The Fallacy of Remote Wiping

One of the few recently published data indicate that the average businessperson has 3.5 such mobile devices-a laptop, a tablet or netbook and one or two cellular phones. This number has doubled in 3 years and, in all likelihood, will continue to grow.

Perhaps this is one reason why so many security professionals are focused on controlling and, in particular, remote wiping physical endpoints. Even more surprising is the anecdotal evidence that security professionals are willing to allocate up to a third of their mobile device management (MDM) budgets to this one effort. On the surface, this seems to be a reasonable approach to the protection of remote data at rest. The algorithm is simple: If confidential data on a mobile device is threatened, then nuke it.

The truth, however, is that when used as a security control, remote wiping represents a conventional way of attempting to solve a problem that is no longer conventional.

This is particularly true when, as is often the case, the mobile device is owned by the employee. Even when implemented and managed correctly (the exception-not the rule), remote wipe does not lower risk in any significant way, it obfuscates the workable processes that do function to protect remote confidential data and creates the potential for very real privacy-related litigation (When Your Company Kills Your iPhone).

MDM is not the Issue

I can imagine that if an employee at one of the 60 or so MDM companies that have popped up recently were to read the paragraph above, they might disagree with me at best or offer to pay for a hanging rope at worst. I wouldn't blame them. However I would argue that they are missing my point. I'm all for management of mobile devices. If a device is granted access to corporate information resources, then it needs to have user/group access and password policies enforced, it needs to be tagged, tracked, logged, backed up-all of the normal and proper asset management procedures should apply to any device, regardless of its type or location.

With this in mind, enterprise IT and IT security must leverage the increasing consumerization of mobile devices in order to maximize corporate profitability, while simultaneously protecting corporate information assets.

There is real dissonance here. MDM vendors have (naturally) taken advantage of this conflict and have, in many cases, pushed their particular solutions past those solutions' intended design parameters-management into security, primarily by integrating some type of remote wipe capability.

The Case against Remote Wipe

OK. Let's assume for a minute that remote wipe is on your checklist when you go shopping for a mobile security solution. You are looking for peace of mind when a mobile device gets lost or stolen or when an employee leaves the organization. You want to be certain that confidential corporate data on the compromised device is deleted and that access to corporate applications, hardware, and data is disabled. Remote wipe gives you that assurance, right?

Nope. Note when you step back and think about it. In this rapidly changing, virtualized, mobile world, the crucial enterprise security challenge is protecting against loss of confidential corporate data. To this end, we have a plethora of policies, processes, and tools that work most of the time. If, in your security procedures, a situation arises where an administrator's only option is to remote wipe, then it's already too late. You can wipe the barn door (and the barn if you like) but the horse is long gone. In our field, you have just one chance to protect data.

When it's Gone, it's Gone

MDM vendors will argue that this simply isn't true that the data sitting on the device can still be protected by destroying it. In a perfect world when the stars line up, they might be right. But it's not and they rarely do.

Let's start with physics. The current generation of mobile devices uses primarily NAND flash for storage not a hard drive. Although, from a user perspective flash appears to work like a hard drive, functionally they are quite different.

There are a number of other subtle issues which ensure that an entire flash memory module has been forensically erased. The point here is that deleting all of the files on a flash based device is more complicated than simply formatting the drive, since the remote wipe vendor has to integrate with a host of embedded controllers in an increasingly heterogeneous environment. Simply put, in the real world, remote wipe doesn't work very well.

Users often jailbreak, root, or otherwise modify their device's operating system. From a security standpoint, this is a double-edged sword. On the one hand, users who modify their devices in this way are often tech-savvy and thus are presumably more likely to be aware of potential security related issues. On the other hand, jailbreakers/kernel hackers contribute additional complexity to MDM in an already heterogenous environment. And, importantly, how do we remote wipe these devices? Well, first we have to detect that a device has been modified. For most of the remote operating systems, this is either difficult or impossible since the API calls that can be queried about jailbreak status are often the first calls changed as part of the jailbreak.

Remote wipe advocates may argue, "But 95% of our mobile devices are iOS based and Apple provides hooks for our MDM solutions."

This was true until December of 2010 when Apple for whatever reason removed the jailbreak detection API. Since that time, MDM vendors have been forced to invent methods that allow them to semi-reliably detect jailbroken iOS devices. All of these methods ultimately rely upon location services for iOS validation, and none of them are foolproof. Thus, your remote wipe capability for iOS users depends upon first tracking the location of all of your users every time they switch to a new cell tower and then upon the inconsistent ability of your MDM solution to access iOS primitives (forbidden by Apple, BTW). Even if we assume that all of this works as planned, your organization will still have to deal with many users who believe (understandably) that they have the civil right not to be tracked 24x7 by their employers.

The bottom line is that remote wipe of modified mobile devices cannot be relied upon with a high degree of confidence.

In general, remote wipe when it does work is a bludgeon. It has little or no contextual awareness and often indiscriminately destroys both corporate and personal data. In the context or remote wipe, these are all reasonable allegations and will provide additional headaches for those who opt for this approach.

The point here is that if remote wipe is a component of n number of specific security controls, it is not difficult to imagine at least n+1 means of circumventing those controls. In conclusion, the capability to remote wipe devices is often a checklist item when hunting for an MDM or mobile security solution. But, as outlined above, endpoints can't be trusted. They can only be authenticated. Well... they can also be lost or stolen. Most information security professionals recognize this, and they understand that fundamentally the integrity of an endpoint is always a suspect. To that end, rational design of any data protection strategy depends upon integrating and managing a number of possibly related security controls (defense-in-depth) regardless of the state of the endpoint.

We already possess proven tools, protocols, and techniques that can be used to economically manage these risks. Some of them may not be as cool as remote wipe, but unlike remote wipe, they are technically sensible, economically rational, and they work.