MDM mayhem? New privacy fears raised over BYOD management

Security shouldn't ride roughshod over employees' privacy

Mobile device management (MDM) is, of course, a vital part of many organisation's security strategy with the rise of BYOD, but there's a flipside to this software with new research pointing to just how intrusive MDM can be when it comes to riding roughshod over employees' privacy.

This is according to Bitglass, a data protection outfit which carried out an experiment entitled 'MDMayhem' whereby it tracked the mobile devices of several volunteer employees using MDM software in a bid to see how far they could push in terms of compromising user privacy.

Bitglass notes that the MDM software was configured to install a security certificate to the devices and all traffic was routed through a corporate VPN, meaning the researchers could decrypt SSL traffic. This is a common setup with MDM to allow for the likes of sniffing out malware and similar dangers.

Privacy? Don't bank on it

The guinea pig users were tracked with this setup for a week, and the Bitglass researchers were able to view the staff members' personal email inboxes, social media accounts, and even username and password details used to login to sensitive accounts such as online banking. These login details were sent through the company network in plain text, too.

The software also allowed for the perusal of browsing history (and things like product searches on Amazon) alongside search queries, with the latter involving some health-based searches, another telling privacy infringement.

The researchers also said that communications sent by third-party apps could be intercepted, even on iOS where app sandboxing should theoretically help to protect privacy. Bitglass said it was able to read personal messages sent via Gmail and Messenger on iOS.

Furthermore, the MDM software could forcibly turn on GPS with a mobile device, without the user's knowledge, enabling the tracking of the employee's movements, not just inside but also outside of work time.

All this adds up to a very concerning level of privacy infringement. As Bitglass observes: "Without a security solution that respects user privacy, employees will simply work around IT." And in that case, nobody wins.

Via: Betanews