Another Bad Idea: Handing Your Unlocked Phone to Strangers

You wouldn’t hand your unlocked mobile phone to strangers, would you? Especially not if they keep it for some minutes, unmonitored, to make configuration changes, right?

I’m currently traveling in parts of the world where my German network provider charges outrageous roaming prices. For the price of a one-minute call I can buy a prepaid SIM card from a local provider, usually with plenty of minutes to anywhere and 1 GB or more of data. The data alone is literally worth thousands(!) of Euros in roaming charges. So everybody buys those cards, and in many airports there are numerous providers to choose from.

Of course, being helpful and service-minded, they don’t give you a SIM with instructions. Instead, you give them your unlocked phone so they can set up and activate the card for you, happily typing away until they hand it back to you with a smile, stating that now everything works. What could possibly go wrong?

Well, handing over a phone in this way pretty much bypasses all defenses and safeguards that may be in place. It takes only seconds of unattended access to disable security solutions and plant malware on a device. It is also a safe bet that agencies in some countries are well aware of this kind of user behavior and are possibly exploiting it to “backdoor” the smartphones and tablets of selected travelers.

A funny thing happened in Bangkok: The guy in front of me in line (with a UK accent) simply told the provider his password (excusing himself with “sorry for that, we have a company policy that enforces passwords on our corporate mobile devices”). His password was “qwer.” :(

No one questioned this ridiculous practice of unlocking and handing over. With one exception, the service people were surprised when I told them to forget it and to just give me the SIM and instructions. One provider in Sydney refused to sell me just the SIM without installation service, telling me they don’t have instructions to hand out and no one had ever asked them before. The exception? When I asked the guys in Kuala Lumpur today about why they didn’t seem surprised by my request, they told me two months ago they had a number of people saying “just the SIM, please.” Must have been attendees of HITB, a hacker conference running at that time.

It’s important to think about the possible consequences. Companies might do well to prepare a quick guide for non-tech personnel, so they can change a SIM themselves.

On my next trip I plan to bring an old device as a honeypot, to see if someone actually tries to tamper with it.