Lost your phone? Assume the worst, study finds

If you lose a smart phone there is a 50 percent chance that the finder will try to return it, but an almost 100 percent chance that they first will browse through your files and applications, according to a recent experiment done by Symantec and Sprint.

“What surprised me was the number of people who went through the data on the phones,” said Kevin Haley, director of Symantec Security Response. “People are naturally curious, but a high percentage of people let curiosity get the better of them.”

The experiment, which logged the activities of people who found “lost” smart phones, did not distinguish between malicious behavior and idle curiosity, but the bottom line was that data on lost devices is likely to be compromised.






“The owner of a lost smart phone should not assume the finder of their device will attempt to make contact with them,” warned the Symantec report on the experiment. “Even when contact is made, the owner of the device should not assume their personal or business-related information has not been violated.”

The risk of exposing sensitive information becomes more serious as more workers use personal devices for work-related activities. In a recent study commissioned by the security research company ESET, 81 percent of respondents said they use personal devices for work. Although desktop and laptop computers remain the platforms of choice, with more than 50 percent using them for work, 38 percent also use a smart phone and 15 percent use a tablet.

Most of the personal devices are being used without basic security, the ESET study found. Only one third of laptops and one quarter of smart phones had an autolock feature to block out unauthorized users, and fewer than 10 percent of the tablets used it.

The Symantec experiment, dubbed the Smartphone Honey Stick Project, involved 50 phones, fully charged and loaded with apps, and sans security. They were left in public places, 10 each in New York, Washington, Los Angeles, San Francisco and Ottawa. Forty-seven of the devices were turned on by finders and their activities on the phones logged.

Of those found phones:

  • 89 percent were accessed for personal applications and information.
  • 83 percent were accessed for business resources.
  • 70 percent were accessed for both personal and business information.
  • 50 percent of the finders contacted the owner and provided contact information.

Applications loaded on the phones were labeled:

  • Social networking
  • Online banking
  • Webmail
  • Private Pix
  • Passwords
  • Calendar
  • Contacts
  • Cloud-based docs
  • HR Cases (PDF)
  • HR Salaries (Spreadsheet)
  • Corporate Email
  • Remote Admin.

All of these files were opened. The most commonly accessed file was “contacts,” which finders opened on 38 of the found phones. The motives for this might be benign, since that is where contact information for the phone’s owner was located. But “private pix” was accessed on 34 phones, apparently from simple voyeurism.

Haley said the file and application labels were not meant to be provocative or to entice finders to open them. “I think they were fairly descriptive,” he said.

Although the desktop is the most commonly used tool for remote working, the widespread use of smart phones puts a focus on the risk from lost devices. “Nobody ever left their desktop in the restroom of a Chinese restaurant,” Haley said.

The growing popularity of tablet computers — a platform with smart-phone mobility and laptop functionality — is likely to add another area of risk. The recent release by Apple of its new iPad has focused attention in this segment of the market. While most observers agree that the latest release is an incremental improvement over its predecessor rather than a significant jump, it also is likely to see continued uptake as a business tool.

“It’s a sign that the industry is beginning to mature,” said ESET security researcher Cameron Camp. “The tablet is here to stay.”

But possibly because it is a newer platform, not as many users are implementing security on tablets as on smart phones.

The bottom line is that all mobile devices should be password-protected to prevent casual snooping, Haley said. And if a device contains sensitive personal or work information, users should consider applications to track and/or remotely wipe the device.

Reader Comments

Wed, Mar 14, 2012

Both my iPhone and GPS (about the same size) have the ability to lock with a PIN code. I find it to be a lot more trouble to constantly enter a PIN code than to just use extra care to avoid loss or theft. On the GPS I replaced the 'opening logo' with a message offering a NQA Reward and showing a cell number and email; this would even be in view before a PIN code if enabled. This would also be seen at a Pawn Shop.

Wed, Mar 14, 2012 Nick

I never found a phone but I did find a key drive twice. In both cases I had to look through the data to find out who owned it. How else could you return such a thing? In the first case it was all pictures and I was never able to track down the owner, though I did narrow it down to their state. In the second case there was a resume and I was able to use that to contact the person. Neither one had a dedicated "contacts" file, and most phones don't either. So I would not be too down on the people who browsed the data. They may have just been trying to return the darn thing, which is how many of them ended up getting back home.

Tue, Mar 13, 2012

If the device is password-protected "...The most commonly accessed file was “contacts,” which finders opened on 38 of the found phones. The motives for this might be benign, since that is where contact information for the phone’s owner was located...50 percent of the finders contacted the owner and provided contact information. ..." How could the finder contact the owner?
