Sunday, August 26, 2012

Remote Wiping of Phones

Recently I came across an article on Forbes on The Fallacy Of Remote Wiping Your Phone.

The author raises four issues with remote wiping:

First: Ensuring that an entire flash memory module has been forensically erased.

Second: Rooting and jailbreaking.

Third: Remote wipe indiscriminately destroys both corporate and personal data.

Fourth: There are a number of scenarios where remote wipe can be circumvented.

Hmmm. Sounds like a real problem.

But let's look at these in the real world. I discussed this with a former co-worker who has had firsthand experience with remote wipe. The following is a recap of that discussion.

First case is FUD. Today nobody but a three letter agency could recreate files on flash storage in a phone. A presentation at Usenix FAST 11 suggested "none of the available software techniques for sanitizing individual files (from Flash-Based Solid State Drives) were effective" but didn't offer any tools or techniques for actually retrieving files.

Second is a fringe scenario, at least on non-Android platforms. Most people just don't do that. Look around at your friends. How many of them have rooted or jailbroken their phone? Ok, maybe not your friends but look around the office then.

Third can be addressed with policy before you allow a connection. Agreeing to that risk should be a part of the agreement of BYOD.

Fourth is a legitimate concern. My favorite scenario is for the miscreant to simply remove the SIM to avoid the remote wipe.

Recommendations?
  1. Only allow mobile devices that have an application that can be used to remotely wipe data and lock them. The IT department should maintain this list and be responsive in updating it.
  2. Only allow users that have written approval from their management to connect mobile devices to the corporate network. Periodically review this need.
  3. Devices that have been modified or updated to allow security to be bypassed are disallowed. These are commonly known as "rooted" or "jailbroken."
  4. Disallow storing sensitive corporate data on removable media unless encrypted.
Some of these will have to be enforced with spot audits along with recurring policy sign-offs based on the business risk.

No comments: