September 5, 2012

Is 'Remote Wipe' a Panacea for Protecting Missing Devices?

One reassuring security component of most mobile device management (MDM) systems is the ability to remotely wipe data stored on a smart phone or tablet - or at least block access to the data - using a simple over-the-air command.

This could be critical, for example, if sensitive company data resides on any of the 60 to 70 million mobile devices that go missing each year in the United States. Or if it was stored on any of the 67,000 smart phones - collectively carrying 214.4 terabytes of corporate data - that security company Venafi estimates were lost or stolen in London during the recent Olympic Games.

Some see over-the-air capabilities as a cure-all checklist item that eliminates any security problems that arise when devices disappear. But this remote function, useful as it is, is alone far from foolproof.

Practically Speaking

First off, what if it takes awhile to discover that the device is missing and report the loss to IT, particularly if the number you need to call to make the report is in the missing device's directory? The time window gives thieves a chance to view the data.

But the big gotcha is that in order to receive a remote wipe or block command from your IT department, the device needs to be connected to a network.

"What if a thief turns off the phone and removes the battery so the device can't be traced?" challenges David Schofield, a partner at telecom consultancy Network Sourcing Advisors in Atlanta. The person can move to a non-coverage area, "such as a cement basement, where signals can't penetrate, put the battery back in and download the data undetected," he points out. In such conditions, the "wipe" command can't be received.

"This is the 800-pound gorilla in the room that the MDM vendors don't want to talk about,"  Schofield says. "Unless you're using [virtual desktop infrastructure (VDI)], where devices don't store data locally, remote wipe is pretty much worthless."

Several MDM vendors, it turns out, were indeed willing to talk about this issue. They acknowledged that the network connectivity requirement made remote wipe/lock less than a panacea, while one also pointed to device-side capabilities it has built into its MDM client software to circumvent it.

Strengths and Shortcomings

If you're using Smith Micro MDM software, for example, not knowing where to report a lost or stolen device is a minor issue thanks to user self-service capabilities, according to Carla Fitzgerald, vice president of marketing.
"Our MDM solution has a Web portal that knows your [device's] whole configuration profile," she explains. So users missing their mobile phones can access the portal from any other connected device and, "wipe the device or log a ticket for wiping it and order a new device."

To cover situations when devices are inaccessible to the network, they can be programmed so that the next time they are turned on, they "ping the server, and the server says, 'You're on my hot list to be wiped,'" Fitzgerald explains.

There's still that delay time, however, when shenanigans cannot be controlled. And Fitzgerald acknowledges, "Without coverage, there are no remote features you can apply at all."

Carl Rodrigues, president of MDM company SOTI Inc., however, says his company's system has device-side policies "that do not need to contact the [MDM] server to take automatic action."  In other words, you can pre-program actions for the device to take on its own during certain circumstances.

MITapeSelfDestruct.jpgFor example, the SOTI system supports out-of-contact policies; you can configure the device to wipe its data if it has been out of network contact for a period of time you specify. Think of the capability as somewhat analogous to Mr. Phelps' Mission: Impossible instruction tapes, which are pre-programmed to self-destruct in 5 seconds.

SOTI also supports geofence policies whereby the device wipes its data if it  moves outside of defined physical boundaries, such as a highly secure naval base station or other government entity. The system can also program devices to automatically wipe data if a password has been entered incorrectly a certain number of times that's configurable by the enterprise.

When informed about these capabilities, Schofield commented: "That's a step that I like."

What About On-Device Encryption?

Many MDM systems and even some individual devices, such as Samsung Galaxy Android-based smart phones, support strong (FIPS 140-2-certified) on-device encryption. "So even if [thieves] physically crack open the device, take out the chips that hold the data and put the chips into special memory readers, all the data will be scrambled," Rodrigues says.

Both Smith Micro's Fitzgerald and Ojas Rege, vice president of strategy at MDM company MobileIron, though, advise that enterprises balance usability with security. How you do so depends on your company's security profile. Fitzgerald and Rege agree that too much protection impedes the user experience so much that it is really only worth it in the most sensitive situations, such as in the defense industry. Defense organizations can justify layering on encryption and multiple authentication methods, Rege says.

"Comparatively, there's so little data [on user devices] compared to the crown jewels on the server, that most of the [data loss] risk is on the server side," he adds.

This TechNote is brought to you in part due to the generous support of:


Another solution attribute could be to not allow access to phone-internal data if its not connected to a network or if its out of network coverage area.

Beware that what a remote wipe accomplishes can depend on the OS/version and device make/model. Unless the vendor provides otherwise (e.g., Samsung SAFE), an Android wipe just resets the device to factory defaults, leaving the files stored on the SD card (if any) intact. Wiping a newer iPhone or iPad over-writes the crypto keys required to decrypt flash memory. Contemporary BlackBerry phones support a memory scrub option which deters forensic analysis of bits left behind after a wipe. And so forth.

Regarding auto-wipe, just about every mobile OS supports wipe-on-login-failure. Some devices support auto-wipe when a SIM card is removed. Awhile back, Sybase patented a "data fading" option to auto-wipe data ofter a combination of events like login failures OR long time since server contact OR SIM removed. Like the SOTI geofencing that you cited, these automated mechanisms are a good complement to on-demand remote wipe, in the event that a request can't be performed for any reason (no connectivity, agent removed, device reset).

However, remote wipe isn't a substitute for stored data encryption or not storing data on the device in the first place. IMO, remote wipe provides damage control, not data breach prevention.

Search Webtorials

Get E-News and Notices via Email




I accept Webtorials' Terms and Conditions.

Trending Discussions

See more discussions...

Featured Sponsor Microsites



Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.