Mobile forensics after factory reset

18 Posts
5 Users
0 Reactions
5,510 Views
(@alistair)
Eminent Member
Joined: 12 years ago
Posts: 23
Topic starter  

Hello trewmte,

Thanks for the amazing write-up, and I completely agree with the implementations that you suggested. But my question remains:

Most people use a classical 4-digit pin number to protect their device (longer passwords are harder to remember, and also a hindrance to usability according to casual users), this comes down to brute forcing only 10,000 possible combinations which is trivial for a computer to process.

I'm not too familiar with blackberry devices, but as an incumbent in the corporate environment, I'm pretty sure BB devices have their security pretty much setup from long years of experience. My focus is more on the iPhone/iPad and the multitude of Android devices out there. As you all know, these devices were released as casual consumer devices, and slowly shifted into the corporate environment with the rising trend of BYOD.

So, even if your device is password protected, and has a "x number of entry attempts or wipe" policy associated with it, I could easily put the device, let's say into "recovery mode" (e.g. DFU mode for iPhone), brute force your PIN number in hopes of cracking it, and dumping a physical forensic image of the device for me to analyze.

I am also interested in a "secure wipe" for mobile devices. I mean the iPhone erases the keys, that's great, but let's say in the near future (although unlikely) some flaw in the AES algorithm gets published, now I have your encrypted data and can use that flaw to decrypt it.

What we need is a completely secure erase that wipes the data on the device never to be recovered again.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Most people use a classical 4-digit pin number to protect their device (longer passwords are harder to remember, and also a hindrance to usability according to casual users), this comes down to brute forcing only 10,000 possible combinations which is trivial for a computer to process.

If I may, if you lock the phone after three (or five) failed attempts (just like the PIN does, and then you need the PUK), even a 4-digit one may do.

I may state the obvious, but for smartphones a combination of facial recognition AND PIN might be an option.
Facial recognition alone, doubtfully so:
http://kgmacke.hubpages.com/hub/Beware-of-the-Ice-Cream-Sandwich-the-marketing-ploy-of-face-recognition

jaclaz

(@coligulus)
Estimable Member
Joined: 16 years ago
Posts: 165
 

For authentication, something I am currently working on a beta for is EyeVerify. I should stress this is not my product nor affiliated with my organisation. This solution uses eye vein biometrics much like a fingerprint but without the need for any additional equipment, just the device's camera. The product is not GA yet but I know they are working with the key MDM providers to integrate the solution into their products. You can find more info here:

http://www.eyeverify.com

With regards to securely wiping a device, the only handsets I have discovered that actually do this are BlackBerrys.

Integrating something like Jonathan Zdziarski's iErase into the actions performed by x number of failed password attempts may help; however, this only looks at free space on the device. The reality is deleted data will still reside within live files on the device and the tool is unable to touch this. More info here:

http://www.zdziarski.com/blog/?page_id=407

Even when a selective wipe is performed by an MDM solution, data will still remain on the device, particularly iDevices. This is partly due to the way the selective wipe is enacted. Removing the email profile may make the profile disappear on the device, rendering the mail application UI unusable to the user; however, underneath the skin all email data remains. Add to this the way that the SQLite databases work on the device and it is still possible to recover other Exchange data from the live files still resident on the device. So, in short, a selective wipe achieves very little to protect corporate data from a persistent malicious 'spy'. The best way to protect the data, as was already mentioned, is to use a secure container which is independently encrypted on top of the device level encryption. However, as was also pointed out, the encryption keys must be on the device somewhere. So, we need to look at only allowing specific device types to enrol in the MDM solution to prevent being able to circumvent any kind of device level passcode cracking, and ensuring that enforced passcodes are part of the organisation's mobile policy. For iOS this means disallowing anything other than iPhone 4S or iPad 2 or newer devices, as it is not possible to load a RAM disk on these and attack the passcode unless the device is already jailbroken and SSH happens to be installed. MDM solutions have the function to prevent specific makes, or even OS versions, from enrolling, ensuring that sensitive corporate data never makes it down to easily compromisable devices. They also have the capability to identify and act upon compromised (rooted/jailbroken) devices.

Android is a different kettle of fish altogether. Samsung are soon to release their 'Knox' container for supported devices, which will create a protected and encrypted partition on the devices for corporate data. The security is good enough that the US DoD have approved these devices for use by soldiers for BYOD and company liable devices. This supports the position that the 'Knox' solution has gone a long way to providing solid security on this platform, at least for Samsung devices. However, again the keys must be there somewhere.

Unfortunately the keys have to be stored somewhere, and even if they were not stored on the device but, say, the device received the keys over the air each time an encrypted application was used, they would still need to be cached on the device in order to be used by the application, and on top of that the user would have to be online in order to do anything. This makes the aim of trying to encourage productivity of employees by facilitating BYOD or mobile working practices more of a challenge, as there are still areas of poor reception, and how would someone work on a plane where there is no WiFi? There is no getting away from this. There will always be an issue with regards to key storage vulnerabilities IMO until there is a practical and cost effective way to use something like a CAC card or RSA type token which houses the keys, and application developers find a way to effectively use the keys and then scrub the memory where the keys were cached prior to use.

Like all things information security related, a layered approach is required to ensure that IF someone can get into the device they need to be a specialist, not just some have-a-go hacker who stumbles across sensitive data. The first layer being MDM to protect the device (which ultimately is a foundation and not the answer to everything) and then tie this together with MAM technology to protect the data. There are also companies currently working on VDI type technologies which house the data behind the corporate firewall, use applications on the device only as a viewer/editor, and use a secure connection to tunnel back behind the corporate firewall. I am yet to evaluate any of these as right now they are not GA either, though they look far better than traditional VDI, which is useless on mobile devices.

Any organisation which takes security seriously will apply data loss prevention technologies to ensure that the most sensitive types of data never make it to the mobile device in the first place, whether that be by using a dedicated DLP solution or, for example, simply disallowing email attachments to be pushed to mobile devices. An organisation can have an assessment conducted on the devices they allow into their environment to understand the weaknesses of the devices and the time it would take to exploit them. Next, perform a risk assessment and adjust their practices and policies accordingly.

Risk assessment IMO is a key step. If the company knows their devices are vulnerable but that it will take 6 months to exploit that vulnerability, and they know that the sensitive information they have on the devices will only be valuable to an attacker for 3 months then there is ultimately less risk than if those figures were the other way around.

Thanks

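The point above about SQLite is easy to verify without a handset. The following is an added example, not code from this thread or from any MDM product: it builds a throwaway database on the local disk with constructed sample rows, "selectively wipes" them with a plain DELETE, and then searches the raw file bytes for a marker the rows carried. It then repeats the exercise with SQLite's own `secure_delete` pragma (which zeroes freed cells and pages) and with a `VACUUM` (which rebuilds the file from live content only). The file name `mail.db` and the marker string are assumptions for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample data: every row carries this distinctive token so it can be
# searched for in the raw file bytes after the rows have been "deleted".
MARKER = "MARKER-"


def residual_marker_count(secure_delete: bool, vacuum: bool = False) -> int:
    """Build a throwaway database in a temp directory, insert and then delete rows
    containing MARKER, and return how many copies of MARKER are still readable in
    the database file itself. 0 means the deletion left nothing behind in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mail.db")  # hypothetical name standing in for an app's mail store
        conn = sqlite3.connect(path)
        # secure_delete makes SQLite overwrite freed cells and pages with zeros instead
        # of merely unlinking them; it must be set on the connection before the DELETE.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)"
        )
        rows = [
            (i, "Subject %d" % i, "%s%05d confidential text of message %d" % (MARKER, i, i))
            for i in range(300)
        ]
        conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
        conn.commit()

        # The "selective wipe": the application removes its rows, the file stays.
        conn.execute("DELETE FROM messages WHERE id >= 0")
        conn.commit()
        if vacuum:
            # VACUUM rebuilds the file from live content only, dropping freelist
            # pages and free blocks along with whatever they still contained.
            conn.execute("VACUUM")
        conn.close()

        with open(path, "rb") as fh:
            return fh.read().count(MARKER.encode("ascii"))


def compare_wipe_strategies() -> dict:
    """Run the three variants and report the residual marker count for each."""
    return {
        "plain DELETE": residual_marker_count(secure_delete=False),
        "DELETE with secure_delete=ON": residual_marker_count(secure_delete=True),
        "DELETE then VACUUM": residual_marker_count(secure_delete=False, vacuum=True),
    }


if __name__ == "__main__":
    for strategy, count in compare_wipe_strategies().items():
        print("%-30s residual markers in file: %d" % (strategy, count))
```

The plain DELETE leaves the message text sitting in free blocks and freelist pages of the live database file, which is exactly what a forensic carve of the "wiped" device recovers. `secure_delete` and `VACUUM` only clean the database file itself; copies that the application wrote elsewhere, rollback journals and WAL files, and stale flash pages below the filesystem are separate problems, which is why a container that is encrypted with its own key remains the stronger control.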
(@alistair)
Eminent Member
Joined: 12 years ago
Posts: 23
Topic starter  

Thanks Colin for that wonderful reply, very informative indeed!

I agree that key storage is a big issue in not just mobile devices but in all aspects of secure computing, one always has to apply due diligence when storing the encryption key.

I think iPhone models after 4 have done it pretty well, as they store the master keys in the CPU (or in the hardware somewhere) and they cannot (currently) be extracted via any software tools that I'm aware of. As you have also pointed out, MDM software is not meant to be sold as security software but as a means of simplifying BYOD and device enrollment; security is just a necessity that usually comes packaged with the software. How well they implement it is still to be determined. Doing a quick look around, you can find ways to bypass jailbreak detection, because what the software usually does is search for the 'su' binary under certain directories, and there are a gazillion ways to jailbreak your phone (just head over to XDA Developers to see for yourself).

Secure containers are a step up, but again, the keys have to be somewhere. I have personally extracted keys for my TrueCrypt container and successfully decrypted the encrypted container to a raw image file, which I was then able to mount and see the files stored in it. I am sure this is also possible for MDM software using the secure container defense. Encryption is only as good as the algorithm protecting it, and of course, on how well you secure the keys themselves. AES-128/256 still have a long way to go, in my opinion, before being broken. But the same was said for DES, until they had to close the door on it due to some scary vulnerabilities.

I find that the iDevices are a bit more secure at this time, due to the engineering of the device with security in mind from the get-go. I never heard of the new Samsung device you're talking about, but it seems like they are also making a correct change in securing their device internally. The newer Android devices also support the native TRIM command for flash storage; this command would mark the pages that are no longer in use as 'invalid' and the garbage collector would essentially purge them. However, how securely TRIM erases data is yet to be determined. I tried it on my own Acer tablet and it worked more or less, but I was still able to recover some data.

I believe that the current setup of full-disk encryption + remote wipe is enough for corporate security, but if the device gets into the hands of a knowledgeable corporate spy with a plethora of resources at his disposal, then he would know how to counter corporate security measures and extract the data one way or the other.

Coming back to my main point, remote wiping is just not a viable solution because it is not guaranteed to succeed. If your remote wipe doesn't succeed, your device remains in the state it was stolen in. A better solution, in my opinion, would be for the device itself to 'phone home' at fixed time intervals, and after a certain amount of failures, it would initiate a 'local' wipe. A bit drastic as a solution, but still better than getting your sensitive assets into the hands of a thief.

Thanks

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

As you have also pointed out, MDM software is not meant to be sold as security software but as a means of simplifying BYOD and device enrollment; security is just a necessity that usually comes packaged with the software.

The security concern must be why even allow sensitive data on BYOD?

http://trewmte.blogspot.co.uk/2013/01/smartphone-byod.html

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

A better solution, in my opinion, would be for the device itself to 'phone home' at fixed time intervals, and after a certain amount of failures, it would initiate a 'local' wipe. A bit drastic as a solution, but still better than getting your sensitive assets into the hands of a thief.

Interesting, but IMHO with a few practical issues.
How long would the interval between two successive "calls home" be
(minutes, hours, days)?
How many failures before triggering the self-wipe?

The interval should be less than the time needed for the "corporate spy" to get access to the device and perform data extraction (with whatever means).

Possible accidents (first three that I can imagine):

  • an employee goes (with the device) to a place where there is no coverage and stays there long enough to initiate the self-wiping (let's say a weekend in the Rocky Mountains, or a few hours searching for an archived file in a remote warehouse)
  • the cellular network has a failure
  • the "corporate spy" places here and there (let's say at night at a few employees' homes) a form of signal suppressor/cellphone jammer (after three, four or a few more such devices self-wiping, the software is removed from all devices)

jaclaz

(@alistair)
Eminent Member
Joined: 12 years ago
Posts: 23
Topic starter  

jaclaz, I agree, that is why I said it is kind of a drastic measure. I firmly believe that if an attacker has physical access to your device, you can pretty much assume that your data will be compromised one way or the other.

For a device being used in a corporate environment, this could have dire consequences. That's why it would be a good area to research some more effective security measures if a device is compromised.

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I firmly believe that if an attacker has physical access to your device, you can pretty much assume that your data will be compromised one way or the other.

Then an answer might be to have an internal clock so that all business data, which is limited and graded to one single day of business information, is deleted and overwritten at the end of each day, the business data containing no more than a few pieces of a jigsaw. Also consider weighing up passwords vis-a-vis passphrases.

Generally speaking, so this is not directed at your aims and objectives to find a security solution, Alistair:

Is there really any need for the body corporate to be using Employee devices?

1) based upon the combination of sensitive data vis-a-vis determined thief; BYOD potentially increases the risk (caused specifically by company policy of the body corporate) of an employee being targeted?

2) BYOD containing work and personal data increases risk of profiling of an individual and potential of impersonation (relevant to the scale of the sensitivity of the data)?

3) who is actually paying for the running of the device, the employee or employer? Doesn't this increase the risk of liability placed on the employee?

In the above scenarios I haven't mentioned:

a) the risk where the thief requires physically attacking an employee for the device
b) nor have I mentioned the current stats where countries are now seeing an increase in mobile device theft.
c) insurance costs increasing.
d) post attack personal injury claims for compensation
