You've lost your phone. You've called it and can't hear it anywhere in your house. It must be in a public place, although no one has answered it for you. What could be happening to your precious, expensive and most likely private information-containing device?
The Symantec Smartphone Honeystick Project set out to answer that question, intentionally losing 50 smartphones with a "collection of simulated corporate and personal data" on them.
Knowing that smartphones hold a whole host of information now -- everything from banking data to personal messages and images -- Symantec's Kevin Haley and Scott Wright from Security Perspectives, who was the project lead, wanted to find out what really happened to them when they were lost. Here are some factors what they hoped to identify:
- Likelihood of a finder attempting to access data on the smartphone
- Likelihood of a finder attempting to access corporate applications and data and/or personal applications and data
- Amount of time before a lost smartphone is moved or accessed
- Likelihood of a finder attempting to return a device to its owner
The 50 phones with tracking technology were "lost" in high traffic areas -- elevators, shopping centers, food courts, on public transit -- in New York City, Washington, D.C., Los Angeles; San Francisco, and Ottawa, Canada. The project found that 50 percent of phones were attempted to be returned to their rightful owner. There were also some interesting statistics of the intrusions on the found phones:
- 96 percent of the lost smartphones were accessed by the finders of the devices
- 89 percent of the devices were accessed for personal related apps and information
- 83 percent of the devices were accessed for corporate related apps and information
- 70 percent of the devices were accessed for both business and personal related apps and information
Delving more specifically into these statistics, the report states that on the corporate side 45 percent attempted to access corporate email accounts through the phone and 53 percent went into a file entitled "HR Salaries." On a personal level, 72 percent looked into private photo files; 43 percent tried to access private banking info; 60 percent attempted social networking sites and personal email access; and 57 percent tried to access a "Saved Passwords" file.
The researchers acknowledge that accessing some personal or corporate information could be to help identify contact information for the rightful owner, but they still said, even in cases when the phones were returned, some liberties were taken.
On average, it took 10.2 hours for attempted access to the device to be made, but the researchers note that the median time, based on actual access attempts was 59 minutes.
Haley offers two basic pieces of advice, in addition to a whole host of recommendations for corporations and individuals to protect their information. He says the most basic form of protection, which may seem like a no-brainer for some but should be reinforced, is password protection. The second is using the ability to wipe data from the phone remotely when it's lost.
[H/T PC World]