Exchange “remote wipe” is a terrible, terrible bug

Let’s say you know someone who works in a fairly small company. He handles a good amount of off-hours office email but was never offered a Blackberry as these were doled out not according to need but status, for which they quickly became an important symbol. And anyway, this employee didn’t want a crappy Blackberry because he already carried a first-gen iPhone.

At some point Apple added Exchange connectivity and all the cool kids in the company could finally get work email on their phones, just like the important old people. But within a week, the tin-pot dictators in IT discovered this unauthorized bypass of their status-distribution mechanism, googled “how to disable meddling kids’ iphone exchange access” and mashed the right buttons on their keyboards. The unapproved playtime/productivity-time was over.

Years pass. Status symbols change.

Then one day, executives are observed reading their email on company iPads. Vom. But also, ah hah! The access point has apparently been re-enabled. And it has. It works. Hooray.

At the same time, our intrepid off-hours emailing employee is finally replacing that old iPhone. He gets a Samsung Fascinate the first day it’s available, and of course sets it up for Exchange. Nothing seems amiss. A few hours later, the phone–his personal phone–shuts off while in use. When he turns it back on, it’s back to factory defaults. All the settings, apps, and data have been erased. wtf?

From the title of this post you can guess what happened. But if you didn’t know that such a disaster of a “feature” existed, whereby unknown persons can fully erase all data on a computing device once you log into your email account, you’re sure you’ve got a bad phone. It must be some early manufacturing glitch in these new models, and even Verizon agrees. The phone has a “hard reset” feature, but if that’s been activated without prompting, confirming, and double-confirming then something must be sorely wrong with the device. So he goes through the multi-hour hassle of exchanging the phone for a new one.

Next day, new device, same thing. This time the words “remote wipe” are observed in the startup sequence.

Those sons of bitches.

So yeah, this screen exists:

That’s the interface that Microsoft gives troglodyte IT departments to control/destroy their turf, which has silently expanded to include your personal property. Maybe there is also a screen to simply block unapproved devices, which would be the sane way of enforcing the same silly control. But for whatever reason, destroying all data on unknown devices if they show up in the logs is a popular choice among the sadists that most companies employ to keep their computers running terribly:

“My Pre works great with my corporate email but my IT dept won’t approve it for use. Thus every month they send down a remote wipe to all non-approved devices, deleting everything.”

There will always be sadistic dolts in IT. There will always be even more sadistic but less doltish hackers who will gain unauthorized access to company servers and wipe everyone’s phones for fun, because stupid companies have given them this new toy. The companies do not know or care that the same purportedly sensitive data is trivially available from everyone’s laptops, and that laptops are stolen all the time. They’ve replaced one of many attack scenarios with a more destructive one, and they’re too proud to see that their internal memos are not that interesting to anyone else in the first place. (If there is anything incriminating in any email archives, they’ve got bigger problems.)

Since we can’t make other people stop being stupid, we can at least demand that our operating systems tell us when we are giving them write-only, root access to our computing devices. It’s incredible that none of the mobile platforms–not WebOS, Android, or iOS–bother to clue their users in to the ridiculous privilege they are granting by logging into Exchange. (The inventor of this abomination of a feature, Blackberry, was never meant to be configured by mere users. Who knows, or cares, what it does.) It would be trivially easy to implement a warning dialog, or three, explaining the extreme privilege that you are exchanging to be able to respond to your boss’s email on the weekend.

There’s no shortage of trivial and irrelevant “I Agree” buttons we have to click to use ordinary software, but mobile OSes presume to open a software self-destruct backdoor without any notification.

Un-effing-believable.