate resources to defend themselves in civil courts against at least three serious tort violations:
Invasion of Privacy by Offensive Intrusion (The defendant invades the plaintiff's solitude, seclusion, private affairs or personal concerns)
Trespass to Personal Property (The wrongful dispossession of a person's personal property)
Conversion (Generally, conversion involves a misappropriation of plaintiff's property to the use of the tortfeasor or wrongdoer
In the context or remote wipe, these are all reasonable allegations and will provide additional headaches for those who opt for this approach.
Fourth: It is trivial to war-game any number of scenarios where remote wipe can be circumvented. If we have learned anything in the practice of information security in the last twenty years, it is that as we attempt to fence users in, they will – either purposely or inadvertently – invent ingenious ways to circumvent the controls that we put in place. A recent global survey conducted by Fortinet revealed that 1 in 3 mobile device users would contravene their company’s security policy in order to use their personal device for work purposes.
"You wiped my email?" No problem. I have the content stored as a PDF or JPG image.
"You nuked my entire device?" That’s OK. I replicated all of the important stuff to Facebook, several different cloud storage providers and my home computer using Google +, Evernote, Pocket, Delicious, Direct USB, etc.
The point here is that if remote wipe is a component of n number of specific security controls, it is not difficult to imagine at least n+1 means of circumventing those controls.
In conclusion, the capability to remote wipe devices is often a checklist item when hunting for an MDM or mobile security solution. But, as outlined above, endpoints can't be trusted.They can only be authenticated. Well… they can also be lost or stolen. Most information security professionals recognize this, and they understand that, fundamentally, the integrity of an endpoint is always suspect. To that end, rational design of any data protection strategy depends upon integrating and managing a number of possibly related security controls (defense-in-depth) regardless of the state of the endpoint.
We already possess proven tools, protocols and techniques that can be used to economically manage these risks.
Some of them may not be as cool as remote wipe, but unlike remote wipe, they are technically sensible, they are economically rational, and they work.
* Thomas Porter is senior director of enterprise security at Fortinet.