Symantec: Finders Will Try to Access Lost Smartphones

A study by Symantec found that almost everyone who finds a lost smartphone will try to access the personal and corporate data inside, and only half will contact the owner.

Symantec€™s advice to smartphone users? Keep the devices close.

According to a recent study by the security software vendors, people who lose their smartphones or other mobile devices in public have a 50 percent chance of ever getting them back. And even if the device is returned, the person who found the phone most likely rooted around in it for a while, checking out whatever personal and business data they could find.

The lesson, according to Symantec, is to make sure that whatever data is on the phone is as secure as it can be.

€œ[I]n many cases, regaining possession of a lost device may be a losing battle,€ the Symantec researchers said in the report from the Symantec Smartphone Honey Stick Project. €œBut protecting the information on it does not have to be if the right precautions are taken. While devices can be replaced, loss of control over the information kept on these devices can result in far greater consequences.€

The overall goal of the study was to show users what would probably happen to their smartphone if they left it in a public place€”for example, a restaurant, mall, airport or taxi€”and a stranger found the phone. Given the amount of data€”both personal and business€”that people keep on smartphones today, losing one and having some unknown person pick it up could have significant consequences, according to Symantec.

€œThe theft or accidental loss of a smartphone can expose businesses and individuals to loss of any data stored on the device, as well as data residing in corporate systems or cloud applications to which the device might have direct connections,€ according to the report. €œThe use of consumer smartphones within a corporate environment further complicates the issue of data protection, as information may flow onto or through devices that are not fully controlled by the business.€

In the seven-day study, conducted by Security Perspectives Inc., a total of 50 smartphones were intentionally lost in New York City; Washington, D.C.; Los Angeles; the San Francisco Bay area; and Ottawa, Canada. Each phone contained apps that spanned everything from social networking and online banking to photos, passwords and corporate-sounding data, including human resources, corporate email and a spreadsheet tagged as showing salaries. None of the apps had any real functionality.

In addition, no security software or features€”such as passwords€”were enabled on the smartphones. The Symantec researchers wanted to make them easy to get into.

Logging software was installed so that the researchers could see what applications were being accessed, and GPS technology was used to track where the phones went.

The phones€”10 in each target area€”were lost over the course of several days in such places as elevators, food courts and transit stops, where high levels of foot traffic were guaranteed.

According to the study€™s results, 96 percent of lost smartphones were accessed by those people finding the device€”89 percent were accessed for personal apps and information, and another 83 percent for corporate-related data. Seventy percent were accessed for both, and 50 percent of the people who found the smartphones contacted the owner and gave them their own contact information.

Regarding the corporate data, 45 percent of the time, the finders tried to access the email client, while 53 percent tried to access the HR Salaries app. Forty percent tried to get into the HR Cases app, and 49 percent tried to access the app named Remote Admin.

€œThis finding demonstrates the high risks posed by an unmanaged, lost smartphone to sensitive corporate information,€ the researchers said in the report. €œIt demonstrates the need for proper security policies and device/data management. This is especially true in the age of the consumerization of IT and bring-your-own-device (BYOD) trend, when mobile devices are flowing into and out of corporate infrastructures at previously unheard of rates. If an unmanaged, employee-owned device is used for corporate access unbeknownst to the organization and that device is lost, the consequences of having no control over that device€”for example, to remotely lock or wipe it€”can be devastating.€

On the personal side, 72 percent of the finders tried to access private photos, and 43 percent tried to get into the online banking app. With the social networking and personal email apps, access to each was tried in 60 percent of the devices.

Sixty-six percent of the time, loggers tried to click through the log-in or password reset screens, where the user names and passwords were already filled in.

Of the 50 percent of finders who notified the owner that their device was found, only 25 percent offered to help the owner get the phone back. In addition, 68 percent of the finders accessed the smartphone before moving it, and 5 percent moved the devices, but never tried to access them.

Symantec researchers said businesses need to institute tough security policies for employees using mobile devices for work, and should focus more on protecting information rather than only protecting devices. Businesses also should explain the procedures employees must take when a smartphone is lost, and should take inventory of what mobile devices are connecting to their networks. €œ[T]hey can€™t protect and manage what they don€™t know about,€ the researchers said.