nCircle VERT Blog

Remote Wipe: Security Innovation or Useless Peace of Mind

I'm going to talk about something I don't normally discuss: smart phones.

I'm an avid BlackBerry user and would probably be lost without access to it, but I've been thinking more and more about the security implications of using a smart phone for enterprise applications.

The BlackBerry is the king of enterprise phones, designed with the enterprise in mind and with end-user features tacked on as an afterthought. The iPhone, on the other hand, cleans up with average users, and enterprise features were thrown in afterward. Either way, both phones ended up with a feature that has led to them being declared "fit for the enterprise": remote wipe capabilities. This feature, for those that don't know, allows you to remotely wipe a phone that has been lost or stolen.

I can't help but wonder if we rely too heavily on this feature. The concept of a remote wipe requires remote connectivity. Remote wipe might be sufficient for a phone that is accidentally lost or randomly stolen, but those aren't really the cases where your data is at risk. The real risk comes from targeted attacks, where the thieves know exactly whose phone they're taking.

It's really no different from any other aspect of enterprise security in the cyber age. Targeted attacks carry the most risk -- Aurora was a great example of this. So how useful is a remote wipe when you're looking at a targeted attack? The answer is pretty simple: it's not.

Let's set up a scenario. If I'm an attacker and I know the phone I'm going after, I'm going to do my homework. I'm going to identify my target, find the best time to grab the phone and try to get it without the victim noticing.

My first move after acquiring the phone (or possibly even before acquiring it) is going to be to neutralize the remote wipe capabilities. I can do this with a $20 cell phone jammer easily purchased on the internet. If there's no signal to the phone, there's no way to remote wipe it. Since this is a targeted attack, I'm not going for the phone as a device to get free calls. I'm going after the data stored on that phone.

One of my colleagues pointed out that most of these devices have passwords, and these passwords will wipe the device after a specific number of failed attempts. My counter to this logic is as follows: in a targeted attack, I'm going to be watching you and paying attention, and I'm going to find out as much information about you as possible. I imagine I'd have a fairly good idea of what your password is, either by learning about you (how many employees' passwords can be found by viewing their Facebook page?) or by watching you. Mobile devices don't do much to prevent shoulder surfing. In fact, given their constant use in public, they actually encourage it. With the numeric option on the iPhone or even the alphanumeric option of the BlackBerry, I won't have to watch you for long to determine your password, or at least a close guess at it.

The original iPhone release was deemed "not ready for the enterprise" because it lacked a remote wipe capability. Once Apple added this feature, there were a lot of articles saying the iPhone was "now an enterprise tool".

I think that this mindset offers a false sense of security. If we're really relying only on remote wipe as a valid security method against targeted attacks, we aren't very well protected. We have to come up with something better. Remote wipe provides peace of mind only for accidental loss or random theft of a smart phone and nothing more.



Comments (1)

I think for the majority of enterprises, a remote wipe capability is just fine. I know my organization really doesn't have much issue with targeted attacks, especially those dedicated enough to pursue getting that unlock password. Therefore, I really do think it is possible that remote wipes can be just fine.

Remote wipe + local encryption + password to unlock which also wipes after 10 tries... that's not an approach I would necessarily want to start attacking as "wrong."

Sure, like DLP we can think up scenarios to defeat it, but perhaps enterprises shouldn't think of smartphones as being necessary for high profile people (which of course is the opposite market that the Blackberry caters to, for instance) that might actually be targeted.

Especially since the only options I see otherwise would be 2-factor auth with all data stored in "the cloud" making the device mostly expendable. Even still, what about stealing the device and the second factor and not reporting the theft quick enough to lock an account?


But that really sucks when so many people have personal smartphones that get connected into the enterprise. I certainly don't want to store that personal stuff as well as business stuff.

To veer totally off into the woods at a violent angle...maybe this whole idea of keeping information private is slowly going to have to erode away. I know the hacker ethic (if I may borrow that term) supports the idea that information tends towards freedom. Maybe that's the long-term trend we're starting to deal with now...I mean, the point of these smartphones and the business and this protection is all about keeping secrets secret (and to a lesser degree because it's harder, making sure what you do get you can trust the integrity of).

Nice post, and good thoughts to share! :)



About

This page contains a single entry from the blog posted on June 3, 2010 2:10 PM.




Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.
