A mobile phone "feature" that is touted as a way to remove data from stolen
phones is also being used in far less reasonable ways. It is, or could be seen
as, an anti-feature added for the benefit of companies, but without taking
users' needs into consideration. The "remote wipe" available for (at
least) Android, iOS, and Palm's webOS allows Exchange administrators to
remotely reset logged-in mobile phones—removing all personal data and
resetting them to factory defaults.
The amount of sensitive information that is stored on
mobile phones today—especially smartphones—is quite
substantial. It is no surprise that both companies and individuals are
worried about those phones falling into the wrong hands. Under those
circumstances, one can well imagine that being able to remotely wipe that data as
quickly as possible would be seen as a nice feature.
But there are a number of concerns with the current approach. As Nathan
on his blog, remote wipe is currently being misused by Exchange
administrators to punish users who access their corporate email from
unapproved devices. In many, perhaps most, cases, those unapproved devices are the
personal property of a user who is just trying to get their work done.
One can understand administrators wanting to impose draconian access rules,
and even to enforce them, but punishing users by deleting their photos,
applications, and other personal data seems just a tad beyond the pale.
Evidently the remote wipe feature was originally added for Blackberry
devices to protect against loss or theft. Exchange administrators have been
clamoring for the same functionality for other mobile phones as those
devices added Exchange compatibility. Over time, the phone makers have
complied, with Android adding (and touting)
remote wipe in its 2.2 ("Froyo") release. But it's not clear that users are
being warned about the power they are placing in the hands of their
corporate IT staff when they connect to the Exchange server.
From the comments on Hamblen's blog, it would seem that iPhones do not warn
users about the remote wipe, but that Android 2.2 does.
It certainly is not particularly intuitive that logging in to check your
work email suddenly puts your phone at risk. If administrators do not want
to provide Exchange access to mobile devices, a smaller, more focused
hammer—like access restrictions of some kind—is likely to work
out better in the long run.
For Android phones, Exchange access—and remote wipe—are
implemented in the standard email application. There is evidently no
mechanism to override the server security policies via the email
application settings, but there is a way to disable the remote wipe
functionality for those with root access or the ability to install
non-Market applications. Essentially, a securitypolicy.java file
in the application bundle (i.e. the .apk file) needs to be changed
to turn off security policy enforcement.
It seems to be something of a historical artifact that remote wipe is tied
to Exchange. Some users and administrators would undoubtedly like to
have this capability without it necessarily being dependent on an active
connection to an Exchange server. So, some kind of remote wipe
protocol getting added into phone operating systems may be on the horizon.
That will, of course, open up another set of potential issues.
There are obviously situations where a connection to the Exchange server
might be interrupted when a phone gets lost or stolen. One would guess
that those interested in obtaining phones for corporate espionage—as
opposed to the more run-of-the-mill criminal looking for a quick buck at
the pawn shop—would know enough to disable Exchange immediately. For
those truly concerned about mobile data security, the current remote wipe
is something of a half-measure.
Beyond the question of administrators wiping phones as punishment for
trying to keep on top of email, there are other concerns as well. How
well protected is the remote wipe command from attackers? One hopes that
Microsoft (and the phone implementers) have provided strong authentication
and/or encryption for that command channel. But, as we have seen before,
vulnerabilities may well be found that allow random attackers to wipe phones.
It's bad enough to give that kind of power over your personal phone to
administrators, but putting it into the hands of script kiddies is well
over the top.
There is clearly a balance to be struck. Companies are rightly concerned
about their proprietary information and its dispersal to devices that might
end up in the clutches of competitors. On the other hand, those same companies are
interested in having productive employees but it is difficult and expensive
to hand out smartphones to all employees so they can check their email.
Not to mention the fact that many of those people will already have a phone
they like and may not be willing to carry around a second one to check
The problem goes further than that, though. Laptops and other non-phone
devices (e.g. tablets, netbooks, possibly even home desktops) probably hold a lot more sensitive
corporate data. Some of those devices can have their disks encrypted and/or
require more rigorous authentication for access, but the problem still
remains. There will always be windows of vulnerability and sophisticated
attackers will find ways to exploit them. The problem here is with data
that leaves the confines of the company, regardless of where it is stored.
It has been suggested that "cloud" backups of personal data from phones
might partially solve the problem as users can just restore their data
punished for accessing their email. That seems fraught with peril as well,
however, not least because the sensitive corporate email probably gets
backed up right along with the photos of the user's children and the funny
sign they saw on the way to work. In the end, companies that apply
punitive sanctions to their employees' personal property for transgressions
of the security policy may just find that folks will come up with better
ways to spend their time. Perhaps taking pictures or playing games with
their phones instead of
up with their work email.
to post comments)