Unless a lost smartphone or device is recovered pronto, remote phone lock should be followed by remote wipe. Here again, there are many products and
For example, BlackBerries configured with a "Remote Wipe Reset to Factory Defaults" rule can delete applications and data upon command by a BlackBerry Enterprise Server. Smartphones that speak Exchange ActiveSync (e.g., Windows Mobile, iPhone 2.0+, or Nokia Series S60 3rd edition) can be remotely wiped by administrators (via Exchange Server 2003/2007) or end users (via Outlook Web Access 2007). Several other vendors provide agent-based remote wipe functionality, including Absolute Software Corp., F-Secure Corp., Trust Digital, Good Technology Inc. and Zenprise Inc.
These solutions are generally geared for large enterprises that must manage and secure hundreds or thousands of devices. But what can a small business without its own Mobile Device Manager or Microsoft Exchange server do to enable remote wipe on employee smartphones? Fortunately, there are several alternative remote wipe solutions that can be used on a far smaller scale and budget.
- Absolute Software's Computrace Mobile can be purchased as an online service by companies with a minimum of 10 Windows Mobile and/or BlackBerry smartphones. Account administrators can view smartphone asset reports, historical and current location maps, and remotely initiate "Data Delete" commands to securely wipe some or all files stored on the device the next time it connects to any network. The Computrace Mobile agent "phones home" to Absolute Software to confirm when a Data Delete has finished, enabling generation of audit reports.
- F-Secure's Mobile Security can be purchased as a standalone device-resident product for deployment on individual Series S60 3rd edition and/or Windows Mobile smartphones. Anyone can invoke device lock or secure delete operations on a configured phone by sending an SMS message containing a user-defined PIN. Smartphones can also be configured to automatically lock if the SIM card is removed. Centralized asset tracking and reports are available through a Web portal for larger enterprise accounts only.
- Kaspersky's Mobile Security is also sold as standalone software for Series S60 3rd edition and/or Windows Mobile smartphones. Once installed, the program can be used to send a specially crafted SMS message containing a user-defined security code to any other smartphone running Mobile Security. These messages can be used to "block" (lock), "clean" (wipe), or "watch" (detect SIM removal). In addition, a "find" command can ask a WAN-connected GPS-enabled smartphone to return a Google maps URL depicting its current location.
- Apple's MobileMe can be purchased as an online service for individual iPhone and iPod Touch devices equipped with the iPhone 3.0 OS. End users can log into the MobileMe portal to invoke Find My iPhone and Remote Wipe commands -- provided that the target is currently Internet-connected and using the SIM originally used to register the device. In addition to mapping device location, the Find command can also display a message and play a sound on the iPhone in hopes of prompting its return.
- The online Profile services included with Palm Pre smartphones can be used by the owner to invoke a remote wipe of SMS messages, which deletes all user data stored on an actively connected device, including files stored when using it as a USB drive. If a lost Palm Pre is later found, files can be restored over-the-air from a previously generated Profile service backup.
- As previously noted, remote lock and/or wipe commands can be initiated by the BlackBerry Enterprise Server or Microsoft Exchange 2003/2007 Server. Small businesses that don't want to install and operate their own servers can purchase these capabilities in hosted services from many sources, including 123Together, ExchangeMyMail, Link2Exchange, Mistral and some wireless carriers. For example, an ExchangeMyMail small business administrator can log into a Web portal, click on any BlackBerry carried by an employee, and invoke the Remote Wipe command.
Some scaled-down remote wipe solutions sacrifice the centralized provisioning and reporting features found in enterprise solutions. But these features may or may not be important to midmarket businesses, depending upon workforce size, industry, reporting requirements and risk tolerance.
Beyond this, consider your technical requirements for remote wipe. Do you need to wipe selected folders and/or removable media, or will wiping the entire smartphone (bricking the device) mitigate your risk? Do you require secure delete (e.g., repeatedly overwriting stored data to prevent forensic recovery)? Do you require positive confirmation (via report or email) that the wipe completed? If a lost smartphone is later recovered, how can you restore an earlier data backup?
Finally, bear in mind that remote wipes -- especially secure deletes -- can take a while to finish. Examine any solution you might be considering to understand what happens if a thief disables the smartphone's radio, removes its SIM card, hard resets the device, tries to uninstall a device-resident agent, or interrupts a remote wipe that is in progress.
A recent Harris Interactive Inc. study, sponsored by Cloudmark Inc., found that security concerns prevented 46% of users from performing sensitive operations on their smartphones. Deploying measures such as remote lock, geo-locating, and remote wipe can help businesses overcome these fears and tap the full value of workforce mobility. As the above examples illustrate, midmarket businesses shouldn't assume they cannot afford such measures. If your company does not already have a smartphone theft response plan, dig into these best practices and put a solution in place before it's too late.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
Send comments on this technical tip firstname.lastname@example.org.
This was first published in July 2009