MDM gets hacked, users’ iPhones, iPads wiped remotely

One of IT’s security musts became a nightmare in a recent hack – one that has a major company trying its best to find a new mobile device management (MDM) provider. 

Insurance giant Aviva recently had more than 1,000 smartphones and tablets wiped remotely using what appears to be a Heartbleed exploit against its MDM provider, MobileIron.

Users were sent the following message on their devices:

it maks my hart bleed to say good by lik this, love u mobile iron

(All typos, misspellings and grammatical errors are the hackers’ own, for what it’s worth.)

After receiving that message, the phones and tablets were wiped before the MobileIron server itself was taken down. Customer data was supposedly not exposed.

MDM must-have goes wrong

By now, everyone in IT knows that remote wipe capabilities are a must-have for smart BYOD policies. They protect your data from falling into the wrong hands if a device is lost or stolen.

But they’re also extremely unpopular with users. Most aren’t excited about turning over control of all their phone’s data to IT. And in a case like this, where IT wasn’t even the party that wiped it, these provisions are likely going to be less appealing to users.

IT’s not too happy either: If the MDM provider did in fact fall to a Heartbleed exploit, that’s bad news. For the flaw to still be exploitable months after its public disclosure, it must either have slipped past the MDM provider’s notice or proved so complicated to remediate that it still hadn’t been adequately addressed.

Now would be a good time to check with your security vendors to confirm that their own systems have been fully investigated and patched for SSL flaws like Heartbleed. As this case shows, a single unpatched vulnerability can turn into a giant headache and cost.
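A first pass at that vendor check is simply knowing which OpenSSL builds sit in front of your MDM and other gateways. The script below is an added example, not code from this article or from MobileIron or Aviva; it classifies `openssl version` strings against the upstream Heartbleed range (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 onward fixed; the 0.9.8 and 1.0.0 branches never had the bug). The host inventory lines are constructed sample data. A flagged version is a prompt for the question you put to the vendor, not proof of exposure: distribution and appliance builds often keep the upstream version string while carrying a backported fix, or were compiled without heartbeat support, so confirm against the vendor's own advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Matches OpenSSL upstream version strings such as "1.0.1e", "1.0.1",
# "1.0.2-beta1" or "1.0.2h" inside the output of `openssl version`.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Constructed sample inventory (hostname, then the `openssl version` output
# collected from that host). Not real hosts.
INVENTORY = """\
mdm-gw-01   OpenSSL 1.0.1e 11 Feb 2013
mdm-gw-02   OpenSSL 1.0.1g 7 Apr 2014
vpn-edge    OpenSSL 1.0.0k 5 Feb 2013
lb-01       OpenSSL 1.0.2-beta1 24 Feb 2014
legacy-box  unknown
"""


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Return (major, minor, fix, letter, beta) parsed from text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def heartbleed_affected(version_text: str) -> Optional[bool]:
    """True if the upstream release is in the Heartbleed range, False if not,
    None if no version could be parsed.

    Upstream only: a vendor build may keep the affected version string while
    shipping a backported fix, so True means "ask the vendor", not "exploitable".
    """
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        # The 1.0.1 branch only ever used single-letter suffixes, so a
        # string comparison is safe here.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; the final release did not.
        return beta == 1
    # 0.9.8, 1.0.0 and everything from 1.1.0 on never had the heartbeat bug.
    return False


def audit_inventory(inventory: str) -> Dict[str, str]:
    """Map each inventory host to 'AFFECTED', 'OK' or 'UNKNOWN'."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        host = parts[0]
        version_text = parts[1] if len(parts) > 1 else ""
        verdict = heartbleed_affected(version_text)
        if verdict is None:
            results[host] = "UNKNOWN"
        else:
            results[host] = "AFFECTED" if verdict else "OK"
    return results


if __name__ == "__main__":
    for host, status in audit_inventory(INVENTORY).items():
        print(f"{host:<12} {status}")
```

Hosts reported as UNKNOWN deserve as much attention as those flagged AFFECTED: an appliance that will not tell you its TLS library version is exactly the kind of black box the article's vendor question is meant to open.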