Scott Wright, a researcher and security coach hired by Symantec, conducted a small-scale experiment in which he “lost” 50 smartphones in a few big cities. Loaded with tracking software, the phones carried some made-up personal and corporate data to help determine what the people who found the phones would access. Carried out in late 2011, the test offers a glimpse into what really happens when you lose an unsecured smartphone.
The test was carried out in Ottawa, Canada; New York City; Washington, D.C.; Los Angeles; and the San Francisco Bay Area. The devices were lost in fairly typical places such as malls, food courts, elevators, taxis and bus stops. The devices had no passwords securing them, so the finders could access anything they liked with ease. Juicy fake corporate documents were also on the devices, with names like “HR Cases” and “HR Salaries”. What good Samaritan could resist a little look-see? I should note that trying to gather usable information from so few data points (50) can make for error-ridden results, but will definitely point out general trends in behavior.
Of the 50 smartphones in the test:
- 48 phones were accessed by their finders
- 45 phones were accessed for personal data or apps
- 42 phones were accessed for corporate data or apps
- 23 phones had their corporate email accessed
- 35 phones were accessed for both personal and corporate data
- 25 phones were returned by finding the owner in the address book
- 26 phones had their “HR Salaries” file accessed
- 20 phones had their “HR Cases” file accessed
- 24 phones had their “Remote Admin” app used
- 36 phones had their photos browsed
- 21 phones had their online banking app used
- 30 phones had their social networking apps used
- 28 phones had their “saved passwords” app used
- You generally have a 50% chance of your phone being returned
What they’re presenting is no more surprising than if someone lost 50 wallets and could somehow track which items were read. Human curiosity is a far cry from corporate espionage or someone desperate enough to look for any valuable secret to sell.
I see articles all the time written about how it’s possible to lift personal payment information from a factory-reset used Xbox, or how most photocopiers keep an archive of everything they’ve ever copied on a hard drive. Thankfully, security is a core element of the BlackBerry platform’s design.
This data might be making your CIO sick, but keep in mind that anyone on a BlackBerry running BES has their device locked down with a password and a how-to-return message displayed on the lock screen. I also find that BlackBerry Protect gives me total peace of mind as far as security goes. The real risks of data breaches have more to do with the sum of what the data is and who has access to the data.
I like how this test was done; it makes you realize that an unsecured device is no different than a lost pad of paper containing loads of personal details. Thankfully, security is a top design priority for BlackBerry smartphones and tablets. To read Scott Wright’s report on what happens to lost unsecured devices, click here.