Security "Bits"

6 ways MDM can be misused

By Salim Hafid | July 5, 2016 at 10:30 AM


MDM adoption is stalling due to privacy concerns and the growing availability of agentless mobile solutions. While many employees understand that device management provides some visibility and control over their personal mobile device for security purposes, most are not aware of the extent to which MDM software can be misused.

These are just a few of the capabilities we uncovered in our MDMayhem experiment:

1 - MDM allows for real-time location tracking in the background, without notifying the end-user. While intended to provide some recourse if a device is lost or stolen, such tracking can be incredibly invasive.

2 - On personal devices, employees often install apps related to hobbies or upcoming vacation plans. While not at all relevant to IT, mobile device management provides visibility into which apps are installed on employees' devices - another invasive capability.

3 - Built into every MDM solution is the ability to control every aspect of a mobile device and potentially restrict key features of a device. Restricting the ability to create a backup of personal photos and videos, for example, can result in the loss of personal data.

4 - The ability to see and control laptops and desktops has long been a concern, often misused by hackers and other malicious actors. Unfortunately, mobile device management software has brought this capability to select mobile phones and tablets. While IT admins occasionally need access to devices, complete control is ripe for misuse.

5 - Turns out mobile device management can force a device to always connect to a global proxy or VPN, forcing all traffic - personal and corporate - through the corporate network. Such a policy, used in many organizations, can be used to capture all packets and monitor browsing activity, including the contents of personal messages. 

6 - The most startling capability of MDM is the ability to capture user passwords. By pushing a custom certificate onto mobile devices and routing all traffic through a VPN, a malicious individual can use MDM to see usernames and passwords in plain text.
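Items 3, 5 and 6 can be checked from the device owner's side by inspecting the configuration profile an MDM server installs. The following is an added example, not code from the report: it assumes an Apple device and an unsigned `.mobileconfig` plist, and the function name `audit_profile` and the sample profile are constructed for illustration.

```python
import plistlib

# PayloadType values from Apple's configuration profile format that map to
# items 3, 5 and 6 above (restrictions, forced routing, added trust anchor).
PROXY = "com.apple.proxy.http.global"
VPN = "com.apple.vpn.managed"
ROOT_CA = "com.apple.security.root"
RESTRICTIONS = "com.apple.applicationaccess"

def audit_profile(raw: bytes) -> list[str]:
    """Return privacy-relevant findings for one unsigned profile plist."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    types = {p.get("PayloadType") for p in payloads}
    findings = []
    for p in payloads:
        ptype = p.get("PayloadType")
        name = p.get("PayloadDisplayName", "(unnamed)")
        if ptype == PROXY:
            findings.append(f"global-proxy: {name}")
        elif ptype == VPN:
            findings.append(f"vpn[{p.get('VPNType', 'unknown')}]: {name}")
        elif ptype == ROOT_CA:
            findings.append(f"root-ca: {name}")
        elif ptype == RESTRICTIONS and p.get("allowCloudBackup") is False:
            findings.append(f"backup-disabled: {name}")
    # Item 6: a pushed trust anchor plus forced routing is the combination
    # that lets the network operator decrypt TLS traffic.
    if ROOT_CA in types and types & {PROXY, VPN}:
        findings.append("HIGH: root CA + forced routing enables TLS interception")
    return findings

# Constructed sample profile, built inline so the example runs offline.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed corporate profile",
    "PayloadContent": [
        {"PayloadType": VPN, "VPNType": "AlwaysOn", "PayloadDisplayName": "Corp VPN"},
        {"PayloadType": ROOT_CA, "PayloadDisplayName": "Corp Root CA",
         "PayloadContent": b"constructed-placeholder-not-a-real-cert"},
        {"PayloadType": RESTRICTIONS, "allowCloudBackup": False,
         "PayloadDisplayName": "Restrictions"},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print(line)
```

A signed profile has to be unwrapped from its CMS envelope before `plistlib` can parse it.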

Check out the full report to learn how MDM can be misused to expose personal data and what alternatives exist to protect mobile data without major privacy issues.
