The iPads of the Spanish members of parliament

A few weeks ago we saw in the Spanish media a story that couldn’t go unnoticed [1] [2] [3] [4] (Spanish press). The news said that 20 Spanish members of parliament had lost the iPad that at the beginning of the current term of office —less than a year ago— they had received for their work. Leaving aside the controversy about the need of this tool and the responsibility that these members should have with a corporate device, let’s get into what concerns to us: security.

As anybody knows, an iPad can be used to store documents, emails, phone numbers, schedules, etc., tipically information that can be considered sensitive for an organization and in this case for the Spanish State. I would like to think that these devices had different security measures in place, such as control access with password, encryption, blocking and even deletion of the stored information after several failed access attempts, etc. All that, in addition to the appropriate measures to remotely lock and erasing its contents remotely.

However, that’s what I would like to think, because some media information points recently that these devices did not even had activated the tool “Find my iPad“, which can be installed on devices with iOS and makes it possible to lock, erase and locate the device remotely. Ok, devices are lost and we can’t get them back. So, what information did contain these devices? Did they contain confidential information?

As any other organization the Chamber of Deputies should have a policy of acceptable use of the devices that each member of parliament should sign after receiving the corporate devices. Furthermore the service, area or department competent to technological matters should take the appropriate measures to avoid that in the event of a loss anyone could access the information stored in the device, even when such controls conflict with the reluctance of the members (we all know “the user”). Looks like we will never know which information contained those devices, not even the security measures applied, but I would like to think that the information wasn’t important or confidential and that the recommendations S2 Grupo did some time ago (you can check the original information in Spanish at S2 Grupo webpage) had been implemented:

(As the original recommendations are based in the Spanish version of iOS, some paths may differ from the English version)1. Typing the PIN
This security measure is the only one that isn’t technical; when typing the access PIN we must avoid that this key can be envisioned by a third party. In order to avoid shoulder-surfing attacks and PIN disclosure, we must proceed as we do when we get money from an ATM. The PIN is the key to our device, we have to protect it.

2. Upgrade the operating system
It is necessary to apply any available system update from the manufacturer.
How: in Settings/General/software update you should get the message “the software is up-to-date“.

3. Access control
It is necessary to use a PIN to access the device.
How: in Settings/General/lock with code must select the access code to the device.

4. Self-locking
The device must lock automatically after five minutes of inactivity.
How: in Settings/General/auto lock parameter value must be ‘5 minutes’.

5. Grace period for lock
The device must not have grace period for access without a key.
How: in Settings/General/lock with code “prompt” must have the value “Immediately“.

6. Photo frame
The use of the device as a photo frame without the need of password should not be allowed.
How: in Settings/General/lock with code option “Photo frame” must be “Disabled“.

7. Deletion after failed access attempts
The device should be automatically wiped after 10 failed access attempts (please be careful with this specially if children or any other “authorized” people can try to access your device).
How: in Settings/General/lock with code the option “Erase data” must be “Enabled“.

8. Data protection
If you set an access code, the device encrypts all the information with a key derived from the access code.
How: in Settings/General/lock with code should display the message “data protection is enabled” at the bottom of the window.

9 Bluetooth
We must activate Bluetooth only when we needed and disable it otherwise.
How: in Settings/General/Bluetooth must fix the ‘NO’ option.

10. Navigation
Fraud notification must be enabled so when accessing potentially harmful pages, the device locks them automatically.
How: the option Settings -> Safari -> notice of fraud must be “Activated”.

This is all for now. Have a nice weekend!