Smartphone Lost or Stolen 2

Posted by JD 04/07/2012 at 01:00

When you lose a smartphone, all sorts of personal and proprietary data may become available to the finder/thief. Recently, a friend had a smartphone that I’d given to him stolen, so some of my personal and proprietary data may have been on that device still. Below I’ll attempt to outline what we should have done. This is very much a work in progress, but my quick searches for best practices for smartphone loss returned nothing current or useful to an average person.

There was lots of best practice information for corporate devices on the internet. Buy this add-on for policy management, password complexity mandates, whole device encryption. None of this will help a soccer mom or a small business traveler overseas. We’ll try to work through what normal people can do to protect their devices, their data and make a lost or stolen device nearly useless to a thief.

A smartphone today is more powerful than a desktop computer from 10 years ago. This means these are extremely well-connected and valuable devices for you, me and thieves.

Let’s get started. I can’t ensure that any of these features or techniques will be available on your device or in the operating system that your phone runs. I’m only familiar with GSM phones, not what Verizon or Sprint use. Apple devices are a complete mystery to me. Do your own research for your device’s capabilities.

Pre-Loss / Pre-Theft Things

Before you have a loss, and most people will, there are a few steps you can take to make your data and accounts more secure. Some are easy, others are difficult and others will not be possible on all devices. Some will be a big hassle to leave enabled constantly, so many people will disable them or never try them at all.

Backups

Backups aren’t just for recovery and device failures, but to ensure that data isn’t only stored on a small, portable device that may disappear in a taxi or over a meal. Once your device is lost, not having access to the data is just salt on the wound. Having that data available also provides you a list of all the contacts, passwords, files, proprietary and personal data that has been compromised.

Off-device backups are step 1 for any security solution. I know there are solutions claiming to back up the data. I’ve used a few but never found that they really backed up everything on the device. For my sanity, I want something like a system image (Ghost, PartImage, etc), not just a copy of files the backup tool thinks are important. I want everything.

PIN Lock Boot Access – Cell Phone Access

On the smartphones that I’ve seen, it is possible to force a PIN to be entered before the device will boot or any phone calls can be made (except 911). This can buy you time immediately after a loss or theft to change access codes and cancel the phone account with your provider. It is also a big hassle all the times you want to make a call. I’ve never used a PIN lock. I probably should.

Quick Password Locks

There is a setting in Android that controls how quickly the screen locks and requires a password or pattern to be entered to get back into a phone. 2 minutes is a common setting, but I found even that to be annoying. Still, I left it enabled.

Force Use of a Password Manager

On Android, there is a workable Password Manager that reads KeePass v1.x encrypted files. The interface is a little clunky, but it does work. I’ve been using it for about 4 months. The program locks access to the password DB after 30 seconds (configurable) and I found that acceptable on a portable device.

Encrypt the Device, if possible

There are 3 kinds of storage on these devices.

  • Internal SD
  • External SD
  • External USB

Recently, I’ve seen where Android 3.x and later supports device encryption. I’ve heard, never used, that iPhones will encrypt the on-device storage if your access PIN is over 6 characters. 4 character PINs do not encrypt storage.

GPS “Home” Setting

Never set your real “home” to be the home for the GPS. Use a large intersection nearby instead.

Contacts / Owner Setting

The Android phones that I’ve seen have a place to put “owner information”; use that for a phone number or email account. Hopefully, an honest person will find your device and contact you. I was not so lucky. A not-so-nice voicemail was left on the contact phone number for my device. That number is not easily traced to my name or my address. Using a work number is probably a good idea.

Stop Auto-Login and Auto-Connects and Auto-Check-ins

Being able to automatically connect to google, facebook, twitter, IRC, Dropbox, SugarSync, etc … is really handy. It is also fantastic for anyone who gains access to your smartphone. They get access to more personal and possibly company data located on these services.

Disabling the auto connection is a hassle, but it will also provide a little protection for this off-device data.

My phone had a sugarsync connection, some of the data there was sensitive from a corporate standpoint. Fortunately, I only had read-only access to the data from others and never placed my stuff there. On the other hand, I had to let those other people know that there was a breach and the data we shared may have been made public. Not good.

Google really wants us to automatically connect and doesn’t really let us have control over that aspect of the Android platform. If the screen isn’t locked, then whoever holds the device gets access to your google gmail and may get access to your other google services too. Google has been pushing the use of SMS to access Google as another way to protect your accounts with them. What happens after the device that receives the SMS is stolen?

Install Tracking Software

Paid software like “Prey” is available for laptops and smartphones to help with recovery. The $9 cost is pretty small when compared to how it can help you recover your device. I’ve seen reviews for different software of this type. I’ve never used any of these.

The home-page on my device was set to an internal web page on a server that only I know about. Any access that isn’t from me, is from someone else by definition. An IP address is not a person, but it can get pretty close to an address with the help of police and reverse IP lookups. For a time, google had an IP/address lookup feature. I haven’t heard about it in a while. There were privacy concerns, as I recall. For my lost device, there weren’t any logs of access to that webpage, so that means they didn’t blindly open the web browser while connected to a network.
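The canary home page described above only helps if the server log is actually checked. The following is an added example, not the author's own setup, that scans a web server access log for requests to that page from addresses other than the owner's; the page path, the owner networks and the Apache/nginx "combined" log format are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the original post): the canary page path, the owner's
# own networks, and an Apache/nginx "combined" access-log format.
CANARY_PATH = "/phone-home.html"
OWNER_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.168.1.23 - - [02/Apr/2012:08:14:02 +0000] "GET /phone-home.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.3.4)"
198.51.100.77 - - [05/Apr/2012:19:41:55 +0000] "GET /phone-home.html?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.3.4)"
198.51.100.77 - - [05/Apr/2012:19:42:10 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Linux; U; Android 2.3.4)"
this line is truncated garbage
"""

def is_owner(ip_text):
    """True if the address falls inside one of the owner's known networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as not the owner
    return any(ip in net for net in OWNER_NETS)

def foreign_canary_hits(log_text):
    """Return (timestamp, ip, user_agent) for canary hits not made by the owner."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        path = m.group("target").split("?", 1)[0]  # ignore any query string
        if path == CANARY_PATH and not is_owner(m.group("ip")):
            hits.append((m.group("ts"), m.group("ip"), m.group("agent") or ""))
    return hits

if __name__ == "__main__":
    for ts, ip, agent in foreign_canary_hits(SAMPLE_LOG):
        print(f"{ts}  {ip}  {agent}")
```

An empty result, as in the author's case, means only that the browser was never opened on a network that could reach the server.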

Some of these tools will enable GPS tracking too – which can lead you and/or the police directly to your lost device. It is probably a good idea to not do this alone and only in a very public place with security easily available.

Install Remote Photo Snapshot Software

Having the photo of the person using your lost device will go a long way to recovering the device. It may provide information on the location – a coffee shop, home interior, etc.

Install Remote Wipe Software

This is more for the corporate users, but I suspect remote wipe software is available for home users too.

Post-Loss / Post-Theft Things

Ok, so your smartphone is gone. After you get over the loss, you need to take some actions – quickly.

File a Police Report

This opens the door for all sorts of help from different providers. Sure, it is a hassle, but if someone doesn’t contact you quickly about your “lost” phone, it is now stolen. In a different country, it can also be a priceless experience for your travel logs. A good story is priceless.

Contact Cell Company, Disable the SIM (or phone number)

Contact your cell provider and be very clear that the phone and/or SIM were lost or stolen. Be careful: they may try to disable all your devices (spouse and/or kids’ phones) too. Don’t let them. I heard of someone reporting a stolen phone, but they’d removed the SIM from the device prior to leaving their country, so only the device was gone. The cell phone number was not at risk in any way. The cell company disabled all his accounts immediately because the customer service rep didn’t understand that the SIM and device were 2 different things.

Contact Your Provider and Have Them Blacklist the Phone’s IMEI

The IMEI is a unique identifier for every GSM phone in the world. It is hardware-based. There is a central database, the Central Equipment Identity Register, that is shared by cell phone operators world-wide to make stealing cell phones useless. In theory, a stolen phone cannot be used anywhere in the world, though this is probably wishful thinking. Your cell service provider will need to make the entries into the DB.

Change All Passwords

Make a list of all the passwords used by the device. All of them. Don’t completely trust encrypted data. If you have a recent backup, you can start with that list. As a starting point, change these passwords ASAP:

  • gmail
  • Secondary and tertiary email accounts
  • facebook
  • twitter
  • foursquare
  • amazon and other online stores
  • Netflix, Hulu, ….
  • banks, brokerages, retirement
  • voice mail
  • web site logins – forums, blogs, services
  • dropbox, sugarsync
  • VoIP accounts
  • and remote access accounts – RDP, VNC, ssh
  • VPN keys – let the admin running the VPN know

You will have others, perhaps many others.

Notify Everyone of the Breach

Whatever data you had on the device must be assumed to be in other people’s hands.

  • Cached websites
  • Cached emails
  • sent emails
  • SMS messages
  • files, music, videos, photos

Hopefully, you encrypted all the storage on the device. After the fact is too late. Now you need to let everyone know that any private or proprietary data you had on the device is out there.

Your Device is Gone.

Get over it. Learn from the experience. Get on with your life, travel, work. I’ve seen a person behave almost neurotic over the loss of a smartphone.

My Experience

I was in a foreign country with an Android smartphone given to me by a friend. It was set up with GPS and maps with POI and lots of planning data for the many different cities and places to be visited. There was no SIM in the device, since I didn’t want any undesired phone charges while traveling, that was pulled and sat in a hotel safe. WiFi access was it. All the data was stored on an external 16G Class 10 SDHC card. Nothing was encrypted and only a gmail account was connected to the device. No important email accounts were on it, no twitter, no facebook, no other social networking. Since I was overseas, I was on a little higher alert and tried to ensure no sensitive data was stored on the device. I don’t know how good my attempts were, just that I tried. My KeePass DB was on the device.

I copied all the internal data to the external SDHC card, the day before the device was stolen. I’d pulled the external SDHC card out and removed my gmail profile from it. Then I looked through the internal SD storage for data to be removed and manually deleted it. Since I was returning the phone to a friend, I wasn’t too worried about some of the data remaining on it; like the GPS favorites and maps for the countries we’d visit. I may have left my skype account on it with an automatic login enabled. I don’t recall, but there haven’t been any skype calls made with that account. Then I did a device wipe using the built-in tool. It was an unlocked phone and rooted Android OS. Formerly, it was on the AT&T network, but I’d been using it on T-mobile with a pay-as-you-go SIM the last few weeks. The cellular data was disabled.

I suspect the device was wiped of my data well enough to not be an issue, very little if any of my stuff was leaked, but it definitely has my contact information, along with 500+ other people from my friend’s contact import. Wiping a smartphone doesn’t really wipe everything.

After looking through all these steps, I’m pretty certain that whole device encryption would have been less of a hassle and would have protected my data better. I’m torn on whether to encrypt the external SDHC card(s) – that could be a major hassle when moving data in and out of the device using other equipment. I routinely pull the SDHC card out and put it into a PC for faster copies. The USB connection is 20x slower, at least. A little testing will be needed before a decision is made.

When on vacation, a smartphone should be a convenience and shouldn’t get in the way of enjoying your time away from home and work. Don’t forget to make some memories with your family and friends too.

I’m fairly certain something easy and important is missing. Let everyone know in the comments.

  1. Defron 04/07/2012 at 23:25

    Yeah, with as much personal info as smartphones contain, it’s amazing how few lock them down.

    Personally, I think remote lock and wipe are the two most important features for a smartphone simply because of how much important information is on there. Maybe it’s my pessimism, but even with remote locate I don’t count on being able to recover my phone so locking and wiping it are more important. There’s plenty of apps that can do all three ranging from free (F-Secure Antitheft for Mobile), one-time fees (Where’s My Droid), to annual renewals (WaveSecure, Lookout, and plenty of others). Hopefully Prey will add remote wipe soon. Until then the only FOSS tool I’ve found that can do it is OpenMobster, which is corporate-oriented and not meant for your average user. Still I plan on looking into implementing it so I have full control over what’s going on on my phone. Even better would be for Google to release a way to do this in stock Android, considering as how both the iPhone and Windows Phone 7 have the capabilities to remote lock and wipe through stock tools without an Exchange Server.

    As for dealing with Auto-Login and Auto-Connects and Auto-Check-ins for things like a setup gmail account, which, like you said, Google makes quite hard to stop from being automatic, you can use things like Android Protector which add a passcode to using those apps. That way even if they are auto-logged in when launched, there’s still a password prompt (one you set up). Probably too much work for most people, but even if just setting it up for when you are on vacation instead of your usual routine could prove to be useful.

  2. JD 04/08/2012 at 12:24

    Good points @Defron and thanks for listing the other programs.

    In my case, the cell phone wasn’t on a data plan, so waiting until it was wifi connected would be the only way to get a remote-wipe to happen. When overseas, it didn’t even have a SIM inside.

    No Monthly Plan

    There is good news in this story, at least for me. The Android device didn’t cost me anything and I’m not stuck paying for a monthly data plan that I can’t use.

    I will admit to looking at $100 and less pay-as-you-go Android phones on walmart.com for a replacement, but there is no hurry to replace it. Android isn’t that compelling to me.

    Android Tablet, Google Play, and Hotel Port Blocking

    Actually the only real use I have for an Android tablet, as a portable remote access tool, failed completely on a recent overseas trip to 5 countries. The hotels all blocked non-standard, VPN and ssh ports. I would have been better off taking a clunky netbook where I could have figured out which ports were open and closed easier. Google Play works differently when overseas too. Many apps that are available to download here were not available there. I needed to reinstall a corrupted gmaps and couldn’t. The app install was blocked in 2 different countries. A GPS app, NavFree, wasn’t able to be installed either. I think this was a hotel port blocking issue. It failed in all 5 countries.

    N800, how I missed you

    In the meantime, my trusty N800 still works great with full-sized SDHC memory and all the bash and perl scripts I’ve written for it. Music, podcasts, GPS, video, email, RSS, web browsing are all included for $0.
    Every time Nokia releases a new N900-like device, I take a quick look to see if I can wipe the crap OS they are pushing now for something useful to me with a real POSIX shell and thousands of GPL programs while not requiring a $600 investment PLUS a mandatory data plan. It has been a disappointing few years for me. ;( The N800 is far from perfect and definitely has issues, but at least it works and feels like Linux at the core. Gaining root access isn’t a big deal at all. There is just a little warning that you really need to know what you’re doing.