the unspeakable-pitfalls of mobile security

GEM Forum 2012: The unspeakable pitfalls of mobile security. Claus Cramon Houmann, Head of IT, Banque Öhman S.A.

Upload: claus-cramon-houmann

Post on 08-Jun-2015


DESCRIPTION

My presentation describes the limitations of the Mobile device (not laptops) remote wipe functionality

TRANSCRIPT

Page 1: The unspeakable-pitfalls of mobile security

GEM Forum 2012

The unspeakable pitfalls of mobile security
Claus Cramon Houmann, Head of IT, Banque Öhman S.A.

Page 2: The unspeakable-pitfalls of mobile security

The unspeakable pitfalls of mobile security

Agenda for today:
• The Mobile Security Pitfall
• How to Avoid the Pitfall
• Your Next 6 Months

Page 3: The unspeakable-pitfalls of mobile security

Why this subject?

• Topic is never fully discussed; always briefly broached
• Important pitfalls exist that need to be reflected from a Risk Management perspective
• Understanding the risks/pitfalls aids overall security

Page 4: The unspeakable-pitfalls of mobile security

Implementing an MDM – what vendors tell you

• Quote from “A Director, IT”, found online:
  – “Using (this company’s) native mobile apps, our teams really appreciate being able to securely collaborate on contracts and engineering plans with internal and external business partners. (MDM’s) ability to wipe the device clean remotely any time a device is lost or stolen adds another level of security protection against a possible data breach”.
• This is just one example where vendors sell on the fact that devices can be wiped “easily” or “any time”
• For employee-owned devices (BYOD) vendors also stress the fact that devices can be wiped

Page 5: The unspeakable-pitfalls of mobile security

Remote wiping – an unspeakable security pitfall?

• Reasons why remote wiping should not be the factor that lets you sleep at night:
  1. How to avoid the wipe happening (and what does it take for it to work)
  2. If a device wipes, is the information gone?
  3. If a device wipes, is the data on it “safe”?
  4. If a device wipes, is it even legal?

Page 6: The unspeakable-pitfalls of mobile security

1. How to avoid the wipe happening (and what does it take for it to work)

OS: iPhone

| Test  | Wireless | SIM | Airplane mode | Wipe | Comments |
|-------|----------|-----|---------------|------|----------|
| Test1 | No       | Yes | No            | Yes  | Cannot cancel wipe command when wipe has been performed; the device must be deleted from the device list |
| Test2 | No       | Yes | Yes           | No   |          |
| Test3 | Yes      | No  | No            | Yes  |          |
| Test4 | Yes      | No  | Yes           | Yes  | Average time-until-wipe after sending command: 30 seconds, span from 20-35 seconds |
| Test5 | No       | No  | No            | No   |          |

A phone obviously must also have battery power left and be turned on for a remote wipe to work.
There is no difference between iOS and others for the purposes of this test.

Page 7: The unspeakable-pitfalls of mobile security

1. How to avoid the wipe happening (and what does it take for it to work)

• This means that a remote wipe will not work if:
  – A thief turns a phone off (which can be done without entering the device password)
  – A thief removes the SIM card and walks out of range of a known wireless network
  – A device is lost and runs out of battery
  – A device has been modified by a user in such a way that the wipe command fails
• So what does it take for a wipe to work?
  – A powered-on, recharged, unmodified device with a SIM card or connected to a wireless network
  – Or device-initiated, heartbeat-failure-based wiping
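An added example (not part of the original slides): a Python model of the five test rows above, set beside the device-initiated heartbeat wipe named in the last bullet. The `HeartbeatWipe` class, its 24-hour limit, the clock-rollback rule and the scenario tuples are assumptions made for illustration, not any MDM vendor's API.

```python
from dataclasses import dataclass

# Constructed scenarios mirroring the slide's test rows:
# (name, wireless, sim, airplane_mode)
TESTS = [
    ("Test1", False, True, False),
    ("Test2", False, True, True),
    ("Test3", True, False, False),
    ("Test4", True, False, True),
    ("Test5", False, False, False),
]

def reachable(wireless, sim, airplane_mode, powered_on=True):
    """A server-pushed wipe needs a live network path to a running device."""
    cellular = sim and not airplane_mode
    return powered_on and (wireless or cellular)

@dataclass
class HeartbeatWipe:
    """Device-side dead-man switch (hypothetical policy, not a vendor API)."""
    max_silence_s: int       # allowed time without a successful check-in
    last_checkin_s: int = 0  # persisted timestamp of the last check-in
    wiped: bool = False

    def tick(self, now_s, can_reach_server):
        """Run on a timer and at every boot; returns True once wiped."""
        if self.wiped:
            return True
        if can_reach_server:
            self.last_checkin_s = now_s
            return False
        overdue = now_s - self.last_checkin_s > self.max_silence_s
        clock_rolled_back = now_s < self.last_checkin_s  # assumed tamper signal
        self.wiped = overdue or clock_rolled_back
        return self.wiped

def compare(hours_lost=48, max_silence_h=24):
    """Per scenario: (remote wipe can be delivered, heartbeat wipe fired)."""
    out = {}
    for name, wifi, sim, airplane in TESTS:
        online = reachable(wifi, sim, airplane)
        hb = HeartbeatWipe(max_silence_s=max_silence_h * 3600)
        for hour in range(1, hours_lost + 1):
            hb.tick(hour * 3600, online)
        out[name] = (online, hb.wiped)
    return out
```

A powered-off device cannot run the timer, which is why `tick` must also run at boot; the model does not cover a modified device that disables the check.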

Page 8: The unspeakable-pitfalls of mobile security

2. If a device wipes, is the information gone?

• Most mobile devices use flash storage rather than hard disks, and wiping flash is technically more complicated: even if the device wipes, the data may not actually be wiped (source: see credits)
• Is a remote wipe of a hard disk secure?
• Did the user copy/back up the data to a local PC? Cloud service? Private e-mail?

Page 9: The unspeakable-pitfalls of mobile security

3. If a device wipes, is the data on it “safe”?

• Is the data even safe?
  – Unknowns exist for competitors/spies/hackers
  – Tools such as FinspyMobile exist to say “no”, it’s not
• All current mobile devices have many potential security flaws
  – Pwn2own type competitions show devices hackable from scratch in 2-3 weeks or less
• How soon after data loss is the phone wiped?
  – Even small delays can be critical, if the hack is detected at all
• Possibility for hackers to use remote-wipeable attacks

Page 10: The unspeakable-pitfalls of mobile security

3. If a device wipes, is the data on it “safe”?

• ...continued
• Delays in notifying IT when losing a device are critical
• Devices can give attackers remote-wipe capabilities due to flaws

Page 11: The unspeakable-pitfalls of mobile security

4. If a device wipes, is it even legal?

• Most MDMs remote wipe all content indiscriminately
  – In some countries this is a breach of privacy laws even if the user has consented
• Quote:
  – Invasion of Privacy by Offensive Intrusion (The defendant invades the plaintiff's solitude, seclusion, private affairs or personal concerns)
  – Trespass to Personal Property (The wrongful dispossession of a person's personal property)
  – Conversion (Generally, conversion involves a misappropriation of plaintiff's property to the use of the tortfeasor or wrongdoer)
• This quote was taken from Thomas Porter (see credits). Note that this analysis of the legality is for US laws only

Page 12: The unspeakable-pitfalls of mobile security

How to avoid the remote wipe pitfall?

• MDM with secure containers for corporate data
  – Ability to wipe only corporate-related data
  – Secured container adds depth if remote wipe fails
• User and Company policies to only allow approved information and apps/functionalities on a mobile device
  – Does your user really need Facebook and Pandora?
• Train users to be aware of having to react with speed if a device is lost

Page 13: The unspeakable-pitfalls of mobile security

What should you do the next 6 months? Risk Management perspective

• Security pitfalls mentioned are widely ignored in Risk Assessments around the world
• Any data put onto a mobile device should be considered already made public on the Internet in Risk Assessments
• BYOD is not a security evil but poor implementation and a lack of Risk Assessment can be
• Re-do your risk assessments until you can justify smartphones/BYOD, if you do NEED to justify these

Page 14: The unspeakable-pitfalls of mobile security

What should you do the next 6 months? Risk Management perspective

• Once you re-do your Risk Assessment, changes should be reflected in your production environment
  – Communicate results to the relevant parties within your organization and obtain any relevant authorization
  – Change technical security policies in MDM (or get an MDM if you don’t already)
  – Change internal policies such as Acceptable Use policy for mobile devices/cloud services or similar internal policies
  – Enforce technical changes throughout the organization and audit this
  – Train users and perform security awareness training

Page 15: The unspeakable-pitfalls of mobile security

Credits

• Credits go to
  – Ryan Naraine for letting me use data from his article: http://www.zdnet.com/the-fallacy-of-remote-wiping-7000000611/
  – Thomas Porter (http://www.zdnet.com/the-fallacy-of-remote-wiping-7000000611/ is his editorial)
  – Fortinet (provides data support to http://www.zdnet.com/the-fallacy-of-remote-wiping-7000000611/)
• About the Author:
  – Claus Cramon Houmann lives in Luxembourg and works both for Banque Öhman S.A. and for his own company, ImproveIT Consulting. You can contact me:
    • Twitter: @claushoumann
    • Email: [email protected]