A user may handle sensitive data on unmanaged consumer devices, such as personal cell phones, tablets, and mobile computing devices. As a result, a lost or misplaced device may disclose sensitive data. A corporation may counteract this by deploying a security policy before allowing consumer devices to access corporate email. The security policy may establish user accounts with a maximum number of unsuccessful login attempts before the data is made inaccessible, for example by executing a “wipe” of the data. However, an attacker may acquire an unlimited number of password guesses by using a replay attack.
In a replay attack, an attacker may capture a device in a pre-wiped state and copy any relevant data from the hard disk, such as the encrypted components. The attacker may then attempt to log in as the user. Before a wipe occurs, the attacker may restore the disk to its previous state, effectively returning the device to a “pre-wipe” condition. This grants the attacker additional attempts to guess the password. Alternatively, the attacker may restore the disk to the previous state after each password attempt.
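As an added illustration, not part of the original text, the following toy Python model shows why a lockout counter that lives on the same disk the attacker can image gives unlimited guesses, and why the limit only holds when the counter is kept in state the attacker cannot roll back. The Disk and Counter classes, the constructed passwords, and the external "rollback-proof" counter are assumptions for the simulation, not a description of any particular device.

```python
import copy
import hashlib
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS, KDF_ITER = 3, 20_000  # policy: wipe after 3 failures; toy KDF cost

@dataclass
class Counter:
    failed: int = 0

@dataclass
class Disk:
    """What an attacker can image and restore: the verifier and, naively, the counter."""
    salt: bytes
    verifier: bytes  # emptied by a wipe, making the data inaccessible
    counter: Counter = field(default_factory=Counter)

def provision(password: str) -> Disk:
    salt = secrets.token_bytes(16)
    return Disk(salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITER))

def login(disk: Disk, guess: str, counter=None) -> str:
    """One attempt -> "ok"/"wrong"/"locked"; counts on disk unless an external (assumed rollback-proof) Counter is given."""
    counter = disk.counter if counter is None else counter
    if not disk.verifier or counter.failed >= MAX_ATTEMPTS:
        return "locked"  # the guess is never evaluated
    derived = hashlib.pbkdf2_hmac("sha256", guess.encode(), disk.salt, KDF_ITER)
    if secrets.compare_digest(derived, disk.verifier):
        counter.failed = 0
        return "ok"
    counter.failed += 1
    if counter.failed >= MAX_ATTEMPTS:
        disk.verifier = b""  # "wipe"
    return "wrong"

def replay_guessing(password: str, guesses: list, rollback_proof: bool = False) -> tuple:
    """Image the disk before each attempt, restore after each failure; return (recovered?, guesses evaluated)."""
    device, evaluated = provision(password), 0
    external = Counter() if rollback_proof else None
    for guess in guesses:
        snapshot = copy.deepcopy(device)
        result = login(device, guess, external)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return True, evaluated
        device = snapshot  # restore the pre-attempt image; the on-disk counter goes back too
    return False, evaluated
```

With the on-disk counter every restore resets it, so every guess in the list is evaluated; with the external counter the device stops evaluating guesses after MAX_ATTEMPTS even though the disk image itself is restored.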