Introducing the Symantec Smartphone Honey Stick Project

A while back, my wife was mugged and her purse and all its contents were stolen. When she told me, I had three questions:

  1. Are you alright?
  2. Did you cancel the credit cards and call a locksmith to change our locks?
  3. Did they get your phone?

My third question was about her smartphone because smartphones today are so integrated into our lives. Arguably, they carry even more valuables than a wallet does, including personal information and direct links to our finances. They may not have driver's licenses with our names and addresses stored on them (yet), but they contain the contact information of all our friends. Some smartphones even have the ability to carry out financial transactions like a credit or debit card, and nearly all have the capability to run apps that can access our bank accounts.

Add to all of this that because smartphones have merged our private lives with our work lives, they also contain—by accident or by design—a wealth of information about the businesses we work for.

The chance of getting a smartphone back once it has been stolen is probably pretty close to zero, but what about a lost phone? What are the chances that a phone left in the back seat of a taxi or on a news stand will be returned? And what should people expect to happen to those devices and, more importantly, the information on them in the meantime?

With the help of Scott Wright of Security Perspectives Inc., we decided to find out. The Symantec Smartphone Honey Stick Project is an experiment involving 50 "lost" smartphones. Before we intentionally lost these devices, we placed a collection of simulated corporate and personal data on them, along with the capability to remotely monitor what happened to them once they were found.

We dropped the 50 smartphones in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada. They were left in high-traffic public places such as elevators, malls, food courts, and public transit stops. Then we waited to see what would happen.

The short answer is not encouraging: Only half of the people who found one of the phones made any attempt to return it.

Maybe you think that having a 50/50 chance of getting a phone back is a glass half-full situation. Sorry, but I have to drain your glass: Even the people who attempted to return the phones made attempts to view the data on them. In fact, 96 percent of our lost smartphones were accessed by their finders.

This may have started as an attempt to discover the owner of the phone, but our research shows that the finders of these devices had what can graciously be called a curiosity about more than the name of the owner. Case in point:

  • Six out of 10 finders attempted to view social media information and email.
  • Eight out of 10 finders tried to access corporate information, including files clearly marked as "HR Salaries," "HR Cases," and other types of corporate information.

If you are in any way associated with securing a company's valuable information, those are pretty striking numbers. However, it is not just business-related information that is at risk and a cause for legitimate concern. Our "honey stick" smartphones also had an application that appeared to allow access to a remote computer or network. Surely, people wouldn't go that far. Well, one out of every two finders tried to run the "Remote Admin" app.

It's just as bad for consumers. Not only does our research show that your private pictures, social media accounts, and email are going to be accessed if your phone is lost and found, but nearly half of the finders tried to access the owner's bank account!

The point of all of this is not to say that people are bad. It's that people are naturally curious and when temptation is put in front of them they tend to bite the apple (some take many bites). The lesson to take away here is that we have to protect our mobile devices. The good news is that it is really not that hard to do.

Two things would have protected all of the data, personal and business, on these phones. The first is password protection. Just giving the phone password-based security would have prevented the casual finder from trolling through the data. The second is the ability to remotely wipe the data off the phones once they had been lost. In this way, even if the phone fell into the hands of a determined thief, there would be no data for them to find. It is also a good idea to have software on the phone to help locate it if lost.

A full list of Symantec's official recommendations for both businesses and consumers follows. However, at the end of the day, the above three simple practices and tools can eliminate the majority of the risk involved with losing a smartphone.

Now back to that mugging. Yes, my wife was all right. Yes, she did cancel her credit cards and call the locksmith. And, thankfully, her phone was in her pocket. On that note, here's another tip: Always keep your phone close to you and in a secure place.

Recommendations

Corporations should take the following steps to ensure mobile devices and sensitive corporate information remain protected:

  • Organizations should develop and enforce strong security policies for employees using mobile devices for work; this includes requiring password-enabled screen locks. Mobile device management and mobile security software can aid in this area.
  • Companies should focus on protecting information as opposed to focusing solely on devices—securing information so it is safe no matter where it ends up.
  • Educate employees about the risks, both online and physical, associated with mobile devices, such as the impact of a lost or stolen device.
  • Take inventory of the mobile devices connecting to your company's networks; you can't protect and manage what you don't know about.
  • Have a formal process in place so that everyone knows what to do if a device is lost or stolen. Mobile device management software can help automate such a process.
  • Integrate mobile device security and management into the overall enterprise security and management framework and administer it the same way. In essence, treat mobile devices as the true enterprise endpoints they are.
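The inventory, policy-enforcement, and lost-device bullets above describe one procedure: know which devices you have, check each against a minimum policy, and have a fixed sequence of actions ready when one goes missing. The script below is an added illustration of that procedure and is not Symantec's code or part of the original study. The device records are constructed, the command names (`remote_lock`, `remote_wipe`, and so on) are placeholders for whatever a real MDM product exposes, and the policy thresholds (PIN or password only, at least six characters, a check-in within seven days) are assumptions chosen for the example.

```python
"""Fleet policy check and lost-device workflow over a hypothetical MDM inventory.

Added example: device records and command names are constructed placeholders,
not a real MDM API and not Symantec's tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Device:
    device_id: str
    owner: str
    lock_type: str            # "none", "pattern", "pin" or "password"
    credential_length: int    # digits in the PIN / characters in the password
    remote_wipe_enrolled: bool
    last_checkin: datetime    # last time the device reported to the MDM
    reported_lost: bool = False


# Minimum policy drawn from the recommendations: a password-enabled screen
# lock, remote wipe available, and recent check-in so the device really is
# on the inventory. Thresholds are assumptions for this example.
POLICY = {
    "allowed_lock_types": {"pin", "password"},
    "min_credential_length": 6,
    "max_checkin_age": timedelta(days=7),
}


def policy_violations(dev: Device, now: datetime) -> list[str]:
    """Return the policy rules a device fails (empty list means compliant)."""
    problems = []
    if dev.lock_type not in POLICY["allowed_lock_types"]:
        problems.append(
            f"screen lock is '{dev.lock_type}', need one of "
            f"{sorted(POLICY['allowed_lock_types'])}"
        )
    elif dev.credential_length < POLICY["min_credential_length"]:
        problems.append(
            f"lock credential too short ({dev.credential_length} < "
            f"{POLICY['min_credential_length']})"
        )
    if not dev.remote_wipe_enrolled:
        problems.append("remote wipe not enrolled")
    if now - dev.last_checkin > POLICY["max_checkin_age"]:
        problems.append("no MDM check-in within the allowed window (stale inventory)")
    return problems


def lost_device_actions(dev: Device) -> list[str]:
    """Ordered response once a device is reported lost or stolen.

    Lock first so a finder is stopped immediately, then ask for a location;
    queue a wipe if it is enrolled so the data is gone even if the phone is
    never recovered. Revoking sessions closes the accounts the phone was
    signed in to regardless of what the device itself can still do.
    """
    if not dev.reported_lost:
        return []
    actions = ["remote_lock", "request_location"]
    if dev.remote_wipe_enrolled:
        actions.append("remote_wipe")
    else:
        actions.append("escalate: wipe unavailable, treat all data on device as exposed")
    actions.append("revoke_sessions_and_tokens")
    return actions


def compliance_report(devices: list[Device], now: datetime) -> dict:
    """Summarise the fleet: who is compliant, who is not and why, and what is queued for lost devices."""
    report = {"compliant": [], "non_compliant": {}, "lost": {}}
    for dev in devices:
        violations = policy_violations(dev, now)
        if violations:
            report["non_compliant"][dev.device_id] = violations
        else:
            report["compliant"].append(dev.device_id)
        if dev.reported_lost:
            report["lost"][dev.device_id] = lost_device_actions(dev)
    return report


# Constructed sample inventory (not real devices or people).
NOW = datetime(2012, 3, 1, tzinfo=timezone.utc)
FLEET = [
    Device("dev-001", "alice", "password", 10, True, NOW - timedelta(days=1)),
    Device("dev-002", "bob", "none", 0, True, NOW - timedelta(days=2)),
    Device("dev-003", "carol", "pin", 4, False, NOW - timedelta(days=3)),
    Device("dev-004", "dave", "pin", 6, True, NOW - timedelta(days=30)),
    Device("dev-005", "erin", "password", 12, True, NOW - timedelta(hours=6), reported_lost=True),
    Device("dev-006", "frank", "pattern", 0, False, NOW - timedelta(days=1), reported_lost=True),
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(FLEET, NOW), indent=2))
```

Running the script prints the report for the constructed fleet: the stale device (dev-004) shows up as non-compliant even though its lock settings are fine, which is the "you can't protect what you don't know about" point in practice, and the lost device without wipe enrolment (dev-006) gets an escalation entry rather than a wipe command so the data on it is treated as exposed.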

Consumers should take the following steps to ensure mobile devices and the personal information on them remain protected:

  • Use the screen lock feature and make sure that it is secured with a strong password or "draw to unlock" pattern. This is the most basic security precaution and requires minimal effort on the part of the user, yet can provide a critical barrier between personal information and a stranger.
  • Use security software specifically designed for smartphones. Such tools can stop hackers and prevent cybercriminals from stealing information or spying on users when using public networks. In addition, security software can often help locate a lost or stolen device and even remotely lock or wipe it.
  • When out and about, users should make sure that their mobile devices remain nearby and are never left unattended, being mindful of where they put devices at all times. It is also a good idea to make sure that they can differentiate their device from others that might be sitting in the immediate vicinity by adding distinguishing features, such as a sticker or a case.