Lost your phone? Assume the worst, study finds
- By William Jackson
- Mar 09, 2012
If you lose a smart phone there is a 50 percent chance that the finder will try to return it, but an almost 100 percent chance that they first will browse through your files and applications, according to a recent experiment done by Symantec and Sprint.
“What surprised me was the number of people who went through the data on the phones,” said Kevin Haley, director of Symantec Security Response. “People are naturally curious, but a high percentage of people let curiosity get the better of them."
The experiment, which logged the activities of people who found “lost” smart phones, did not distinguish between malicious behavior and idle curiosity, but the bottom line was that data on lost devices is likely to be compromised.
Tony Bennett left his heart, others leave mobile devices in San Francisco
Android app test demonstrates dangers for mobile devices
“The owner of a lost smart phone should not assume the finder of their device will attempt to make contact with them,” warned the Symantec report on the experiment. “Even when contact is made, the owner of the device should not assume their personal or business-related information has not been violated.”
The risk of exposing sensitive information becomes more serious as more workers use personal devices for work-related activities. In a recent study commissioned by the security research company ESET, 81 percent of respondents said they use personal devices for work. Although desktop and laptop computers remain the platforms of choice, with more than 50 percent using them for work, 38 percent also use a smart phone and 15 percent use a tablet.
Most of the personal devices are being used without basic security, the ESET study found. Only one third of laptops and one quarter of smart phones had an autolock feature to block out unauthorized users, and fewer than 10 percent of the tablets used it.
The Symantec experiment, dubbed the Smartphone Honey Stick Project, involved 50 phones, fully charged and loaded with apps, and sans security. They were left in public places, 10 each in New York, Washington, Los Angeles, San Francisco and Ottawa. Forty-seven of the devices were turned on by finders and their activities on the phones logged.
Of those found phones:
- 89 percent were accessed for personal applications and information.
- 83 percent were accessed for business resources.
- 70 percent were accessed for both personal and business information.
- 50 percent of the finders contacted the owner and provided contact information.
Applications loaded on the phones were labeled:
- Social networking
- Online banking
- Private Pix
- Cloud-based docs
- HR Cases (PDF)
- HR Salaries (Spreadsheet)
- Corporate Email
- Remote Admin.
All of these files were opened. The most commonly accessed file was “contacts,” which finders opened on 38 of the found phones. The motives for this might be benign, since that is where contact information for the phone’s owner was located. But “private pix” was accessed on 34 phones, apparently from simple voyeurism.
Haley said the file and application labels were not meant to be provocative or to entice finders to open them. “I think they were fairly descriptive,” he said.
Although the desktop is the most commonly used tool for remote working, the widespread use of smart phones puts a focus on the risk from lost devices. “Nobody ever left their desktop in the restroom of a Chinese restaurant,” Haley said.
The growing popularity of tablet computers — a platform with smart-phone mobility and laptop functionality — is likely to add another area of risk. The recent release by Apple of its new iPad has focused attention in this segment of the market. While most observers agree that the latest release is an incremental improvement over its predecessor rather than a significant jump, it also is likely to see continued uptake as a business tool.
“It’s a sign that the industry is beginning to mature,” said ESET security researcher Cameron Camp. “The tablet is here to stay.”
But possibly because it is a newer platform, not as many users are implementing security on tablets as on smart phones.
The bottom line is that all mobile devices should be password-protected to prevent casual snooping, Haley said. And if a device contains sensitive personal or work information, users should consider applications to tack and or remotely wipe the device.
William Jackson is freelance writer and the author of the CyberEye blog.