Watchcom did an analysis of iPad2 (iOS 4.3.5), Acer Iconia Tab A500 (Android 3.0.1) and the BlackBerry PlayBook (OS 1.0.7), looking at security features such as:
- Encryption & communication
- Blocking various features
- Secure sync of critical applications
- Administration and policy
- Application security
- Security extensions
I think their PDF files with the evaluation criteria and the point scale (1-3) should be fairly easy to understand, even though they are written in Norwegian.
As for my comments: I am surprised both that the media did not ask any of the obvious critical questions about this evaluation, and that Watchcom seemingly said nothing about the limitations of their evaluation.
A few comments from me that organisations should consider before making a decision and a purchase:
1. iPad (iOS) security
Using the Elcomsoft iOS Forensic Toolkit, any 4-digit PIN on an iPad (or iPhone) can be brute-forced in under an hour. The default security parameters in iOS and Microsoft ActiveSync result in a 4-digit PIN, although options are available for requiring longer PINs and/or complex passwords.
While a 4-digit PIN will protect your data from casual prying eyes (random theft or loss of your device), an organised and targeted attack will most likely succeed at a rather low cost compared to the value of the data possibly stored on the device. I'll leave it to you to do the risk analysis, including the value of the data stored on the device, such as the Exchange calendar (with telephone conference numbers and access codes), meeting attachments (Word, Excel, PowerPoint and PDF files) and more.
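To put numbers on the trade-off between passcode policy and the time an attacker has, here is an added example (not from the original post, from Watchcom's report or from Elcomsoft). It takes the quoted figure, the whole 4-digit space in under an hour, as the attack rate, assumes exactly one hour and no slowdown from the device's own failed-attempt counter (an offline or below-the-UI attack is the whole point of a forensic toolkit), and compares how long longer PINs and alphanumeric passwords hold out against the window you have to notice the loss and get a remote wipe through. The policy names, the `window_seconds` parameter and the eight-hour figure are assumptions for illustration, not defaults from any product.

```python
import string

# Attack rate implied by the figure quoted above: the whole 4-digit PIN
# space in under an hour. Assumption for this example: call it exactly one
# hour, i.e. about 2.8 guesses per second. The model also assumes the
# attacker is not slowed down by the device's failed-attempt counter.
FOUR_DIGIT_SPACE = 10 ** 4
GUESSES_PER_SECOND = FOUR_DIGIT_SPACE / 3600.0

# Character sets a passcode policy can require (names are our own labels).
ALPHABETS = {
    "digits": string.digits,                                   # 10
    "lower": string.ascii_lowercase,                           # 26
    "alnum": string.ascii_letters + string.digits,             # 62
    "alnum+symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(length, alphabet):
    """Number of distinct passcodes for a policy (exact length, charset)."""
    return len(ALPHABETS[alphabet]) ** length


def seconds_to_exhaust(length, alphabet, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate has to be tried."""
    return keyspace(length, alphabet) / rate


def expected_seconds(length, alphabet, rate=GUESSES_PER_SECOND):
    """Average case: the right passcode turns up halfway through the space."""
    return seconds_to_exhaust(length, alphabet, rate) / 2


def survives_window(length, alphabet, window_seconds, rate=GUESSES_PER_SECOND):
    """True if, on average, cracking takes longer than the time you have to
    notice the loss and get a remote wipe through to the device."""
    return expected_seconds(length, alphabet, rate) > window_seconds


def compare(policies, window_seconds, rate=GUESSES_PER_SECOND):
    """One row per (length, alphabet) policy, for a given reporting window."""
    rows = []
    for length, alphabet in policies:
        rows.append({
            "policy": f"{length} x {alphabet}",
            "keyspace": keyspace(length, alphabet),
            "expected_hours": expected_seconds(length, alphabet, rate) / 3600,
            "survives": survives_window(length, alphabet, window_seconds, rate),
        })
    return rows


if __name__ == "__main__":
    # Assumed window: eight hours from loss to a wipe command reaching the device.
    EIGHT_HOURS = 8 * 3600
    policies = [(4, "digits"), (6, "digits"), (8, "lower"), (8, "alnum")]
    for row in compare(policies, EIGHT_HOURS):
        print(f"{row['policy']:<18} {row['keyspace']:>20,d} "
              f"{row['expected_hours']:>14.1f} h  survives window: {row['survives']}")
```

The point the table makes is that the 4-digit default loses against any realistic reporting window at this rate, a 6-digit PIN already moves the average into days, and an 8-character alphanumeric password is out of reach of pure brute force; what actually protects you is whichever of the policy and the reporting time is weaker.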
With Apple and iOS so obviously in the lead above all else, there's no doubt they will draw even more attention to their security - or lack of it - in the very near future. From my perspective they really don't have much of a reputation so far for discussing, disclosing and admitting security bugs and weaknesses. That is usually not a good sign to me, but I won't go into the full open vs. responsible vs. closed disclosure discussion here.
2. Remote device management security
Remote wipe, as well as a wide range of other security features, actually requires the tablet to connect over WLAN or GSM/3G in order to "phone home" and receive instructions such as "this device has been lost or stolen; wipe its entire contents and reset it to factory defaults".
While operating a GSM/3G jammer is illegal here in Norway, one can still be obtained for pocket money from other countries. It will effectively block such communication, preventing any remote wipe command from ever reaching the device. All this, of course, in cases where the attacker can't simply remove the SIM card from the device. :-)
A simple Faraday cage will additionally block any WLAN connection, easily giving an attacker more time to break the security of the device and gain access to the information on it. Evaluating your employees' ability to actually report lost or stolen devices is therefore of high importance, as the time needed for a successful compromise of your device could be as little as an hour or less. (This is something I will blog and talk more about in the near future.)
3. The gaping password hole left by Microsoft ActiveSync
Yes, I know I am a fanatic on passwords. I took the red pill a long time ago on this, and it keeps expanding. When you configure ActiveSync on your smartphone or tablet, the default configuration is to use an SSL (https) connection to a web server that also provides Outlook Web Access (OWA). The default login there is the username and password from the internal Active Directory, with whatever password policy you have configured in your domain. Again, the default is nowhere near good enough in this situation either.
While many discussions have been raised about the security of syncing and storing ActiveSync data (contacts, calendar, mail), I haven't seen much talk about the fact that such a configuration opens up single-factor password guessing (or pure brute-forcing) against OWA from the Internet. As I have said before, like many others who are "excessively" interested in passwords: allowing single-factor access to internal systems from the Internet is generally no longer a good idea. In fact, many security policies of large organisations disallow it.
From an attacker's perspective: why waste time tracking down your CEO in order to steal or "borrow" his or her tablet for a few hours, when finding the CEO's username and guessing the password directly against https://webmail.some.domain can be even faster and easier?
(Yes, Watchcom, I already know that you provide solutions for VPN access and two-factor authentication to secure this. I have yet to see any evidence of acceptable usability for it. :-) )
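If single-factor OWA and ActiveSync stay exposed, the least you can do is notice the guessing. Here is an added example (not from the original post, from Watchcom or from Microsoft) of that detection run over IIS logs from the Exchange client access server: it parses the W3C extended format using the `#Fields:` header, counts 401 responses per source address on the OWA and ActiveSync paths inside a sliding window, and additionally flags a 200 that follows such a burst from the same source, which is the "guessed it" case. The log lines are constructed for this example, with addresses from documentation ranges; the threshold and window are assumptions. Caveat: this models Basic/NTLM authentication, where a failure is a 401; with OWA forms-based logon a failed attempt shows up as a redirect back to logon.aspx instead, and the rule would have to key on that.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C extended log sample for this example (not real traffic).
# One source guesses five times against /owa/auth.owa and then gets in; a
# tablet does the normal single 401 -> 200 Basic-auth dance on ActiveSync.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-09-19 08:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 401 1 0 12
2011-09-19 08:00:04 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 401 1 0 9
2011-09-19 08:00:07 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 401 1 0 11
2011-09-19 08:00:10 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 401 1 0 10
2011-09-19 08:00:13 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 401 1 0 12
2011-09-19 08:00:16 10.0.0.5 POST /owa/auth.owa - 443 CORP\\ceo 198.51.100.23 Mozilla/5.0 200 0 0 140
2011-09-19 08:02:30 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.9 Apple-iPad/Example 401 1 0 8
2011-09-19 08:02:31 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 CORP\\alice 203.0.113.9 Apple-iPad/Example 200 0 0 25
2011-09-19 08:05:00 10.0.0.5 GET /owa/ - 443 - 192.0.2.77 Mozilla/5.0 401 2 5 7
"""

# Paths where a 401 means a credential was rejected (compared lower-case).
AUTH_PATHS = ("/owa/", "/microsoft-server-activesync")
FAIL_THRESHOLD = 5          # assumed: failures from one source inside the window
WINDOW = timedelta(minutes=10)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of raising on them
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def on_auth_path(rec):
    return rec["cs-uri-stem"].lower().startswith(AUTH_PATHS)


def detect(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, source-ip, detail) alerts. 'guessing' fires once when a
    source reaches `threshold` 401s inside `window`; 'success-after-failures'
    fires when a 200 follows such a burst from the same source."""
    recent = defaultdict(deque)   # c-ip -> timestamps of its recent 401s
    flagged = set()
    alerts = []
    for rec in parse_w3c(text):
        if not on_auth_path(rec):
            continue
        ip, ts, status = rec["c-ip"], rec["ts"], rec["sc-status"]
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if status == "401":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("guessing", ip, f"{len(q)} auth failures within {window}"))
        elif status == "200" and len(q) >= threshold:
            alerts.append(("success-after-failures", ip,
                           f"user {rec['cs-username']} logged in after {len(q)} failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:<24} {ip:<16} {detail}")
```

The threshold matters: a single 401 followed by a 200 is what every Basic-auth client does on its first request, so a threshold of one would page you for every tablet that syncs. In production you would key on the Exchange CAS logs and feed the source addresses to a lockout or rate limit in front of OWA rather than print them.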
4. Android vs Android security
Watchcom has tested the Acer Iconia Tab A500 with Android 3.0.1. Fair enough.
I've got a Samsung Galaxy S II smartphone, featuring on-device hardware encryption of both the internal storage and the inserted memory card. According to Samsung's marketing, it supports more ActiveSync policies than any other product on the market (or something like that). I am working on verifying that, but at least it seems to work. The same applies to the Galaxy Tab tablets, as well as other tablets now available in the stores.
I would say that Watchcom should consider updating their report ASAP with at least one or more Android-based tablets from other vendors, say Samsung and the Lenovo ThinkPad, where the ThinkPad is specifically targeted at corporate business use.
As for the media: did you ask anyone to comment on or question the findings from Watchcom? I'd sure as h**l appreciate it if you continue doing that every time you quote me on anything, thank you. :-)