BYOD security best practices for enterprises should include setting a PIN and/or password and remote data wiping. That's a given. However, the efficacy and reliability of remote-wipe capabilities vary from one mobile device to another. In this tip, let's look at what invoking a remote wipe really does on today's smartphones and tablets, and steps that IT organizations can take to increase their confidence in what is often a critical stop-loss measure.
A lost mobile device exposes both employee and employer to the risks of identity theft and breach of data. Locking a mobile device with a PIN or password can deter casual data loss, but it's not enough to prevent criminals or law enforcement from using forensic tools to dump any data stored in flash memory. For example, someone in physical possession of a lost iPhone can run F/OSS Lantern Lite (a common open source UI tool for iOS device imaging), connect to the iPhone, enter DFU mode and dump the phone's file system. From there, tools can be used to recover deleted files and crack short passcodes. Similar forensic tools exist for Android and even BlackBerry.
Remote data wipe helps manage the risk of data loss. You might think remote wipe is an easy way to remove all user files from flash memory. However, many devices support more than one kind of wipe. "Enterprise wipe" removes business applications and files installed by a mobile device manager (MDM) product, while "device wipe" removes all files without differentiating between business and personal. Yet even "device wipe" may not really obliterate all files.
To wipe iOS devices, including the iPhone, a command can be invoked locally or remotely to erase all content and settings. This actually overwrites the block storage encryption key saved in the device's effaceable storage, rendering all data stored in the encrypted file system user partition cryptographically unreadable. However, an iOS device must be reachable for mobile device management software or iCloud to invoke this action remotely. Wipe can also be auto-invoked after N passcode failures, but someone in physical possession of an iOS device that's been disconnected from the Internet can easily avoid remote wipe until flash memory has been dumped.
On Android devices, a factory data reset command can be invoked to reset all settings back to factory default, and remove all apps and associated data, along with any email and text messages and contacts stored in flash. However, flash storage is not overwritten: Any data that was not encrypted can still be forensically recovered. Furthermore, data stored on an SD card may not be removed, depending on the device make and model. If flash storage was encrypted, wipe efficacy also depends on the manufacturer's key management. Like iOS, Android also supports a "maximum failed password attempts" setting after which factory reset is invoked, but disconnected Android devices can be dumped before wipe.
On BlackBerry smartphones, users can invoke the Security Wipe function to selectively delete application data (e.g., email, contacts), user-installed applications and/or SD card contents. Administrators can remotely invoke an "erase data and disable handheld" command that removes all user data, references to encryption keys and device transport keys, and authentication information from the device's non-volatile (NV) store protected memory, flash memory and on-device memory. When a BlackBerry is reset to factory default, references to device password hashes are also removed, along with third-party applications and associated data. On devices configured to protect (encrypt) content, a NIST-compliant memory scrub can be performed to resist forensic analysis. BlackBerry supports not only a maximum password attempts policy, but also "secure wipe delay after IT policy received," "secure wipe delay after lock" and "secure wipe if low battery." The latter settings help a long-lost and disconnected BlackBerry auto-wipe itself.
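The per-platform caveats above can be checked against a device inventory before a loss occurs. The following is an added example, not code from the article or any MDM product: the field names, the sample records and the seven-day check-in threshold are all assumptions made for illustration.

```python
# Added example: field names and records are constructed, not a vendor schema.
from datetime import datetime, timedelta

def wipe_gaps(device, now, max_silence=timedelta(days=7)):
    """Return the reasons a remote wipe may not protect this device's data."""
    gaps = []
    # Any platform: a device that is not reachable never receives the command.
    if now - device["last_checkin"] > max_silence:  # threshold is an assumption
        gaps.append("not reachable: remote wipe cannot be delivered")
    # Any platform: auto-wipe after N failed attempts is the offline fallback.
    if not device.get("max_failed_attempts"):
        gaps.append("no auto-wipe after failed passcode attempts")
    if device["platform"] == "android":
        # Factory reset does not overwrite flash, so encryption must do the work.
        if not device.get("storage_encrypted"):
            gaps.append("flash not encrypted: reset leaves recoverable data")
        if device.get("sd_card"):
            gaps.append("SD card may survive factory reset")
    elif device["platform"] == "blackberry":
        # The memory scrub applies to devices configured to protect content.
        if not device.get("content_protection"):
            gaps.append("content protection off: no memory scrub")
        if not device.get("wipe_delay_after_lock_hours"):
            gaps.append("no secure wipe delay after lock configured")
    return gaps

def audit(inventory, now):
    """Map each device id to its list of remote-wipe gaps."""
    return {d["id"]: wipe_gaps(d, now) for d in inventory}

NOW = datetime(2013, 1, 10)
INVENTORY = [  # constructed sample records
    {"id": "ios-01", "platform": "ios", "max_failed_attempts": 10,
     "last_checkin": NOW - timedelta(hours=3)},
    {"id": "and-01", "platform": "android", "max_failed_attempts": 0,
     "last_checkin": NOW - timedelta(days=30),
     "storage_encrypted": False, "sd_card": True},
    {"id": "bb-01", "platform": "blackberry", "max_failed_attempts": 10,
     "last_checkin": NOW - timedelta(days=1),
     "content_protection": True, "wipe_delay_after_lock_hours": 0},
]

if __name__ == "__main__":
    for dev_id, gaps in audit(INVENTORY, NOW).items():
        print(dev_id, "OK" if not gaps else "; ".join(gaps))
```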
Given this understanding of how remote data wipe works, it's easy to see that it should never be an organization's only defense against a potential data breach. Remote wipe is designed to complement other security measures, the strength of which significantly affects overall effectiveness. Supplement a well-tested, validated and documented remote wipe capability with the following tactics:
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in business use of emerging Internet technologies. Lisa has been involved in the design, implementation and evaluation of internetworking, security and management products for 30 years.
10 Jan 2013