


Senior Staff Writer

Sprint faces backlash for adding MDM to devices without permission

Nov 04, 2015 | 4 mins
Mobile Security, Vulnerabilities

Technician added MDM software to a customer's personal iPhone 6

Mobile Device Management (MDM) functionality is essential for business, but if left unchecked on consumer devices it can pose a risk.

On Wednesday, a Sprint customer discovered an in-store technician adding MDM software to their personal iPhone 6 without prior notice or permission, sparking a heated conversation about privacy and protection.

The customer, Johnny Kim, took to Twitter [archive] with his complaint. In an image posted by Kim, the iPhone clearly shows the installation path of the MDM software via a domain that is owned and operated by Sprint.

When questioned, Sprint’s support staff told Kim that the software helps “skip certain Setup Assistant screens, so users can start using their devices right out of the box.”

The problem with that answer is that consumers can’t skip iOS setup assistance, so it isn’t clear what parts of the setup process the MDM software is bypassing – if any. Later, when pressed for an answer, Sprint’s support told Kim that his iOS device can “be pre-configured to require automatic enrollment into MDM.”

Once more, Kim and several other security experts noted that the device was for personal use, and pointed out that Sprint installed the MDM software without notice or permission. According to Sprint’s own policy, such software can only be installed if the customer asks for it, which Kim did not.

When asked why the MDM software was installed as it was, Sprint told Kim that the software comes pre-installed on the device “so customers who’d like to use it, do not go through the hassle of getting it setup.”

But, once again, the answer from Sprint’s support group doesn’t really answer the question and goes against Sprint’s own policy on such installations. The only reason Kim knew this software was installed against his wishes was because he was watching the technician during setup.

The concept of a carrier like Sprint installing MDM on a personal device is frightening to some security experts, especially when the customer isn’t told about the installation or made aware of the risks that such features have outside of a managed environment.

As things stand, it looks as if Sprint violated their own policy and installed software on Kim’s device that could allow them to control the functionality of the iPhone far beyond normal carrier restrictions and phone modifications.

One expert who commented on the issue told Salted Hash that it’s possible Sprint sees the installation of MDM software as an additional security offering, or perhaps as a means to enable phone location services to the consumer.

Still, even if that were true, it’s against written policy, and such offerings come at the cost of privacy and control over the user’s own devices.

Carrier-installed MDM raises a number of serious security concerns.

During a presentation at Black Hat in 2014, researchers Mathew Solnik and Marc Blanchou highlighted a number of problems – including issues with Sprint’s MDM tools.

Again, MDM software can be useful in a corporate setting. For iOS users, Apple has enabled a number of management and control features that IT teams can use to ensure employees have a clear separation between work and play. Such features include full remote wipe, selective wipe of accounts, apps, and documents, managed accounts and extensions, and over-the-air configuration.

“Corporations who add [MDM] to their devices and disclose it to the users is a common scenario as it helps them keep [control or lock down] the devices,” Solnik said in an interview with Salted Hash.

But a carrier adding MDM and failing to disclose it to the customer is downright dangerous, he added.

“Especially one with the track record of insecure practices Sprint has – this is downright dangerous. But this type of evasive activity appears to be extremely common for Sprint.”

Salted Hash reached out to Sprint for comment earlier in the day, but the company didn’t respond by the time this story went to print several hours later.

If the company offers any additional insight, this story will be updated.