
MS Exchange “remote wipe” is a terrible, terrible bug - blasdel
http://code.technically.us/post/1109586140/exchange-remote-wipe-is-a-terrible-terrible-bug
======
kogir
Actually, this has existed since exchange integration was first added to
PocketPC (a _long_ time ago). It allows companies to control the security of
_their_ data.

Joining your personal phone to exchange is much like joining your personal
computer to the corporate domain. You don't do it unless you want corporate IT
to administer it and corporate policy allows it.

Edit: I sympathize with people who lost data, and do agree that the phone
should warn you before completing the join. That said, as a business owner, I
only allow exchange (and not POP or IMAP) for exactly this reason. I need to
be able to wipe the company data if a phone is lost, or someone is fired (and
not cooperative), etc. The real world isn't always nice.

Also, the full device wipe is by design, and the feature is called "Remote
_Device_ Wipe." The details can be found here:

<http://technet.microsoft.com/en-us/library/bb124591.aspx>

Note that the storage card is also wiped (where attachments and other
sensitive data may be saved).

~~~
ejdyksen
Correct. Don't blame the feature. It's designed to protect from lost phones.
Not only can IT wipe your phone (presumably at your request), but you can
actually wipe your own phone from Outlook Web Access.

What's interesting is this: the ability to hook up a phone via ActiveSync (the
protocol in question) can be configured _per account_. If IT did not want him
to hook up his phone, they should have not given him those rights. Wiping
devices like this is a bad idea.

But don't blame the feature.

(full disclosure: I work on the MS Exchange team)

------
patio11
Do folks here not work in a regulated industry? We went through a yearly
course on How To Not End Up On Front Page of The Paper For Leaking Customer
Information. One core part of that is putting up with a little hassle with
regards to managing one's cell phone, such as a) not using it for work if at
all possible and b) very carefully regulating what got saved on it if it was
used for work.

(Nobody at my office should have more than "P. McKenzie" and my phone number
saved on their phone. Including full name, email address, a photo, my address,
and the like would give me a cause of action against the company if the phone
was ever lost or if that information were misused.)

A smart device capable of downloading an email attachment could cause a
multi-million dollar incident if it was lost. All it would take is a bug tracking
system report with an attached file showing e.g. the wrong number of lines
printed per page of _radioactively sensitive customer data_.

~~~
wwortiz
> _(Nobody at my office should have more than "P. McKenzie" and my phone
> number saved on their phone. Including full name, email address, a photo, my
> address, and the like would give me a cause of action against the company if
> the phone was ever lost or if that information were misused.)_

That really can give you cause of action against a company?

In a similar matter what if I had all of that information on my personal
phone, am I correct in assuming that it shouldn't give you the right to sue if
that information were released. (As it assumes you either gave me that
information, or it was obtained through you in some way)

And in the case of the email attachment, if you are sending _radioactively
sensitive customer data_ in any way through email isn't that the real problem
and not that the phone could get out.

~~~
tptacek
No, that's not the real problem. The transmission of sensitive information
through corporate email is commonplace. Formally-classified protected
information like HIPAA PI or payment card data shouldn't, of course, be
emailed, but information that can be traced back to PI is sent routinely.

Regardless of whether it should or shouldn't happen, IT controls people have
to assume it will. The contract for syncing with a corporate Exchange server,
in many places, simply requires you to allow your phone to be wiped.

If you don't like it, don't sync with your company's Exchange server. What's
so hard about that?

~~~
hoop
> The contract for syncing with a corporate Exchange server, in many places,
> simply requires you to allow your phone to be wiped.
>
> If you don't like it, don't sync with your company's Exchange server. What's
> so hard about that?

The problem that the posts points out is that there's no warning about this
"contract" whatsoever. No matter what mobile device I've ever used, I have
never, ever had a dialog tell me that by syncing my phone with an Exchange
server I'm letting my company's IT department hold my personal information by
the balls.

Additionally, we're talking about a lack of separation between two entities'
data (personal & company-owned data).

If I had a user access clause for my website, "by accessing content on this
website I am granted full access to indiscriminately wipe any and all data on
your device, belonging to me or not" and was given the capability to do it -
that would be ludicrous. The only difference I see is that I'm not in an
employer relationship with my users. Even still, an employer-employee
relationship with a company does not grant them the right to delete any and
all data on any device of mine.

Also, since we're in HN (startup city, what?) who has ever worked for a
startup that DISCOURAGED working from home on a personal laptop or having
access to email 24x7? I've certainly never worked for one.

~~~
tptacek
We simply disallow people working on company projects with personal equipment.

If I drank enough rye to kill the requisite number of brain cells required for
me to allow people to sync their personal gear with our IT, I'd definitely
tell people "we will be nuking your gear from orbit periodically as a
precautionary measure".

------
Niten
This is one of the reasons I use a third-party app (NitroDesk TouchDown) for
reading Exchange mail on my Android phone. If someone hits "remote wipe" it'll
only delete your Exchange data, the rest of your phone remains untouched.

[http://groups.google.com/group/nitrodesk/browse_thread/threa...](http://groups.google.com/group/nitrodesk/browse_thread/thread/231fc50e6337afe7)

The app doesn't have permission to wipe the entire phone even if it wanted to.

~~~
pclark
Can you store email/attachments/other information outside of the application?
If so that application is a massive security risk.

~~~
furyg3
This is crazy talk.

If it's a major security risk, don't sync it to someone's pocket. By syncing
it to someone's pocket... it's out. Especially if it's on their personal
phone, you can't control what they (or an attacker) will do.

Either that's an acceptable convenience / risk tradeoff, or it's not. If it's
not, you need to focus your efforts on tagging confidential data and keeping
it inside the "walls" of your organization... but that's not a technology
problem, it's a people problem.

~~~
pclark
syncing to someone's pocket is fine if you can remote wipe it

~~~
furyg3
But you can't guarantee that you can wipe it. What if it's not connected to
the 3G network? What if the data has already been pulled off? What if it's
been copied to a memory card on the phone? What if the phone doesn't properly
implement this feature?

~~~
omh
If you're using a Blackberry then you encrypt the entire device. The entire
memory is encrypted with the device password and a wipe is triggered from too
many incorrect passwords.

I don't know if the Exchange devices do the same thing - our company requires
this kind of security, so we still only allow Blackberry.

------
pclark
Uhm. Data loss is a huge deal. HUGE.

This isn't an evil feature. It isn't a pointless feature. In fact it's a
critical feature in the running of an organisation.

Email. Calendar. Address Book. A gold mine of absurdly sensitive data.

If you want corporate email on your phone, expect to have the possibility of a
remote wipe.

It isn't Microsoft's fault that people use it maliciously.

If you ask the user "do you wish to allow administrators to remote wipe your
phone allow/deny?" what do you think they'll click ???

People don't care about data loss. Educate someone on how to not lose data,
then a week later give them a laptop with a password protected screen
saver/login - first thing they'll try to do is remove password.

The amount of company phones I see with no passcode lock is astounding - I can
pick your phone up, forward emails to myself and have all your information.
Bang.

Don't think data loss is a big deal? If you google "PA Consulting" a top link
is how they lost a USB drive.

~~~
blahedo
> _If you ask the user "do you wish to allow administrators to remote wipe
> your phone allow/deny?" what do you think they'll click ???_

They will probably click "deny", and then not be allowed to connect to the
server. Problem solved!

~~~
caf
Exactly. It astounds me how many people are managing to miss this point!

------
raganwald
I'm confused by all the arguments that this feature should exist. Of course it
should exist. Re-read the OP: The bug isn't the remote wipe ability, the bug
is leaving it up to the administrators of the server to decide whether to
inform users that the feature exists.

Google decided to do an end run around Apple's lack of support for push
notifications by making Gmail an Exchange server. Until now, I had no idea
that by going along with this I was granting Google remote wipe privileges on
my phone.

Sure, Google do not appear at this time to want to wipe my phone for any
reason, but how is it that I've been unknowingly trusting them with this
power? This privilege is decidedly non-obvious. When I connect to an email
server I kind of expect that I'm giving someone, somewhere the ability to read
my mail. That's "obvious," and I don't need a warning dialog.

But what is obvious about granting Google the right to erase the pictures I've
taken of my father-son Lego Jawa Sand Crawler project? Or my voice memos? Or
the extensive notes I've been making of design ideas for my Javascript
framework?

Let's stay on topic, folks. The question to be debated isn't whether companies
should have remote wipe privileges, it's whether a device should allow a user
to grant such privileges without putting up a simple warning dialog.

------
xpaulbettsx
If an IT department did this to me without warning, I'd quit _that day_ ,
CC'ing my manager and the IT guy's manager telling them exactly why they'll
now have to spend months finding and training my replacement.

~~~
jodrellblank
I parked my personal car in the company fleet car garage and they clamped it.
I didn't understand what was happening and called the rescue company telling
them it had broken down and wasted lots of time.

This was so unfair I quit _that day_ , causing a dramatic fuss pointing out
exactly how much they'll suffer. That'll show them.

~~~
achille
Imagine today one of your employees quits on the spot, tells you he's quitting
because his car was clamped.

You have no idea who manages the parking lot, but now you just lost a resource
on your project.

How did your manager end up reacting?

~~~
jodrellblank
Not a true story, an attempt to frame the parent post I was replying to in a
different light to show how much of a prima donna overreaction it would be,
and as you say, directed at the wrong people too.

------
ja27
Not sure about other Android versions, but my 2.2 warned me about this when I
set up my Exchange account. It also warns me about this every time it first
connects to Exchange after a reboot.

Not much I can do about it. I more or less trust my IT guys not to be dicks so
I don't lose any sleep over it. But short of carrying two phones, there's no
way for me to separate personal and work devices. I do keep a nandroid backup
on my personal netbook though.

~~~
theBobMcCormick
Vanilla 2.2 on a Nexus One here, no such warning. :-(

------
StavrosK
In defense of this feature, it's very important for when a phone is lost.
However, I agree, deleting peoples' data for reasons other than the device was
compromised is just a sadistic thing to do.

~~~
ams6110
Well, if people are using un-approved personal devices on the corporate
network, it seems there is some fault on both sides. Assuming there is policy
addressing this issue.

~~~
xpaulbettsx
Sure, but you send out an Email warning people first. There's no reason to
wipe people's devices unless they are willfully defying policy, and even then,
you've got a list of the people doing it - just go to their office and talk to
them in person (involve their manager if needed).

Wiping a personal device to "send a message" is passive-aggressive and totally
destructive to morale.

~~~
dedward
It's also quite likely completely illegal - warning or not.

It's a personal device - the company has no rights to it.

~~~
jodrellblank
Then it has no business being borged into the corporate IT system of a company
which demands rigorous enough control of data to use remote device wipe.

------
tomjen3
Bug? No this was done intentionally.

Does anybody know how you disable that "feature"? Preferably in such a way
that it causes maximum harm to the organization that uses it.

~~~
dablya
Don't connect personal devices to corporate exchange?

~~~
tomjen3
Look I have a degree in Computer Science, I wrote software to send the strings
necessary to use IPOP, heck I even memorized the RFC number (1939).

And in all this time, never did I once see anything on that protocol that
could do anything more than download mail and delete the mail you had in your
account.

So I hear about Exchange and figure "oh just another protocol MS came up with,
probably has extensions for calendars and stuff".

Now if I don't know this is going on, how can anybody know?

It would be one thing if the device said "by connecting to this system, you
allow it to remotely wipe this device allow/deny?" but it doesn't.

And that is criminal.

~~~
megablast
No, it is not criminal, it is an essential component of ensuring security in
lost devices. It would be completely useless if it asked if it was ok to wipe
the device.

If you are unable to understand that Microsoft added a lot of stuff to the
exchange protocol, and this is one of them, perhaps you are in the wrong
field. This is not top secret information, it has been around since Windows
CE, and is requested by all big businesses.

~~~
extension
It's my phone, my property. Nobody gets to access it without my permission,
period. If someone sneaks a back door onto my phone, that is criminal.

If experienced developers don't know about this feature, there is no earthly
way that the average user can be considered to have consented to access.

My boss can't kick down my door and ransack my house to find secret documents
he gave me. If I violate my NDA, he can seek to remedy that in civil court.

~~~
jodrellblank
_It's my phone, my property. Nobody gets to access it without my permission,
period._

And by connecting to ActiveSync you are telling your phone to "do ActiveSync
things" and that includes letting it push policies such as "require a
PIN/Password" and "be erased when needed". That you didn't know it meant that
is not really grounds for saying it's criminal or whatever.

Hey, you know one earthly way you could know about this feature? Asked. "Hey
IT people, can I connect my home phone to my work email? What should I know?".
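An added, simplified model (written for this page, not code from the thread, Microsoft, or any device vendor) of the policy push described above: the client enrolls only after the user accepts the offered policy, and a queued wipe can be scoped to the account's data or to the whole device. The command names `Provision` and `RemoteWipe`, the policy fields, and all sample data are constructed; the real ActiveSync wire format is not modelled.

```python
"""Simplified model of ActiveSync-style provisioning and remote wipe.
Constructed example; not the real EAS protocol (which is WBXML over HTTPS)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    require_pin: bool = True          # "require a PIN/Password"
    allow_remote_wipe: bool = True    # "be erased when needed"


@dataclass
class Device:
    device_id: str
    personal_files: set = field(default_factory=set)   # photos, notes, memos
    exchange_data: set = field(default_factory=set)    # mail, calendar, attachments
    pin_set: bool = False
    policy_key: str = ""              # empty until the user accepts the policy
    wiped: bool = False


class Server:
    """Server side: issues a policy key and queues wipes for enrolled devices."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.issued: dict[str, str] = {}     # device_id -> issued policy key
        self.pending_wipe: set[str] = set()

    def provision(self, device_id: str) -> dict:
        key = f"key-{device_id}"             # constructed; real keys are opaque
        self.issued[device_id] = key
        return {"cmd": "Provision", "policy": self.policy, "policy_key": key}

    def request_wipe(self, device_id: str) -> None:
        self.pending_wipe.add(device_id)

    def sync(self, device_id: str, policy_key: str) -> dict:
        # A client that never echoed back the key is not enrolled: no mail, no wipe.
        if not policy_key or self.issued.get(device_id) != policy_key:
            return {"cmd": "Provision", "status": "policy_required"}
        if device_id in self.pending_wipe:
            self.pending_wipe.discard(device_id)
            return {"cmd": "RemoteWipe"}
        return {"cmd": "Sync", "items": {"mail-1", "attachment.xlsx"}}


def join(device: Device, server: Server, user_accepts: bool) -> bool:
    """Client side: show the policy and keep the key only if the user consents.
    Declining means the device is never enrolled, so it also never syncs."""
    offer = server.provision(device.device_id)
    policy: Policy = offer["policy"]
    if policy.allow_remote_wipe and not user_accepts:
        return False
    if policy.require_pin:
        device.pin_set = True
    device.policy_key = offer["policy_key"]
    return True


def sync_once(device: Device, server: Server, wipe_scope: str = "device") -> str:
    """One sync round. A queued wipe is honoured at the requested scope:
    'account' clears only Exchange data, 'device' clears personal data too."""
    resp = server.sync(device.device_id, device.policy_key)
    if resp["cmd"] == "RemoteWipe":
        device.exchange_data.clear()
        if wipe_scope == "device":
            device.personal_files.clear()
        device.wiped = True
        return "wiped:" + wipe_scope
    if resp["cmd"] == "Sync":
        device.exchange_data |= resp["items"]
        return "synced"
    return resp["status"]
```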

------
avar
So to connect to an Exchange server in iOS, Android or WebOS you have to give
the server root on your phone? What sort of crazy security policy is that?

~~~
mike-cardwell
Just use IMAP instead. There's no remote wipe protocol in IMAP.

~~~
CallumJ
That's if the Exchange server hasn't been configured to ONLY allow ActiveSync
connections.

------
Poiesis
I had no idea there were so many people unfamiliar with secure networks.
Anyone who is anywhere near U.S. govt classified networks knows that if they
hook up their device up to one of them, they will be lucky to get their
equipment sans storage media--and quite likely delivered with a pink slip.

Corporations may not have national security in mind when they protect their
data but _to them_ their data is every bit as important.

What I want to know is, can Google wipe my iPhone if I have Exchange synching?
Looks like that's a "yes". How about an option to wipe my device, myself?
Wouldn't mind getting that without paying for Mobile Me.

~~~
omh
I believe that Google Apps now supports remote wipe
([http://www.google.com/support/a/bin/answer.py?hl=en&answ...](http://www.google.com/support/a/bin/answer.py?hl=en&answer=173390)),
but you need to pay for a premier account. A better deal than Mobile Me, if
that's all that you want.

------
16s
He blames the remote wipes on the local IT guys. Calls them sadists. But I
bet they are just doing what their corporate policies _require_ them to do.
The policies are written by the suits in management, not the local IT guys. If
you want to bitch, bitch at them.

~~~
tomjen3
Why not just bitch at them both? And then call the police on the IT guys,
since they just hacked your device.

Doing your job isn't an excuse.

~~~
megablast
As far as they knew, someone was hacking their servers, downloading
unauthorized emails. This is completely what you would expect them to do.

The fact you can't see this, and change your world view to understand what is
really going on, suggests that you are very young and being unreasonable.

~~~
rbanffy
> This is completely what you would expect them to do.

And, sure, they expect evildoers to be using software that honors a
remote-wipe command. Yeah, right.

------
jey
Is the "remote wipe" command really supposed to delete all the data on the
device? It sounds to me like it's meant to erase just the data associated with
the Exchange account, but that the implementors misinterpreted it to mean
"erase the whole volume".

~~~
jackvalentine
Yes, because once things hit your exchange account they can leak all over the
phone. Attachments stored on its flash storage/SD card and the like.

------
arethuza
Maybe it's because I've had a reasonable amount of exposure to the security
measures taken by large companies (and the associated unpleasant legal
measures that can be taken) but I follow these rules:

- No corporate data on personal devices (not even email)

- I expect to be given a work smartphone

- I use my own phone and iPad for personal stuff

- Assume that anything you do through a device attached in any way (even a
VPN) to a corporate network may have _everything_ you do monitored

Of course, these rules apply mostly when you are working for a large company,
but even when you are in a startup you occasionally may have to work at a
client site - and often these _are_ large corporates.

------
kuahyeow
At first read it seems like a normal, in fact, useful feature, but the key
line is this:

"When he turns it back on, it’s back to factory defaults. All the settings,
apps, and data have been erased. wtf?"

Major case of Exchange over-reaching and wiping more than just Exchange data!?

~~~
jackvalentine
As has been said elsewhere in the comments, it overreaches because once that
data hits your phone it can leak in to other applications, the phone can store
attachments on its flash storage or the SD card, etc.

------
runjake
This is a feature, not a bug. If you don't want your personal device to fall
under your organization's security policy, don't connect it to your
organization's Exchange (or any other) servers.

It's saved our bacon in regards to stolen devices a few times.

------
eitally
The problem is that right now there aren't granular enough controls of remote
devices to allow people to adequately differentiate between approved ones and
illicit ones. The fault lies on both the side of the client device software
and the server side software.

The same goes for Gmail (Google Apps Premium Edition only) and Android (or
anything else using Google Sync). You can enable/disable IMAP & POP for the
domain and if you enable it you open the floodgates. You can selectively
enable/disable users via API but they can toggle it back on their own. If you
setup Google Sync instead of IMAP/POP you can remotely wipe devices but you
can't do anything except wipe everything and there is no inbuilt method to
notify the user first.

Exchange, as described in the blog post, is equally bad. I'm confident things
will improve in 2011 but it's unpleasant right now. The best thing companies
can do is to set a clear policy on what's allowed and what isn't based on
their data security needs, and never violate the users' trust.

~~~
lovskogen
So even using a GMail account on my iPhone will allow someone (Google) to
remote wipe?

------
dtsingletary
One point not being made here is that nearly every wireless carrier requires
you to add an Enterprise Data Plan to your service in order to use an Exchange
connector. AT&T requires this with the iPhone. Verizon, T-Mobile, etc. all
require it for the Blackberry. I haven't heard of a single device/provider
that doesn't require an elevated service level to allow for enterprise mail
access.

So there's a security by obscurity to start with: the average user doesn't
know to ask for the Enterprise plan, let alone what Enterprise even means in
context. So the scenario here requires that a) the salesman talked them into
it, b) they bought into that service for the extra $15 on top of the data
plan, or c) they consulted with the company's IT department or policies and
knew they had to get that service. If they didn't, they simply cannot connect
to the Exchange account. There's very little "oops, I didn't know what I was
doing" here. I hope that most companies have a clear policy against checking
your work e-mail from personal devices, and on your own time. There are legal
implications for overtime pay. We may look the other way in startups, but this
can't always be done.

Most law firms require this, unilaterally. It's part of the deal-- we'll pay
your enterprise data plan in exchange for knowing that we may wipe the device,
control which apps you can install [this is another can of worms], so on and
so forth, per the requirements of malpractice insurance and data security.

In a perfect world this wouldn't be required, but I think we all know this
can't possibly be the case in many industries.

~~~
Lazlo_Nibble
Ugh--sorry for the inadvertent downvote. My bad.

~~~
v21
I upvoted to cancel you out.

~~~
dtsingletary
I get the point the guy was making, but it seemed a little dickish. Thanks.

------
kabdib
I once lost my phone, with work email on it. I used the remote wipe as soon as
I knew the phone wasn't coming back.

Someone had gone to the trouble of keeping the phone charged; it got the wipe
a good 24 hours after the battery should have died.

I was very, very happy the facility was there.

------
extension
Can someone confirm that the remote wipe actually works as described on each
mobile OS? And that it can be done through a Google domain just by using their
sync feature with a company account?

~~~
jodrellblank
This is remote wipe as used by Microsoft Activesync and mobile OS's which
support Activesync (Windows Mobile, iOS and Nokia with third party
extensions). What do Google domains have to do with it?

~~~
rdouble
Google for Domains uses Activesync to do push email.

~~~
jodrellblank
Ahh.

------
T_S_
Seems like we need something like vmware on phones. Then I can run the
company's phone on my device. They can wipe, er, administer it any way they
must. And I can still have one phone.

~~~
timthorn
You appear to be talking about ARM's TrustZone technology.

~~~
T_S_
I'm not. I'm just a dumb user waiting for my data to be unexpectedly wiped.
Thanks for the pointer. What does it do?

------
JohnnyBrown
So, is there a way to safeguard against this? I assume when I connect to an
exchange server at home it doesn't have root access to my laptop, right?

~~~
raganwald
Amazed your question doesn't have upmods, it's very original.

Can my personal laptop be remotely wiped if I connect my email client to an
exchange server? If not, why not? It seems to me that a laptop is even more
likely to leak sensitive information out of email, like spread sheets and word
documents.

------
omh
I'm a sysadmin at a place that wants this sort of protection, and historically
we've only used Blackberries. Now that lots of people have iPhones, I'm
explaining the "remote wipe" situation pretty often.

The best compromise I have at the moment is an iPhone optimised web interface.
This lets you get your emails on the device without (much) danger of them
ending up saved there.

------
funkdobiest
So our company will not let iPhones connect to the Exchange servers from
outside the corp firewall. Solution: Set up a separate mailbox on an external
web host and use an exchange rule through Outlook to redirect emails to that
address, all the while filtering for things like confidential or classified
documents, and check the mail from my phone.

------
yason
What is the offending module or piece of software on, for example, Android
that does this? If it's an Exchange specific thing and works on many phones,
why does it come preinstalled with root access and can I just disable or
enable Exchange support to be sure nobody ever nukes my phone?

------
lurkinggrue
This person seems to have issues.

------
napierzaza
I work in IT and my boss is precisely like this. We don't manage mobiles but
wireless. He's talked about scanning the multi-campus network to find
unauthorized microwaves that he can have removed.

Because of course, it might cause _some_ interference for 30 seconds at a time
right? Yeah.

~~~
dedward
If you are in the US, it's likely illegal for your boss to try to regulate
microwave ovens based on causing wifi interference - that's solely the job of
the FCC.

The regulations that allow the use of 2.4Ghz ISM band require you to accept
that interference....

~~~
jonknee
... Not if the microwaves are in your control. You can certainly police
microwaves on your own campus. (Not that this is an intelligent idea.)

~~~
winthrowe
<grumble>I think it's an intelligent idea if you're providing blanket coverage
and idiots are setting up their own linksys's that can't even dhcp on due to
mac filtering. </grumble>

~~~
jonknee
What does that have to do with hunting down microwave ovens?

