Bitglass tracked the personal mobile devices of employee volunteers with mobile device management (MDM) software to understand how MDM could be misused and to assess the true extent of the access employers have to personal data and user behavior.
Researchers configured the MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on the employee devices so the proxy could decrypt SSL traffic. This configuration is common in enterprise MDM deployments, where it is used to inspect traffic for malware, and it enabled the researchers to see the contents of employees’ personal email inboxes, social networking accounts and even banking information.
Once decrypted at the proxy, the usernames and passwords used to log into sensitive accounts, including personal banking accounts, crossed the corporate network in plain text. MDM also gave the team visibility into users’ app downloads and browsing history, which exposed sensitive search queries, including several health-related ones.
Third-party apps were also susceptible to packet sniffing. Even on iOS, where some believe app sandboxing limits employer visibility into user behavior, researchers were able to intercept personal communications sent through widely used apps, including Gmail and Messenger: sandboxing isolates apps from one another on the device, but it does nothing for traffic that leaves the device through a proxy holding a certificate the device has been told to trust.
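The reason the interception described above works, and the reason some apps resist it, comes down to what a client checks when it validates a server certificate. The operating system only asks whether the chain ends in a root it trusts, and an MDM-installed corporate root satisfies that test, so the proxy's minted certificates pass. An app that pins the public key of the server (or its public CA intermediate) rejects the proxy's chain regardless of what the OS trust store says. The following is an added illustration, not code from Bitglass or from any MDM product; the SPKI blobs are constructed placeholders standing in for the DER-encoded SubjectPublicKeyInfo of real certificates, and the function names are ours.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
# In a real client these come from each certificate in the chain the server presents.
LEGIT_LEAF_SPKI = b"constructed-spki: real bank server key"
LEGIT_INTERMEDIATE_SPKI = b"constructed-spki: public CA intermediate key"
PUBLIC_ROOT_SPKI = b"constructed-spki: public CA root key"
PROXY_LEAF_SPKI = b"constructed-spki: bank cert minted by corporate proxy"
CORPORATE_ROOT_SPKI = b"constructed-spki: corporate MDM root key"


def spki_pin(spki_der: bytes) -> str:
    """HPKP/OkHttp-style pin: 'sha256/' + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def os_trust_store_accepts(chain_spkis, trusted_root_spkis) -> bool:
    """Model of ordinary OS validation: the chain is fine if its last cert (the
    root) is in the device trust store. Signature and name checks are assumed
    to pass, which they do for a proxy that mints certs on the fly."""
    return chain_spkis[-1] in trusted_root_spkis


def chain_is_pinned(chain_spkis, pinned_pins) -> bool:
    """Pinning check: at least one certificate in the presented chain must carry
    a key whose pin the app ships with. Pinning the public CA intermediate (plus
    a backup pin) survives routine leaf rotation without weakening the check."""
    return any(spki_pin(spki) in pinned_pins for spki in chain_spkis)


def classify_handshake(chain_spkis, trusted_root_spkis, pinned_pins) -> str:
    """Return what a pinning-aware client concludes about a presented chain."""
    os_ok = os_trust_store_accepts(chain_spkis, trusted_root_spkis)
    pin_ok = chain_is_pinned(chain_spkis, pinned_pins)
    if os_ok and pin_ok:
        return "accept"
    if os_ok and not pin_ok:
        # The OS would let this through, which is exactly the MDM proxy case:
        # a trusted (corporate) root signs a certificate for a site it does not own.
        return "reject: trusted root but unpinned key (possible interception)"
    return "reject: untrusted chain"


# The app ships with pins for the server key and the public intermediate.
APP_PINS = {spki_pin(LEGIT_LEAF_SPKI), spki_pin(LEGIT_INTERMEDIATE_SPKI)}

# Device trust store before and after MDM enrollment adds the corporate root.
STORE_BEFORE_MDM = {PUBLIC_ROOT_SPKI}
STORE_AFTER_MDM = {PUBLIC_ROOT_SPKI, CORPORATE_ROOT_SPKI}

# Chain from the real server versus the chain the corporate proxy presents.
GENUINE_CHAIN = [LEGIT_LEAF_SPKI, LEGIT_INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI]
PROXY_CHAIN = [PROXY_LEAF_SPKI, CORPORATE_ROOT_SPKI]


if __name__ == "__main__":
    for label, chain in (("genuine", GENUINE_CHAIN), ("proxy", PROXY_CHAIN)):
        for store_label, store in (("before MDM", STORE_BEFORE_MDM), ("after MDM", STORE_AFTER_MDM)):
            print(f"{label:8} {store_label:11} -> {classify_handshake(chain, store, APP_PINS)}")
```

Run as a script, the genuine chain is accepted in both trust-store states, the proxy chain is rejected as untrusted before enrollment, and after enrollment it is still rejected, but now only because of the pin: the trust-store check alone would have accepted it. That last row is the gap the Bitglass test exploited, and it is why apps that pin were not readable while Gmail and Messenger traffic was.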
The MDM solutions tested could force GPS to remain active in the background without notifying the user, pinpointing the locations of managed devices in real time while draining battery power in the process. Location data also revealed user habits – where employees went after work, where they traveled on weekends, how frequently they visited their local supermarkets, and more.
“The invasion of privacy by MDM is a key reason that there are two billion mobile devices on the planet, but only a few million devices managed by MDM,” said Nat Kausik, CEO, Bitglass. “IT leaders looking to enable BYOD must focus on a data-centric, agentless approach that respects user privacy.”
According to a recent Bitglass report, 67 percent of employees would participate in a BYOD program if employers could not view or alter personal data and applications. Without a security solution that respects user privacy, employees will simply work around IT. To protect data on unmanaged devices, organizations are now adopting agentless, data-centric solutions that give employees more flexibility without the privacy implications of MDM.