Mobile Security Achilles' Heel: Employees Won't Report A Lost Phone For A Very Long Time

Say you're a retailer whose associates use iPhones or iPads in-store to help customers check inventory or check out. Now suppose a tablet goes missing. How long will employees wait before reporting that it's gone? If it's more than a few minutes, you have a problem.

Last Wednesday (Feb. 9), two German security researchers said they've developed a way to strip a stolen iPhone of most of the passwords stored on it in about six minutes—even if the phone is encrypted. That's so fast that a phone or tablet could easily be stolen, stripped of data and returned before its owner even notices it's missing.

Worse still, employees aren't inclined to report a missing device instantly. That's just human nature. They'll probably go looking for it first—and if that search lasts as little as 10 or 15 minutes, the passwords and other security-related data on it could be long gone.

The security researchers, from Munich's Fraunhofer Institute for Secure Information Technology, said they used widely available software tools and a Windows PC to jailbreak the stolen phone and then run a small script that collects encrypted passwords. But they don't have to break any encryption themselves. "The decryption is done with the help of functions provided by the operating system itself," they wrote. "An attacker would not need to know the user's passcode, nor would he need to exploit new vulnerabilities to reveal these secrets."

In other words, the data theft happens so quickly because it uses the iPhone's own operating system to do the heavy lifting. From a passcode-protected and locked iPhone with no other vulnerabilities, they were able to extract passwords for company Wi-Fi and VPN, E-mail, voicemail and Google Mail, among others—all without visibly damaging the phone, and all in about six minutes.

Clearly, it's time to rethink how you deal with lost equipment. By definition, smartphones and tablets aren't nailed down, the way traditional point-of-sale equipment is (or should be). How hard is it for a thief to palm a mobile device while an employee is distracted, walk out the door and into a McDonald's or Starbucks a few steps away, hack the mobile device in minutes and then slip back into the store and casually leave the device where it will be found?

By that time, the employee may have noticed the device is missing—or is it just misplaced? If it only takes six minutes to grab a group of potentially useful passwords, an employee can spend 15 minutes searching for the device in the time a thief can steal, hack and return a smartphone or tablet.

A few weeks ago, a colleague here at StorefrontBacktalk had a conversation with a very senior IT exec at one of the larger chains and the subject of mobile security came up. The exec was unconcerned because, as he said, "We remote wipe those phones the instant we learn of it." No doubt that's true. But the first thing thieves do when they steal an iPhone is to remove the SIM, so a remote wipe becomes impossible.

Besides, wiping a phone only works if you believe employees will alert IT the instant a mobile device turns up missing. That's simply not the way people function.

You know that employees will search for a few minutes at least.You know that employees will search for a few minutes at least. Nobody wants to cry wolf—and generate a lot of help-desk and security paperwork—for a phone or tablet that was merely mislaid under a stack of loose papers.

Worse still, you know that when the device is found, everyone will assume there's been no foul play. After all, the device is physically undamaged and it seems to work fine. And who wants a lot of paperwork to have equipment checked out when it was probably just lost for a few minutes?

That optimism is just human nature. (Well, human nature combined with a desire not to have lots of paperwork and a bad report in the employee's file.) But it also means you could have an undetected loss of passwords—and a hacked iPhone or iPad that's potentially being used to process payment cards or access your retail systems.

(While Apple's iDevices have their security problems, there's no guarantee that smartphones or tablets using other operating systems will be safer, according to the researchers. They just didn't try their fast-break-in approach on any other devices.)

This is an obvious application for Apple's recently patented technique for detecting phones that have been tampered with. Unfortunately, it's not available yet. Meanwhile, those German researchers aren't publishing exact how-to-do-it-yourself details of their exploit. But collecting the necessary software and duplicating their feat won't be that difficult. The threat is real.

Fortunately, there are practical measures that help deal with the threat. You're a retailer, which means you have antitheft technology. Cementing an unsightly security tag to the device makes it harder to sneak out of the store and less desirable to steal for resale.

Requiring that every device that goes missing, even briefly, be checked for tampering is a good idea. That shouldn't require returning the device to the corporate office. The bad guys use scripts that can be run automatically to break into these devices; you should use scripts that can check for telltale signs of tampering.

An even better idea is to check all mobile devices for tampering each day, whether they've been reported missing or not. Checking those devices regularly also gives central IT the chance to do software updates and confirm what's actively being used from each store's device inventory. Daily is too often? Then make it weekly—but remember, you're weakening your security, too.

There's a side effect of implementing highly visible new security like antitheft tags and regular device inspections: Employees will notice and, for at least a little while, they'll be more security conscious. That's human nature, too—and those human associates are still the best way to keep mobile devices safe.