I try to space out my InfoSec posts, I really do. I realize the subject matter doesn’t always have the broadest appeal. Rivet City isn’t my personal IT security blog. I mean, it kind of is, but not really. There are other things I’m into, other things I can write about within the nerdy realm; I’m not a one-trick pony. That said, events in my personal life the last few weeks have compelled me to write about mobile security again. This time, I’m not talking about some deeply nerdy thing like rooting your phone. This time I’m talking about something literally EVERYONE should be doing. Yes, that means you.

[Image: One Trick Pony. Caption: Google Image Searched “one trick pony”, was not disappointed]

Everyone should secure their smart phone. Your smart phone is a weapon in the wrong hands. Most everything has a mobile app/interface these days: your bank, airlines, work applications, the list is endless. Your phone allows someone to pose as you to your friends, family, coworkers, and enemies. Your phone contains who you know and how you know them. Your phone contains a history of your text conversations with everyone from Grandma to your mistress. Your phone shows how often you drunk dial your ex. Your phone is a window to your very identity, and that is always worth protecting. You have secrets, and you may not realize it until they’re not-so-secret anymore.

[Image: Sam Jackson -- Say, "I've got nothing to hide." Again...]

There are a lot of prying eyes to worry about: friends, family, partners, children, coworkers, students, teachers, parents, the police, really anyone that’s not you. So let’s talk about the most common sense thing you should be doing to protect your phone: lock it. You should lock your phone, and most platforms have several options for this. I’m going to tell you to choose the most boring one: a password. Not a PIN, not a pattern, a full-on password. “But Red…, my phone has facial recognition, voice recognition, and a fingerprint reader!” No, No, No.

PINs are only numerical. Even if you take it out to 8 digits and figure in the possibility of repeating digits, it’s not difficult at all for a computer to enumerate, then test, all of the possibilities (i.e., brute force). I’ve known some humans that could crack the 4-digit parental control PIN on their parents’ cable box within a few hours. A PIN is a plastic padlock, only stopping the laziest of intruders. Fingerprint readers can be fooled using various molding techniques. Facial recognition has been beaten by photos of the user. Voice recognition can be beaten by audio recording. Unless you frequently and thoroughly clean your screen, your unlock pattern can be seen clearly on the screen if you hold it at the correct angle.

You should be using a password, a strong password, just like you should have on your personal computer. A password has inherent advantages over other authentication methods. Due to fewer restrictions on length and greater options for complexity, a password is harder to brute force than a PIN. As part of choosing a password you should choose to encrypt the data as well. That makes it significantly more difficult for someone who has physical access to your phone to get at your data; not impossible, but it’s a significant roadblock. This may seem excessive, but once it’s done you’re not working much harder than with a PIN/pattern. Eventually your password will become muscle memory, much like your other methods.
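To put numbers on the PIN, pattern and password comparison above, here is an added example (not part of the original post) that counts the candidates an exhaustive search would have to cover for each lock method. It assumes Android's standard 3x3 pattern grid with a 4-dot minimum, a 94-symbol password alphabet, and an illustrative fixed guess rate with no lockout; all names in it are hypothetical.

```python
import math

ASSUMED_GUESSES_PER_SECOND = 10   # assumption for illustration, not a measured rate
PASSWORD_ALPHABET = 94            # assumption: printable ASCII without the space

def _midpoint(a, b):
    """Dot lying exactly between dots a and b on the 3x3 grid (0..8), else None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None

def count_patterns(min_dots=4, max_dots=9):
    """Count unlock patterns: no dot reused, no jumping over an unused dot."""
    def extend(last, used, length):
        total = 1 if length >= min_dots else 0
        if length == max_dots:
            return total
        for nxt in range(9):
            if used & (1 << nxt):
                continue
            mid = _midpoint(last, nxt)
            if mid is not None and not used & (1 << mid):
                continue  # would skip over a dot that has not been visited yet
            total += extend(nxt, used | (1 << nxt), length + 1)
        return total
    return sum(extend(start, 1 << start, 1) for start in range(9))

def keyspace(alphabet_size, length):
    """Number of candidates of exactly this length."""
    return alphabet_size ** length

def worst_case_days(space, rate=ASSUMED_GUESSES_PER_SECOND):
    """Days to try every candidate at a fixed guess rate, with no lockout."""
    return space / rate / 86400

def compare():
    """Lock methods as (name, keyspace, bits), weakest first."""
    methods = {
        "4-digit PIN": keyspace(10, 4),
        "3x3 pattern": count_patterns(),
        "8-digit PIN": keyspace(10, 8),
        "10-char password": keyspace(PASSWORD_ALPHABET, 10),
    }
    ranked = sorted(methods.items(), key=lambda kv: kv[1])
    return [(name, n, round(math.log2(n), 1)) for name, n in ranked]

if __name__ == "__main__":
    for name, n, bits in compare():
        print(f"{name:17} {n:>22,} candidates {bits:5} bits {worst_case_days(n):,.1f} days")
```

The pattern lock lands between a 4-digit and an 8-digit PIN, while each extra password character multiplies the search space by the alphabet size.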

Passwords (and PINs) have an additional advantage worth mentioning: they are legally protected by the 5th Amendment. This reinforces my position that protecting your data also protects others. Your data isn’t just about you. Pictures and text message conversations are a perfect example of this. Your partner sends you a nude, intending for it to be private between you and them. Your phone is stolen, suddenly that private photo is on the public internet, and maybe your partner loses their job or feels humiliated. A close friend confesses a minor crime to you via text, a cop searches your phone for whatever legal/questionably legal reason, and suddenly you’ve given them evidence. Now your friend is going to jail.

Another important security measure that goes along with locking your phone and understanding the risks your phone poses to you and others is tracking services. Both Google and Apple provide tracking and recovery services for free with their devices in the form of iCloud and Android Device Manager. There’s even a third-party app that covers mobile and PC called Prey Project. These services allow you to: locate your device if it’s lost or stolen; force the device to ring in a loud, annoying manner, ignoring silent or vibrate; lock the device or change the lock method remotely; and, last but not least, wipe it. If you don’t think you can recover your device, wiping it might be the best option. Better your data be destroyed than fall into the wrong hands.

Implementing a password as your screen lock, encrypting your device, setting up tracking and recovery, and understanding the risks your technology poses are important in today’s age of technology dependence.
