On November 11th, I had the pleasure of interviewing security expert David Kennedy during a live webcast. David is a regular speaker at security events and is famous for co-authoring Metasploit: The Penetration Tester’s Guide and for co-authoring the Penetration Testing Execution Standard (PTES), a framework used by the penetration testing industry. He’s also spoken twice in front of congressional hearings on the subject of network security.

During our 40-minute interview, David had much to say on the subject of mobile security, particularly the ease with which BYOD devices that rely on MDM or containerized solutions can be hacked. Early in the interview, he stated: “I think from a vulnerability perspective, there’s a lot of exposures that happen on devices [that creates a] really big problem for any kind of MDM or BYOD [solution].”

I asked David, “Just how easy is it to hack a smart phone remotely?” To which he replied: “If you look at Google devices, I think pretty easy… Apple has a lot of capabilities built-in that make it much more difficult for exploitation… but it doesn’t mean that there isn’t a huge market out there… to sell these exploits.”

When asked about hacking a device that is physically in the hands of a hacker, David said: “Physical access is always much easier… What most folks don’t realize is that even on iOS… the applications that you download from the app stores, a lot of times they have pretty horrible secure coding practices… these apps themselves are a direct conduit into all the personal information on the device.”

Regular readers of this blog know that I am very critical of the remote wipe instruction as a means of preventing data loss. It is great for satisfying regulations, but ineffective at protecting data from professional hackers. So I decided to ask David directly: “Do hackers fear the remote wipe instruction?” David’s answer: “No, I don’t think so, and especially not from a physical perspective. The first thing that I would do… is put it in airplane mode or… remove the SIM… it is not something a hacker would be concerned with.”

David went on to say: “What most folk rely upon is those protections that MDM has built into the devices, and a lot of the time those don’t have any type of real bearing on how hard it is to really get into the device.”

Obviously these are just a few extracts from an interview that is jam-packed with great information. You can hear the recording of the entire 40-minute interview by clicking here.