Opinion: When mobile device management becomes a malware distribution machine

In view of the valuable data collected in MDM systems and their resulting attractiveness to attackers, their use should be weighed carefully, says Janis König.


By Janis König
This article was originally published in German and has been automatically translated.

What comes after centrally managed cell phones? Centrally managed malware! As the capabilities of smartphones continue to grow, they are increasingly used in the places where the most sensitive data lives. It is therefore entirely understandable and sensible to manage and secure these ubiquitous pocket computers properly; anything else would be irresponsible. However, much like Active Directory, mobile device management (MDM) works in essentially the same way as a botnet with a command-and-control server. The only difference is that the central server is trusted, and hopefully worthy of that trust.

An opinion by Janis König

Janis König actually wanted to become a software archaeologist. At intcube, she now realizes her enthusiasm for cryptography, good processes and software architecture. She writes for iX about her ideas for better information security.

The Ivanti MDM solution Avalanche currently seems to be the main focus of security research, following last year's wake-up call when various government organizations were attacked through it. It will certainly not be the last of these products to be affected. Attackers have also realized that while privately administered devices are often vulnerable, they are usually less rewarding targets: highly sensitive data can hardly be tapped in a targeted way, and doing so often even requires physical access.

MDM servers are (ideally) somewhat better secured. At the same time, however, they are a far more rewarding target: whoever hijacks the server inherits extensive access rights to the data that employees can view. In the end, this can mean a higher return on investment (ROI) from the attacker's perspective. With the ever-increasing professionalization of cybercrime, these are hard business facts.

We therefore need to think about when the costs of such centralization projects exceed their benefits. It must be clear that an MDM product in use must be not just "a little more secure" than an individually administered system. Rather, it must be hardened against the potential risk of the entire fleet of mobile devices being compromised at once.

If we want to go one step further, we could even ask whether the kind of centralization that MDMs provide is necessary at all. Or at least whether the complexity of traditional MDMs makes them too large a target, and whether a reduced feature set might not provide far more sustainable security. The history of IT has always alternated between centralization and decentralization: mainframe, PC. Cloud, edge. AI as a service, local open-source models. From a security perspective at least, it is clear that such cluster (concentration) risks need to be thought through carefully.

(pst)