Remotely wiping mobile phones

Posted Sep 15, 2010 17:12 UTC (Wed) by mitchskin (guest, #32405)
Parent article: Remotely wiping mobile phones

I first heard about this in the context of the n900, which doesn't implement the remote-wipe functionality. And the n900 tells the server that it doesn't (it's not "provisionable", in exchange speak). And some exchange admins only allow provisionable phones to access the server.

Some users in the big talk.maemo.org thread about this asked for the ability to tell the server that the phone is provisionable even though it isn't. But apparently, doing that violates the license under which nokia got the exchange syncing code from microsoft.

If the people implementing the client software used a non-microsoft activesync implementation, then presumably they could give users some more control. I thought such implementations existed, but if they do then I don't see why people aren't using them.

Aside: what a horrid bit of functionality to hide under the anodyne word "provisionable". Doubleplus ungood use of language there.



Remotely wiping mobile phones

Posted Sep 15, 2010 18:00 UTC (Wed) by smurf (subscriber, #17840) [Link]

To be fair, the word probably wasn't chosen to obscure the fact that it's a remote wipe. Provisioning, in the context of e.g. a SIP telephone set, means to force-feed some set of standard settings to the thing. Wiping anything the user does, or might have done, is secondary.

Doesn't change the fact that this is not at all a good idea. Among other reasons: why the hell should an email/contacts/calendar/whatever-else-Exchange-does client have root access?

Remotely wiping mobile phones

Posted Sep 15, 2010 18:23 UTC (Wed) by foom (subscriber, #14868) [Link]

> Among other reasons: why the hell should an email/contacts/calendar/whatever-else-Exchange-does client have root access

Having the ability to wipe all the user's data doesn't require root access...

Remotely wiping mobile phones

Posted Sep 15, 2010 19:19 UTC (Wed) by cesarb (subscriber, #6266) [Link]

What we need is a phone with two user accounts, a "business" account and a "personal" account. The email client would run on the "business" account and only be able to wipe the data on it. The data on the "personal" account (your photos, your family contacts, etc.) would then stay safe.

As an aside, remote wipe is a horrible way of protecting data on a phone. Encrypting it (which should not be very power-intensive with hardware assistance plus the kernel's normal caching) and requiring a key (perhaps even having to contact a server to obtain part of it, to allow for it to be revoked) would be much safer, since it would not need a constant network connection to protect the data.

Remotely wiping mobile phones

Posted Sep 15, 2010 19:36 UTC (Wed) by drag (subscriber, #31333) [Link]

One thing that you're completely missing, however, is that people leave their phones on most of the time. Encrypted drives only work effectively if your system is turned off at the time it was stolen.

That's why I don't bother with it on my laptop, except I store some of the more sensitive information encrypted via encfs and cryptkeeper. You see: I leave my laptop on all the time. Even when traveling it's suspended. Out of any modern device it's fairly trivial to pull encryption keys out of memory. There are ways it can be mitigated, but that is not the reality we live in right now in terms of hardware security.

But there is not much on a phone that I would tolerate using if I had to type in a password every time I needed to access it. Usability easily trumps security in this regard.

Remote wipe is really a pretty good way to keep your stuff safe. Cell phones are stolen very often, smart phones are even more attractive targets. People frequently leave their phones lying around and forget them in public places. People leave them on all the time.

If I was a business type guy buying phones for my employees then it would be an invaluable feature.

For my personal use it would be an invaluable feature.

The problem is not that there is a remote wipe. The problem has to do with who is the one in control of it.

That is true with most stronger security schemes. The problem is not that they exist or that they are effective or that they can get used... the problem is the people who have the ability to use them. That is: somebody other than the property owner.

Remotely wiping mobile phones by cancelling decryption keys

Posted Sep 15, 2010 21:19 UTC (Wed) by neilbrown (subscriber, #359) [Link]

> One thing that you're completely missing, however, is that people leave their phones on most of the time. Encrypted drives only work effectively if your system is turned off at the time it was stolen.

Alternate perspective is that encryption and never-turned-off make a good combination as then if your phone is stolen/lost all you need to do is remote-shut-down. If you still have the phone, this is just an inconvenience. If someone else has it, they lose any access to your data.

All the value of remote-wipe and almost none of the cost.
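
The scheme cesarb and neilbrown describe above, a data key that needs a server-held part so that cancelling that part takes the place of a wipe, can be sketched as follows. This is an added example, not part of the original thread; `KeyServer`, `Device`, the HMAC combiner and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor


class KeyServer:
    """Hypothetical server holding one random key share per device."""
    def __init__(self):
        self._shares = {}
    def enroll(self, device_id):
        self._shares[device_id] = os.urandom(32)
    def revoke(self, device_id):
        # The "wipe": destroy the share; nothing has to reach the phone.
        self._shares.pop(device_id, None)
    def fetch_share(self, device_id):
        return self._shares.get(device_id)  # None once revoked


def derive_key(passphrase, salt, share):
    """Mix the passphrase-derived secret with the server share."""
    local = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)
    return hmac.new(local, share, hashlib.sha256).digest()


def check_value(key):
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


class Device:
    def __init__(self, device_id, passphrase, server):
        self.device_id, self.server = device_id, server
        self.salt = os.urandom(16)
        server.enroll(device_id)
        key = derive_key(passphrase, self.salt, server.fetch_share(device_id))
        self.check = check_value(key)  # stored on flash, verifies a key
        self.key = None                # locked: no data key in RAM

    def unlock(self, passphrase):
        share = self.server.fetch_share(self.device_id)
        if share is None:
            return False               # revoked or server unreachable
        key = derive_key(passphrase, self.salt, share)
        ok = hmac.compare_digest(check_value(key), self.check)
        self.key = key if ok else None
        return ok

    def lock(self):
        self.key = None  # drops the reference; real code must also overwrite it
```

Revocation only protects a device that is locked at the time: a key already held in RAM is unaffected, which is why the remote shut-down step matters.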

Remotely wiping mobile phones by cancelling decryption keys

Posted Sep 15, 2010 22:43 UTC (Wed) by drag (subscriber, #31333) [Link]

That makes a lot of sense there.

Remotely wiping mobile phones

Posted Sep 15, 2010 23:52 UTC (Wed) by literfizzer (subscriber, #31274) [Link]

I nearly got locked out of my own personal phone the day after setting it up to sync my calendar (not mail) from the Exchange server at work. The next day the phone prompted me for a password, but it didn't specify which one. It was obvious in retrospect, but at the time I thought it wanted one of the SIM PIN codes or perhaps my Google account password.

It gives you 10 attempts; I finally figured out that it wanted the Exchange password on the last or second-to-last attempt. I'm not sure what would have happened if I hadn't gotten it right, but I'm guessing my phone would have been wiped.

The password prompt comes up every few hours now. It's a real impediment to usability, especially when the phone is first powered on. The phone is more or less nonresponsive for the first few minutes after the password prompt comes up.

It's a lot to put up with just to get my Exchange calendar into my phone, which contains no sensitive information.

Remotely wiping mobile phones

Posted Sep 16, 2010 12:17 UTC (Thu) by sjlyall (subscriber, #4151) [Link]

Actually forcing a PIN on the phone (so you have to type a 4 digit password into the phone when you wake it up) is another option. The company I work with forces this on phones that use its exchange servers. The idea is that you can't just pick up somebody's phone and start reading confidential email.

Have a look at this page for some information:

http://www.apple.com/support/iphone/enterprise/

The "Security Overview" at the bottom of the page has a quick summary of some things you can do via policy on the exchange server.

http://images.apple.com/iphone/business/docs/iPhone_Secur...

Remotely wiping mobile phones

Posted Sep 19, 2010 10:34 UTC (Sun) by Tet (subscriber, #5433) [Link]

> I leave my laptop on all the time. Even when traveling it's suspended. Out of any modern device it's fairly trivial to pull encryption keys out of memory.

Trivial, you say? I'd be intrigued to know how you plan to do this. Any halfway sane Linux distribution requires the decryption password to be entered when resuming from a suspended state.

Remotely wiping mobile phones

Posted Sep 20, 2010 16:13 UTC (Mon) by pkern (subscriber, #32883) [Link]

While this might be true for hibernation (aka suspend to disk), I don't know of a Linux distribution that does it on suspend to RAM.

In theory it could instruct the kernel to wipe the encryption keys from memory at suspend time. However, the whole LUKS cryptsetup infrastructure runs in userspace to verify the correctness of the keys, which would require some parts of userspace in RAM to be working for key input. Chicken, egg.

But then this only applies to full disk encryption / root partition encryption; userspace filesystems like ecryptfs could get triggered to forget the keys and re-prompt the user, I suppose.

Remotely wiping mobile phones

Posted Sep 28, 2010 13:37 UTC (Tue) by robbe (subscriber, #16131) [Link]

The plan:
* instruct the kernel to forget device keys before suspending
* run a daemon that is able to ask the user for her passphrase, and reinstate device keys on resume
* run without swap, or mlockall() all participating daemons/applications

Remotely wiping mobile phones

Posted Sep 28, 2010 13:30 UTC (Tue) by robbe (subscriber, #16131) [Link]

I'd classify the difficulty as moderate, not trivial. See http://en.wikipedia.org/wiki/Cold_boot_attack for details.

Remotely wiping mobile phones

Posted Sep 17, 2010 16:30 UTC (Fri) by PO8 (guest, #41661) [Link]

...and I'm not trying to figure out if I can afford an N900 to replace my G1; maybe also my boy's. Thanks much for the info!

I've been willing to put up with all the problems I've had with the Android because it's a convenient device in some ways and was given to me. I've always been uncomfortable that Google controls most of my data, though; this latest is just too scary to live with.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds