My presentation describes the limitations of the remote wipe functionality of mobile devices (not laptops).
1
GEM Forum 2012
The unspeakable pitfalls of mobile security
Claus Cramon Houmann, Head of IT, Banque Öhman S.A.
2Öhman
The unspeakable pitfalls of mobile security
Agenda for today:
• The Mobile Security Pitfall
• How to Avoid the Pitfall
• Your Next 6 Months
Why this subject?
• The topic is never fully discussed; it is always only briefly broached
• Important pitfalls exist that need to be reflected from a Risk Management perspective
• Understanding the risks/pitfalls aids overall security
Implementing an MDM – what vendors tell you
• Quote from "A Director, IT", found online:
– "Using (this company's) native mobile apps, our teams really appreciate being able to securely collaborate on contracts and engineering plans with internal and external business partners. (MDM's) ability to wipe the device clean remotely any time a device is lost or stolen adds another level of security protection against a possible data breach."
• This is just one example of vendors selling on the fact that devices can be wiped "easily" or "any time"
• For employee-owned devices (BYOD), vendors also stress the fact that devices can be wiped
Remote wiping – an unspeakable security pitfall?
• Reasons why remote wiping should not be the factor that lets you sleep at night:
1. How to avoid the wipe happening (and what does it take for it to work)
2. If a device wipes, is the information gone?
3. If a device wipes, is the data on it "safe"?
4. If a device wipes, is it even legal?
1. How to avoid the wipe happening (and what does it take for it to work)
OS: iPhone

| Test  | Wireless | SIM | Airplane mode | Wipe | Comments |
|-------|----------|-----|---------------|------|----------|
| Test1 | No  | Yes | No  | Yes | The wipe command cannot be cancelled once the wipe has been performed; the device must be deleted from the device list |
| Test2 | No  | Yes | Yes | No  | |
| Test3 | Yes | No  | No  | Yes | |
| Test4 | Yes | No  | Yes | Yes | Average time until wipe after sending the command: 30 seconds, spanning from 20 to 35 seconds |
| Test5 | No  | No  | No  | No  | |

A phone obviously must also have battery power left and be turned on for a remote wipe to work. There is no difference between iOS and others for the purposes of this test.
1. How to avoid the wipe happening (and what does it take for it to work)
• This means that a remote wipe will not work if:
– A thief turns a phone off (which can be done without entering the device password)
– A thief removes the SIM card and walks out of range of a known wireless network
– A device is lost and runs out of battery
– A device has been modified by a user in such a way that the wipe command fails
• So what does it take for a wipe to work?
– A powered-on, recharged, unmodified device with a SIM card or connected to a wireless network
– Or device-initiated wiping based on heartbeat failure
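The last bullet is the only option that covers a phone that is switched off or taken offline. The following is an added illustration (not code from the slides or from any MDM product) of what a device-initiated heartbeat policy looks like: the agent records the last check-in the server acknowledged and wipes on its own once too many intervals have passed, so it does not depend on the wipe command ever arriving. The 1-hour interval, the 24 tolerated misses and the "container" wipe scope are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class HeartbeatPolicy:
    """Constructed example values, not taken from any particular MDM product."""
    interval: timedelta            # how often the agent should check in
    missed_allowed: int            # consecutive misses tolerated before self-wipe
    wipe_scope: str = "container"  # "container" (corporate data only) or "full"

@dataclass
class DeviceAgent:
    policy: HeartbeatPolicy
    last_ack: datetime             # last check-in acknowledged by the MDM server
    wiped: Optional[str] = None    # None until wiped, then the scope applied

    def deadline(self) -> datetime:
        # Self-wipe once more than missed_allowed intervals pass without an ack.
        return self.last_ack + self.policy.interval * (self.policy.missed_allowed + 1)

    def on_checkin(self, now: datetime, server_reachable: bool,
                   server_wipe_pending: bool = False) -> str:
        """Run by the agent each interval while powered on; returns the action."""
        if server_reachable:
            if server_wipe_pending:
                # The admin's remote wipe only arrives when connectivity exists.
                self.wiped = self.policy.wipe_scope
                return "wipe"
            self.last_ack = now
            return "ack"
        if now >= self.deadline():
            # No ack for too long: wipe without any contact with the server.
            self.wiped = self.policy.wipe_scope
            return "wipe"
        return "wait"

def replay(agent: DeviceAgent, start: datetime, checkins) -> Optional[int]:
    """Replay constructed (hours_after_start, reachable) check-ins; return the wipe hour."""
    for hours, reachable in checkins:
        if agent.on_checkin(start + timedelta(hours=hours), reachable) == "wipe":
            return hours
    return None

def stolen_phone_scenario() -> Optional[int]:
    """SIM pulled and phone powered off at hour 2, powered on offline at hour 30."""
    start = datetime(2012, 1, 1)
    agent = DeviceAgent(HeartbeatPolicy(timedelta(hours=1), 24), last_ack=start)
    return replay(agent, start, [(1, True), (2, True), (30, False), (31, False)])
```

In the scenario the phone is unreachable from hour 2 on, so no server-side wipe could reach it; the agent still wipes at hour 30, the first check-in after the 25-hour deadline has passed.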
2. If a device wipes, is the information gone?
• Most mobile devices have flash storage rather than hard disks, and wiping flash is more technically complicated: even if the device wipes, the data may not actually be gone (source: see credits)
• Is a remote wipe of a hard disk secure?
• Did the user copy or back up the data to a local PC? A cloud service? Private e-mail?
3. If a device wipes, is the data on it “safe”?
• Is the data even safe?
– Unknowns exist regarding competitors/spies/hackers
– Tools such as FinSpy Mobile exist to say "no", it is not
• All current mobile devices have many potential security flaws
– Pwn2Own-type competitions show devices hackable from scratch in 2-3 weeks or less
• How soon after the data loss is the phone wiped?
– Even small delays can be critical, if the hack is detected at all
• Possibility for hackers to use attacks that trigger a remote wipe
3. If a device wipes, is the data on it "safe"? (continued)
• Delays in notifying IT when losing a device are critical
• Devices can give attackers remote-wipe capabilities due to flaws
4. If a device wipes, is it even legal?
• Most MDMs remote wipe all content indiscriminately
– In some countries this is a breach of privacy laws even if the user has consented
• Quote:
– Invasion of Privacy by Offensive Intrusion (The defendant invades the plaintiff's solitude, seclusion, private affairs or personal concerns)
– Trespass to Personal Property (The wrongful dispossession of a person's personal property)
– Conversion (Generally, conversion involves a misappropriation of plaintiff's property to the use of the tortfeasor or wrongdoer)
• This quote was taken from Thomas Porter (see credits). Note that this analysis of the legality is for US laws only
How to avoid the remote wipe pitfall?
• MDM with secure containers for corporate data
– Ability to wipe only corporate-related data
– A secured container adds depth if the remote wipe fails
• User and company policies that only allow approved information and apps/functionalities on a mobile device
– Does your user really need Facebook and Pandora?
• Train users to be aware that they must react with speed if a device is lost
What should you do the next 6 months? Risk Management perspective
• The security pitfalls mentioned are widely ignored in Risk Assessments around the world
• In Risk Assessments, any data put onto a mobile device should be considered already made public on the Internet
• BYOD is not a security evil, but poor implementation and a lack of Risk Assessment can be
• Re-do your risk assessments until you can justify smartphones/BYOD, if you do NEED to justify these
What should you do the next 6 months? Risk Management perspective
• Once you re-do your Risk Assessment, changes should be reflected in your production environment
– Communicate results to the relevant parties within your organization and obtain any relevant authorization
– Change technical security policies in the MDM (or get an MDM if you don't already have one)
– Change internal policies such as the Acceptable Use policy for mobile devices/cloud services or similar internal policies
– Enforce technical changes throughout the organization and audit this
– Train users and perform security awareness training
Credits
• Credits go to
– Ryan Naraine for letting me use data from his article: http://www.zdnet.com/the-fallacy-of-remote-wiping-7000000611/
– Thomas Porter (http://www.zdnet.com/the-fallacy-of-remote-wiping-7000000611/ is his editorial)
– Fortinet (provides data support to http://www.zdnet.com/the-fallacy-of-remote-wiping-7000000611/)
• About the Author:
– Claus Cramon Houmann lives in Luxembourg and works both for Banque Öhman S.A. and for his own company, ImproveIT Consulting. You can contact me:
• Twitter: @claushoumann
• Email: [email protected]