Remotely wiping mobile phones
A mobile phone "feature" that is touted as a way to remove data from stolen phones is also being used in far less reasonable ways. It is, or could be seen as, an anti-feature added for the benefit of companies, but without taking users' needs into consideration. The "remote wipe" available for (at least) Android, iOS, and Palm's webOS allows Exchange administrators to remotely reset logged-in mobile phones—removing all personal data and resetting them to factory defaults.
The amount of sensitive information that is stored on mobile phones today—especially smartphones—is quite substantial. It is no surprise that both companies and individuals are worried about those phones falling into the wrong hands. Under those circumstances, one can well imagine that being able to remotely wipe that data as quickly as possible would be seen as a nice feature.
But there are a number of concerns with the current approach. As Nathan Hamblen reports on his blog, remote wipe is currently being misused by Exchange administrators to punish users who access their corporate email from unapproved devices. In many, perhaps most, cases, those unapproved devices are the personal property of a user who is just trying to get their work done. One can understand administrators wanting to impose draconian access rules, and even to enforce them, but punishing users by deleting their photos, applications, and other personal data seems just a tad beyond the pale.
Evidently the remote wipe feature was originally added for Blackberry devices to protect against loss or theft. Exchange administrators have been clamoring for the same functionality for other mobile phones as those devices added Exchange compatibility. Over time, the phone makers have complied, with Android adding (and touting) remote wipe in its 2.2 ("Froyo") release. But it's not clear that users are being warned about the power they are placing in the hands of their corporate IT staff when they connect to the Exchange server.
From the comments on Hamblen's blog, it would seem that iPhones do not warn users about the remote wipe, but that Android 2.2 does. It certainly is not particularly intuitive that logging in to check your work email suddenly puts your phone at risk. If administrators do not want to provide Exchange access to mobile devices, a smaller, more focused hammer—like access restrictions of some kind—is likely to work out better in the long run.
For Android phones, Exchange access—and remote wipe—are implemented in the standard email application. There is evidently no mechanism to override the server security policies via the email application settings, but there is a way to disable the remote wipe functionality for those with root access or the ability to install non-Market applications. Essentially, a securitypolicy.java file in the application bundle (i.e. the .apk file) needs to be changed to turn off security policy enforcement.
It seems to be something of a historical artifact that remote wipe is tied to Exchange. Some users and administrators would undoubtedly like to have this capability without it necessarily being dependent on an active connection to an Exchange server. So, some kind of remote wipe protocol getting added into phone operating systems may be on the horizon. That will, of course, open up another set of potential issues.
There are obviously situations where a connection to the Exchange server might be interrupted when a phone gets lost or stolen. One would guess that those interested in obtaining phones for corporate espionage—as opposed to the more run-of-the-mill criminal looking for a quick buck at the pawn shop—would know enough to disable Exchange immediately. For those truly concerned about mobile data security, the current remote wipe is something of a half-measure.
Beyond the question of administrators wiping phones as punishment for trying to keep on top of email, there are other concerns as well. How well protected is the remote wipe command from attackers? One hopes that Microsoft (and the phone implementers) have provided strong authentication and/or encryption for that command channel. But, as we have seen before, vulnerabilities may well be found that allow random attackers to wipe phones. It's bad enough to give that kind of power over your personal phone to administrators, but putting it into the hands of script kiddies is well over the top.
There is clearly a balance to be struck. Companies are rightly concerned about their proprietary information and its dispersal to devices that might end up in the clutches of competitors. On the other hand, those same companies are interested in having productive employees but it is difficult and expensive to hand out smartphones to all employees so they can check their email. Not to mention the fact that many of those people will already have a phone they like and may not be willing to carry around a second one to check their email.
The problem goes further than that, though. Laptops and other non-phone devices (e.g. tablets, netbooks, possibly even home desktops) probably hold a lot more sensitive corporate data. Some of those devices can have their disks encrypted and/or require more rigorous authentication for access, but the problem still remains. There will always be windows of vulnerability and sophisticated attackers will find ways to exploit them. The problem here is with data that leaves the confines of the company, regardless of where it is stored.
It has been suggested that "cloud" backups of personal data from phones might partially solve the problem as users can just restore their data after being punished for accessing their email. That seems fraught with peril as well, however, not least because the sensitive corporate email probably gets backed up right along with the photos of the user's children and the funny sign they saw on the way to work. In the end, companies that apply punitive sanctions to their employees' personal property for transgressions of the security policy may just find that folks will come up with better ways to spend their time. Perhaps taking pictures or playing games with their phones instead of keeping up with their work email.
Index entries for this article: Security, Mobile phones
Remotely wiping mobile phones
Posted Sep 15, 2010 15:53 UTC (Wed) by ewan (subscriber, #5533) [Link]
Remotely wiping mobile phones
Posted Sep 15, 2010 15:57 UTC (Wed) by zlynx (guest, #2285) [Link]
So by connecting to the service the employee is knowingly placing their device under the control of the remote system...
It would totally depend on what is written down and such, but I doubt the companies are at much risk.
Remotely wiping mobile phones
Posted Sep 15, 2010 19:10 UTC (Wed) by marcH (subscriber, #57642) [Link]
But for sure who would sue his boss? (until one is fired of course)
Remotely wiping mobile phones
Posted Sep 15, 2010 19:21 UTC (Wed) by zlynx (guest, #2285) [Link]
At my hypothetical business I could make it my policy to have all wall outlets in the building supply 280 V at 75 Hz. Plug your phone into *that* and Zort! black smoke and nothing else.
Abusive? No. Weird, yes. But why should I put up with my hypothetical employees charging their personal devices from my power supply, when it is clearly against policy?
Remotely wiping mobile phones
Posted Sep 15, 2010 19:45 UTC (Wed) by njs (guest, #40338) [Link]
I'm glad if you've always had the resources to let you walk away from abusive employers. But that's a fairly rare privilege. Plenty of people make the rational decision that agreeing to an abusive situation is better than starving. But usually it's possible for the company to make money, the employees not to starve, *and* for them not to be abused.
Remotely wiping mobile phones
Posted Sep 15, 2010 20:45 UTC (Wed) by zlynx (guest, #2285) [Link]
Some people think it's abusive to make work calls to an employee's personal phone.
Now, some people seem to be claiming it's abusive to require employees to *not* use their personal phone...
None of this is on the level of requiring women employees to wear revealing uniforms or to work an extra four hours every day unpaid ... neither of which is illegal by the way.
So see, *some* people have crazy ideas about what is "abusive."
Remotely wiping mobile phones
Posted Sep 15, 2010 21:07 UTC (Wed) by dskoll (subscriber, #1630) [Link]
None of this is on the level of requiring women employees to wear revealing uniforms or to work an extra four hours every day unpaid ... neither of which is illegal by the way.
It depends on where you live. I'm pretty sure the latter (four hours unpaid/day) contravenes the law in Ontario where I run my business.
It's also the case that a contract that violates the law is unenforceable. So while businesses can write contracts that greatly favor themselves, they cannot go over the line and make illegal things OK.
Remotely wiping mobile phones - by employee agreement
Posted Sep 17, 2010 16:46 UTC (Fri) by giraffedata (guest, #1954) [Link]
In the US, since 1938, workers in low-level jobs are not allowed to work extra hours for free. (Low-level basically means non-intellectual). I don't know about wearing revealing uniforms, but there are many very similar things an employee isn't allowed to give.
The great majority of legal rights are waivable -- they're property the holder is allowed to sell. But many are not, and the main reason is to eliminate competition with other people who don't want to sell those rights at the going price. In the case of working extra hours for free, the effect (by design) is to transfer wealth from people with more natural employable talent to people with less, as a group.
There are moral arguments for and against that transfer, and that way of doing it, and the same would apply to the issue of an employer conditioning a job offer on the employee handing over delete power on his phone. (As for the legal arguments, I really have no idea).
Remotely wiping mobile phones - by employee agreement
Posted Sep 21, 2010 20:49 UTC (Tue) by dvdeug (subscriber, #10998) [Link]
But many are not, and the main reason is to eliminate competition with other people who don't want to sell those rights at the going price.
The main reason is to prevent those whose main employable talent is being filthy rich from working people who weren't born with a silver spoon in their mouth to death, just because these working people need to feed their families.
Remotely wiping mobile phones - by employee agreement
Posted Sep 21, 2010 22:33 UTC (Tue) by giraffedata (guest, #1954) [Link]
But many are not, and the main reason is to eliminate competition with other people who don't want to sell those rights at the going price.
The main reason is to prevent those whose main employable talent is being filthy rich from working people who weren't born with a silver spoon in their mouth to death, just because these working people need to feed their families.
Of course, but you missed the point, which is about the mechanism for stopping filthy rich people from doing that. The reason the filthy rich person, with all rights being waivable, would be able to entice someone to work to death is that the worker is competing for the job with other workers who are willing to work to death. By removing everyone else's ability to waive his right to work to death, we eliminate that competition and force the filthy rich person to offer a better job to everyone.
The ultimate effect is a redistribution of wealth from the filthy rich employer to the workers. But this is just one mechanism for doing that.
Remotely wiping mobile phones
Posted Sep 15, 2010 22:40 UTC (Wed) by njs (guest, #40338) [Link]
BTW, as another commenter noted, requiring unpaid labor is often illegal, and in many contexts requiring female employees to wear revealing uniforms is too. (In the US, Hooters and strip clubs etc. can get away with it because it's part of the service provided, but try, say, imposing those same requirements on non-customer-facing employees and see what the courts say...)
Remotely wiping mobile phones
Posted Sep 16, 2010 7:40 UTC (Thu) by Np237 (guest, #69585) [Link]
Wiping their personal phone, regardless of what it was used for, *is* abusive. And illegal in many countries.
Remotely wiping mobile phones
Posted Sep 15, 2010 22:07 UTC (Wed) by marcH (subscriber, #57642) [Link]
I actually meant an *illegal* policy, sorry for the confusion. Signing it does not make it legal.
Remotely wiping mobile phones
Posted Sep 15, 2010 23:13 UTC (Wed) by SiB (subscriber, #4048) [Link]
Remotely wiping mobile phones
Posted Sep 16, 2010 9:04 UTC (Thu) by debacle (subscriber, #7114) [Link]
In general, employers and employees do not have the same level of power or strength. Because of this imbalance, at least in Europe, there is no unlimited "freedom of contract". Even if an employee signs a policy, not everything would be valid. About this specific case, the wiping of a private telephone, I assume it would be illegal in Germany, even if the employee has signed the policy. But before there is a real case and a court takes a decision, we cannot know.
Potentially risky
Posted Sep 15, 2010 21:00 UTC (Wed) by copsewood (subscriber, #199) [Link]
Remotely wiping mobile phones
Posted Sep 15, 2010 22:05 UTC (Wed) by shmget (guest, #58347) [Link]
Private contract does not trump the Law of the Land(*).
The previous poster said, 'In the UK' that would probably be illegal.
I can add to that that in France it IS illegal, and from articles I read about Sweden, Norway, Germany, to name a few, I believe that it would be illegal there too.
In the US, the legality of each would hinge - I think - on who the owner of the device is.
It is not that obvious that a remote wipe on the personal device, especially of personal data, would be upheld as legal by the court.
UK Computer Misuse Act
Posted Sep 15, 2010 20:55 UTC (Wed) by copsewood (subscriber, #199) [Link]
As a UK company email administrator, if you were to implement such a policy without having it in writing from the pointy haired boss making this policy, it could be you that ends up in jail. Kind of situation where the administrator or PHB needs to be forewarned.
UK Computer Misuse Act
Posted Sep 16, 2010 8:03 UTC (Thu) by philipstorry (subscriber, #45926) [Link]
Nobody wins in this scenario. Yes, you can have the administrator (or company) prosecuted for breaking the law. But they will end up showing the police that you also broke the law.
I suspect that the CPS is going to be very upset if many such sets of cases come along, as they'd probably rather be spending their already limited resources dealing with something like violent crime...
Remotely wiping mobile phones
Posted Sep 15, 2010 15:55 UTC (Wed) by knobunc (guest, #4678) [Link]
I have a rooted 2.2, so presumably it is possible to patch out support for this...
Disabling the feature
Posted Sep 15, 2010 15:57 UTC (Wed) by corbet (editor, #1) [Link]
There's a link in the article to some (moderately cryptic) instructions on how to disable remote wipe in a rooted phone.
Remotely wiping mobile phones
Posted Sep 15, 2010 15:58 UTC (Wed) by kjp (guest, #39639) [Link]
"the ability to trigger a complete wipe of all user data from the central server" I assumed the data was being removed from the server.
No concept of their own liability
Posted Sep 15, 2010 16:33 UTC (Wed) by BrucePerens (guest, #2510) [Link]
This feature would be high on the list of "things not to put in your product unless you like getting your customers prosecuted for criminal activity and yourself sued".
Remotely wiping mobile phones
Posted Sep 15, 2010 17:12 UTC (Wed) by mitchskin (guest, #32405) [Link]
Some users in the big talk.maemo.org thread about this asked for the ability to tell the server that the phone is provisionable even though it isn't. But apparently, doing that violates the license under which Nokia got the Exchange syncing code from Microsoft.
If the people implementing the client software used a non-Microsoft ActiveSync implementation, then presumably they could give users some more control. I thought such implementations existed, but if they do then I don't see why people aren't using them.
Aside: what a horrid bit of functionality to hide under the anodyne word "provisionable". Doubleplus ungood use of language there.
Remotely wiping mobile phones
Posted Sep 15, 2010 18:00 UTC (Wed) by smurf (subscriber, #17840) [Link]
Doesn't change the fact that this is not at all a good idea. Among other reasons: why the hell should an email/contacts/calendar/whatever-else-Exchange-does client have root access?
Remotely wiping mobile phones
Posted Sep 15, 2010 18:23 UTC (Wed) by foom (subscriber, #14868) [Link]
Having the ability to wipe all the user's data doesn't require root access...
Remotely wiping mobile phones
Posted Sep 15, 2010 19:19 UTC (Wed) by cesarb (subscriber, #6266) [Link]
As an aside, remote wipe is a horrible way of protecting data on a phone. Encrypting it (which should not be very power-intensive with hardware assistance plus the kernel's normal caching) and requiring a key (perhaps even having to contact a server to obtain part of it, to allow for it to be revoked) would be much safer, since it would not need a constant network connection to protect the data.
Remotely wiping mobile phones
Posted Sep 15, 2010 19:36 UTC (Wed) by drag (guest, #31333) [Link]
That's why I don't bother with it on my laptop, except I store some of the more sensitive information encrypted via encfs and cryptkeeper. You see: I leave my laptop on all the time. Even when traveling it's suspended. Out of any modern device it's fairly trivial to pull encryption keys out of memory. There are ways it can be mitigated, but that is not the reality we live in right now in terms of hardware security.
But there is not much on a phone that I would tolerate using if I had to type in a password every time I needed to access it. Usability easily trumps security in this regards.
Remote wipe is really a pretty good way to keep your stuff safe. Cell phones are stolen very often, smart phones are even more attractive targets. People frequently leave their phones laying around and forget them in public places. People leave them on all the time.
If I was a business type guy buying phones for my employees then it would be an invaluable feature.
For my personal use it would be an invaluable feature.
The problem is not that there is a remote wipe. The problem has to do with who is the one in control of it.
That is true with most stronger security schemes. The problem is not that they exist or that they are effective or that they can get used... the problem is the people who have the ability to use them. That is: somebody other than the property owner.
Remotely wiping mobile phones by cancelling decryption keys
Posted Sep 15, 2010 21:19 UTC (Wed) by neilbrown (subscriber, #359) [Link]
Alternate perspective is that encryption and never-turned-off make a good combination as then if your phone is stolen/lost all you need to do is remote-shut-down. If you still have the phone, this is just an inconvenience. If someone else has it, they lose any access to your data.
All the value of remote-wipe and almost none of the cost.
Remotely wiping mobile phones by cancelling decryption keys
Posted Sep 15, 2010 22:43 UTC (Wed) by drag (guest, #31333) [Link]
Remotely wiping mobile phones
Posted Sep 15, 2010 23:52 UTC (Wed) by literfizzer (guest, #31274) [Link]
It gives you 10 attempts; I finally figured out that it wanted the Exchange password on the last or second-to-last attempt. I'm not sure what would have happened if I hadn't gotten it right, but I'm guessing my phone would have been wiped.
The password prompt comes up every few hours now. It's a real impediment to usability, especially when the phone is first powered on. The phone is more or less nonresponsive for the first few minutes after the password prompt comes up.
It's a lot to put up with just to get my Exchange calendar into my phone, which contains no sensitive information.
Remotely wiping mobile phones
Posted Sep 16, 2010 12:17 UTC (Thu) by sjlyall (guest, #4151) [Link]
Have a look at this page for some information;
http://www.apple.com/support/iphone/enterprise/
The "Security Overview" at the bottom of the page has a quick summary of some things you can do via policy on the exchange server.
http://images.apple.com/iphone/business/docs/iPhone_Secur...
Remotely wiping mobile phones
Posted Sep 19, 2010 10:34 UTC (Sun) by Tet (subscriber, #5433) [Link]
I leave my laptop on all the time. Even when traveling it's suspended. Out of any modern device it's fairly trivial to pull encryption keys out of memory.
Trivial, you say? I'd be intrigued to know how you plan to do this. Any halfway sane Linux distribution requires the decryption password to be entered when resuming from a suspended state.
Remotely wiping mobile phones
Posted Sep 20, 2010 16:13 UTC (Mon) by pkern (subscriber, #32883) [Link]
In theory it could instruct the kernel to wipe the encryption keys from memory at suspend time. However, the whole LUKS cryptsetup infrastructure runs in userspace to verify the correctness of the keys, which would require some parts of userspace in RAM to be working for key input. Chicken, egg.
But then this only applies to full disk encryption / root partition encryption, userspace filesystems like ecryptfs could get triggered to forget the keys and re-prompt the user, I suppose.
Remotely wiping mobile phones
Posted Sep 28, 2010 13:37 UTC (Tue) by robbe (guest, #16131) [Link]
* instruct the kernel to forget device keys before suspending
* run a daemon that is able to ask the user for her passphrase, and reinstate device keys on resume
* run without swap, or mlockall() all participating daemons/applications
Remotely wiping mobile phones
Posted Sep 28, 2010 13:30 UTC (Tue) by robbe (guest, #16131) [Link]
for details.
Remotely wiping mobile phones
Posted Sep 17, 2010 16:30 UTC (Fri) by PO8 (guest, #41661) [Link]
I've been willing to put up with all the problems I've had with the Android because it's a convenient device in some ways and was given to me. I've always been uncomfortable that Google controls most of my data, though; this latest is just too scary to live with.
Remotely wiping mobile phones
Posted Sep 16, 2010 0:58 UTC (Thu) by ikm (guest, #493) [Link]
Remotely wiping mobile phones
Posted Sep 16, 2010 7:47 UTC (Thu) by seyman (subscriber, #1172) [Link]
See http://en.wikipedia.org/wiki/Microsoft_Exchange_Server for the gory details.
Remotely wiping mobile phones
Posted Sep 16, 2010 3:40 UTC (Thu) by Kissaki (guest, #61848) [Link]
Regarding the security issues, this is a problem that is impossible to solve with current systems (at least the ones I know about). You have two security domains that you need to keep completely separate except that you have full access to both and you probably want to integrate the data (e.g. you don't want to have two completely separate calendars that you can't look at at the same time).
Add to that the fact that access to one of those domains (e.g. corporate data) needs to be revocable, and the revoking party needs to be confident that you aren't going to disable the feature by logging into the device as an administrative user and toggling a flag, and then lose the device in a Starbucks.
Remotely wiping mobile phones
Posted Sep 16, 2010 7:00 UTC (Thu) by zmi (guest, #4829) [Link]
Second, if it's a problem that a device gets deleted, a clearing talk between the user, IT and management will surely help to find a clear position whether it's to be done or not.
I really like remote wipe, and used it when I recently changed my phone to a new model. No more "what else do I have to delete", just wipe it and everything is gone. Very nice feature also in case it gets deleted.
Remote wipe maybe not so evil?
Posted Sep 16, 2010 10:30 UTC (Thu) by gaizkav (guest, #45655) [Link]
But I am interested in such a measure for my personal android phone.
If I lose my phone, or it gets stolen, I'd love to be able to do something so my phone gets completely wiped.
I don't want anybody accessing my emails, personal data, who knows how many things I have stored in the phone.
I have an android phone, and there are some applications to do that. Just have to find time to check them.
Remote wipe maybe not so evil?
Posted Sep 26, 2010 5:44 UTC (Sun) by Mandrake981 (guest, #70315) [Link]
If you go onto the Droid Market, and look for an application called WaveSecure - this will do what you want.
If you pay for their service (~$20.00 per year), it gives you the ability to back up all of your data (pictures, videos, contacts, music, etc. - as long as they're not huge files)... If your phone ever gets wiped, you can restore it all from their service. Pretty nice.
If your phone gets stolen, you can wipe it remotely from the web, as well as kick in the GPS and track it remotely. It even goes so far as to allow you to send a message to the would-be thief via the phone, and then it'll lock and it'll require your 6 digit security code to get back into it. You can actually hit it two ways - first, throw up the message to return the phone (with an address, etc.), that locks the phone. Then, to be safe, wipe the phone and wait. Also, last but not least, the option of putting up a message on the phone comes with the option of setting off an alarm on the phone too. I haven't tried it, so I don't know how loud it is, but I'm sure it would be pretty annoying to say the least.
--
Take care,
Randall
Remotely wiping mobile phones
Posted Sep 16, 2010 10:30 UTC (Thu) by nhippi (guest, #34640) [Link]
Keep a different phone for personal use and different phone for work use.
There are many many advantages to the approach - most importantly ability to switch the work phone OFF when on vacation.
Remotely wiping mobile phones
Posted Sep 16, 2010 20:19 UTC (Thu) by leoc (guest, #39773) [Link]
Remotely wiping mobile phones
Posted Sep 16, 2010 23:52 UTC (Thu) by klbrun (subscriber, #45083) [Link]
Remotely wiping mobile phones
Posted Sep 17, 2010 0:29 UTC (Fri) by giraffedata (guest, #1954) [Link]
I've never seen an Exchange client or server, but I'll bet there is a web interface. It's just too valuable a thing for Microsoft not to sell.
But the web protocols are far too weak to give the best possible user experience, so that would explain why one would want to use a special Exchange client instead of a web browser for mail. Slowness, expiration, lack of interactivity, and everything.
Remotely wiping mobile phones
Posted Sep 17, 2010 4:25 UTC (Fri) by bronson (subscriber, #4806) [Link]
But you're right -- it's far too heavy to be used over Edge or 3G data connections, and it would take a ton of work to get it to work in current mobile browsers.
Remotely wiping mobile phones
Posted Sep 17, 2010 19:43 UTC (Fri) by speedster1 (guest, #8143) [Link]
If you do use it to send mail, please give me a hint on how to send a genuine plain text message using Outlook Web Access.
Remotely wiping mobile phones
Posted Sep 17, 2010 22:26 UTC (Fri) by bronson (subscriber, #4806) [Link]
As far as its capability as a mailer.... well, this was in a Microsoft-laden corporate environment. I sent and received nothing but HTML-encoded top-posted disasters, each with a 75 MB PowerPoint attachment.
Remotely wiping mobile phones
Posted Sep 17, 2010 23:21 UTC (Fri) by foom (subscriber, #14868) [Link]
Well, at least your Microsoft-laden environment was better than most! Many installations of Exchange have some ridiculously low per-user storage size limit, like 25MB.
Remotely wiping mobile phones
Posted Sep 20, 2010 13:03 UTC (Mon) by james (subscriber, #1325) [Link]
Remotely wiping mobile phones
Posted Sep 17, 2010 4:09 UTC (Fri) by bradh (guest, #2274) [Link]
There is an example of how to command remote wipe in Section 4.2 of that document (http://msdn.microsoft.com/en-us/library/ee218975%28v=EXCH... - note that you need to work through the subsections to see the actual operations).
Remotely wiping mobile phones
Posted Sep 28, 2010 19:49 UTC (Tue) by xorbe (guest, #3165) [Link]
Remotely wiping mobile phones
Posted Mar 7, 2012 23:57 UTC (Wed) by dallastexas01 (guest, #83380) [Link]
Remotely wiping mobile phones
Posted Mar 8, 2012 0:45 UTC (Thu) by mathstuf (subscriber, #69389) [Link]