Welcome to the SecAware blog

I spy with my beady eye ...

19 Mar 2012

Physically securing your smartphone

A short item on the Symantec blog introduces a 'honey stick'-type experiment with smartphones.  The project, part of the honeystick initiative, abandoned 50 phones in public places in US and Canadian cities and tracked their use (using 'phone home' type dummy apps and GPS) to see what happened when they were found.  Although half of the finders made some attempt to return them (good on yer!), nearly all finders snooped around on the phones.  Some finders might have been simply trying to establish ownership, others seem to have been exploring for sensitive information.  A few might have gone beyond simple curiosity.

Blogger Kevin Haley recommends three controls:
  1. Use the screen lock feature ... 
  2. Use security software ...
  3. Make sure that the mobile devices remain nearby and are never left unattended ...
Fair enough, though somewhat banal, but Kevin hints at another useful control in saying "It is also a good idea to make sure that they can differentiate their device from others that might be sitting in the immediate vicinity by adding distinguishing features, such as a sticker or a case."  So why not state your contact information (e.g. an email address or landline number, NOT your address or cellphone number!) on the outside of the phone case, and perhaps offer a reward for the finder to return the phone?  That way, an ethical finder doesn't need to rifle through the contents to find the owner's details.  Alternatively, polite instructions to "hand the phone in to the nearest police station" would work for some, leaving the police with the job of tracing the owner (not too hard if the loser knows roughly where the phone was lost, and calls the local police to log the fact).

The Symantec report, focusing more on corporate aspects, recommends policies and awareness - again, rather banal.

Best of all, don't lose your phone!  Keep it physically attached to your belt or clipped in your purse, and avoid storing sensitive information unnecessarily on your portable devices.  For example, the iPhone 4's heavily promoted ability to link and synchronize with your iPad and desktop has the nasty side-effect of significantly increasing the risk of your private and/or work information being compromised.  It may be cool but is it smart?

Gary (Gary@isect.com)

PS  Speaking as a scientist, I'm deliberately turning a blind eye to the methodology used in the study.  That it was sponsored by an antivirus company speaks volumes.
