Why wipe a locked, encrypted mobile device?
A lost mobile device exposes both employee and employer to the risks of identity theft and breach of data. Locking a mobile device with a PIN or password can deter casual data loss, but it's not enough to prevent criminals or law enforcement from using forensic tools to dump any data stored in flash memory. For example, someone in physical possession of a lost iPhone can run F/OSS Lantern Lite (a common open source UI tool for iOS device imaging), connect to the iPhone, enter DFU mode and dump the phone's file system. From there, tools can be used to recover deleted files and crack short passcodes. Similar forensic tools exist for Android and even BlackBerry.
Remote data wipe helps manage the risk of data loss. You might think remote wipe is an easy way to remove all user files from flash memory. However, many devices support more than one kind of wipe. "Enterprise wipe" removes business applications and files installed by a mobile device manager (MDM) product, while "device wipe" removes all files without differentiating between business and personal. However, even "device wipe" may not really obliterate all files.
From factory reset to forensic destruction
To wipe iOS devices, including the iPhone, a command can be invoked locally or remotely to erase all content and settings. This actually overwrites the block storage encryption key saved in the device's effaceable storage, rendering all data stored in the encrypted file system user partition cryptographically unreadable. However, an iOS device must be reachable for mobile device management software or iCloud to invoke this action remotely. Wipe can also be auto-invoked after N passcode failures, but someone in physical possession of an iOS device that's been disconnected from the Internet can easily avoid remote wipe until flash memory has been dumped.
On Android devices, a factory data reset command can be invoked to reset all settings back to factory default and remove all apps and associated data, along with any email, text messages and contacts stored in flash. However, flash storage is not overwritten: any data that was not encrypted can still be forensically recovered. Furthermore, data stored on an SD card may not be removed, depending on the device make and model. If flash storage was encrypted, wipe efficacy also depends on the manufacturer's key management. Like iOS, Android also supports a "maximum failed password attempts" setting after which factory reset is invoked, but disconnected Android devices can be dumped before wipe.
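The difference between the two wipes described above (iOS replacing the key in effaceable storage versus an Android reset that drops the file system index but leaves flash cells untouched) can be simulated end to end. This is an added example, not code from the article or from either platform; it uses HMAC-SHA256 in counter mode as a stand-in for the devices' real disk encryption, a byte array as a stand-in for flash, and a constructed sample file.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # keystream bytes per counter value (SHA-256 digest size)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with HMAC-SHA256 as the PRF; a stand-in for AES-XTS."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


class FlashDevice:
    """Toy handset: a 32-byte key in effaceable storage, a 256-byte user partition."""

    def __init__(self, encrypted: bool):
        self.encrypted = encrypted
        self.effaceable = secrets.token_bytes(32)  # block storage encryption key
        self.flash = bytearray(256)                # user partition (zero = erased)
        self.fs_index = {}                         # filename -> (offset, length)

    def write_file(self, name: str, plaintext: bytes) -> None:
        off = sum(length for _, length in self.fs_index.values())
        stored = keystream_xor(self.effaceable, plaintext) if self.encrypted else plaintext
        self.flash[off:off + len(stored)] = stored
        self.fs_index[name] = (off, len(stored))

    def factory_reset(self) -> None:
        # Android-style reset: metadata is dropped, flash cells are not rewritten
        self.fs_index.clear()

    def crypto_erase(self) -> None:
        # iOS-style "erase all content and settings": the key in effaceable storage is replaced
        self.effaceable = secrets.token_bytes(32)
        self.fs_index.clear()


def recoverable_after(encrypted: bool, erase_key: bool) -> bool:
    """Store a secret, wipe one way or the other, then look for it in a raw flash dump."""
    secret = b"CONSTRUCTED SAMPLE: Q3 acquisition target list"  # not real data
    dev = FlashDevice(encrypted)
    dev.write_file("notes.txt", secret)
    dev.crypto_erase() if erase_key else dev.factory_reset()
    dump = bytes(dev.flash)  # what an imaging tool hands the examiner, index or not
    # Carve the raw dump, then decrypt it with whatever key the device still holds
    return secret in dump or secret in keystream_xor(dev.effaceable, dump)
```

`recoverable_after(False, False)` and `recoverable_after(True, False)` both return True, showing that a reset which keeps the key (or never encrypted) leaves the file recoverable; only `recoverable_after(True, True)` returns False.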
On BlackBerry smartphones, users can invoke the Security Wipe function to selectively delete application data (e.g., email, contacts), user-installed applications and/or SD card contents. Administrators can remotely invoke an "erase data and disable handheld" command that removes all user data, references to encryption keys and device transport keys, and authentication information from its non-volatile (NV) store protected memory, flash memory and on-device memory. When a BlackBerry is reset to factory default, references to device password hashes are also removed, along with third-party applications and associated data. On devices configured to protect (encrypt) content, a NIST-compliant memory scrub can be performed to resist forensic analysis. BlackBerry supports not only a maximum password attempts policy, but also "secure wipe delay after IT policy received," "secure wipe delay after lock" and "secure wipe if low battery." The latter help a long-lost and disconnected BlackBerry auto-wipe itself.
Going beyond remote wipe
Given this understanding of how remote data wipe works, it's easy to see that it should never be an organization's only defense against a potential data breach. Remote wipe is designed to complement other security measures, the strength of which significantly affects overall effectiveness. Supplement a well-tested, validated and documented remote wipe capability with the following tactics:
- Start with a strong password. Not locking devices leaves data vulnerable to immediate access by strangers, but short PINs are not much better because PIN or password cracking can facilitate forensic analysis of encrypted data dumps taken from lost devices.
- Combine passwords with full-device encryption. While device encryption may not be entirely infallible, skipping encryption leaves a lost device wide open to file system dumping by anyone in possession of the phone.
- Beware of data left behind after device wipe. If a worker's Android offers SD card encryption or wipe options, administratively enable them. Similarly, if workers back up their own iPhones onto laptops, configure device settings to encrypt those backup files. If workers back up data onto a consumer cloud server (iCloud, Google, etc.), realize that data won't be touched by remote wipe and will remain accessible indefinitely to anyone with the user’s cloud account.
- Enable remote wipe and find. An organization's administrators may use corporate MDM software to issue confirmed "enterprise wipe" commands, but employees may still be concerned about personal location privacy and loss of personal data. In such cases, suggest that workers register their devices with a consumer cloud service such as iCloud Find My iPhone or Samsung Dive. Doing so may give them a chance to quickly locate a lost smartphone or tablet, and perhaps invoke their own device wipe when warranted. Users must enroll their devices and enable remote wipe beforehand; otherwise this last resort will not be an option.
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in business use of emerging Internet technologies. Lisa has been involved in the design, implementation and evaluation of internetworking, security and management products for 30 years.
This was first published in January 2013