We’ve long alluded to the fact that mobile device management (MDM) has its limitations for both businesses and their employees. But hey, don’t take it from us….hear what the Supreme Court had to say in its recent ruling against cellphone searches without a warrant.
In the opinion statements, Chief Justice John G. Roberts rejected the argument that evidence won’t be able to be preserved by the police due to phone wiping or encryption:
Remote wiping can be fully prevented by disconnecting a phone from the network. There are at least two simple ways to do this . . .
He then goes on to describe the two ways:
First, law enforcement officers can turn the phone off or remove its battery. Second, if they are concerned about encryption or other potential problems, they can leave a phone powered on and place it in an enclosure that isolates the phone from radio waves.
The last bit describes the use of Faraday bags, which the Court goes on to explain in more detail.
(As a side note, it’s true that shielding the phone within a Faraday bag would prevent a remote wipe. However, such a technique would not prevent encryption from rendering the data unreadable.)
The bottom line – even the Supreme Court realizes that “wiping a phone” (the primary security defense used by MDM) is easy to circumvent and can’t be relied upon with a high degree of confidence.
While many IT admins may look towards remote wiping as a tool for BYOD security, it shouldn’t be the main piece of arsenal. At the end of the day, there are alternative methods of protection, such as keeping corporate data off the device and disabling access if the phone is lost or stolen.
What’s your take? Is remote wiping an effective or overrated security practice?