Symantec Project Demonstrates Vulnerabilities of Lost Phones
Just the other day we were looking at Symantec’s journey into the mobile protection world. Now, we learn about the Symantec Smartphone Honey Stick Project. Don’t let the name confuse you — this has nothing to do with Android (specifically) or tasty sweets. Rather, Symantec dropped 50 phones with “private” information across five major cities and recorded the results. What can the channel learn? Let’s take a look …
Symantec explained the study thusly:
We dropped the 50 smartphones in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada. They were left in high traffic public places such as elevators, malls, food courts, and public transit stops. Then we waited to see what would happen.
The result? Bad news. “Only half of the people who found one of the phones made any attempt to return it.” And according to Symantec, there’s more bad news, because “96 percent of our lost smartphones were accessed by their finders.” Symantec explains access was less than friendly, with users actively poking into information beyond the owner’s name and number. Finders looked at the user’s social media accounts, dug through (Symantec’s fake) HR files and, even more surprising, “One out of every two finders tried to run a ‘Remote Admin’ app.”
Yikes.
Symantec’s reading of the results is bleak. According to the company:
Not only does our research show that your private pictures, social media accounts, and email are going to be accessed if your phone is lost and found, nearly half of the finders tried to access the owner’s bank account!
More bad news, huh? Well, the good news is that Symantec believes simple measures such as password protection and remote phone wiping can mitigate the majority of problems related to lost phones. Symantec’s position is that mobile phones are tiny little cornucopias of precious data, but I think mobile devices are simply disposable access points to information in the cloud. If all that data exists in the cloud, then there’s no security issue, because a lost phone can simply be removed from network access.
And for the channel? Well, you could go the traditional route, focusing on individual device security. But perhaps more proactively, VARs and MSPs can offer cloud services that have innate security features, built for mobile device access. As new devices inevitably cycle through, the work required to integrate them will have been minimized. Essentially, these kinds of services can also provide future-proofing for new waves of mobile devices to come. Keep that idea in mind as 2012 rolls forward.