The Afterlife of Devices

How You Can Improve Your Device Authentication and Avoid Trouble After Your Personal Device Is Lost


What if it gets lost or stolen? This is the question we usually ask ourselves when buying a smartphone or tablet. We should also ask this question every time we install a banking app, set up corporate email on mobile or text our loved ones.

Recently, Symantec conducted an interesting study in the field of smartphone security, the Honey Stick Project. In the course of the study, 50 smartphones were intentionally left unattended in a number of different environments such as elevators, malls, food courts, public transit stops and other heavily trafficked locations.

Of those ‘lost’ devices, 96% were accessed by their finders. In more than 80% of cases the finder opened various apps looking for the original owner’s personal and corporate information. Only 50% of finders made any attempt to contact the owner of the device.


Risks and Mitigation

So what are your risks if your phone is among the 50% that are never returned to the legitimate owner?

Photos and videos from the phone gallery are probably the most notorious nightmare of a lost or stolen smartphone. The media attention usually comes with nude photos from the phones of celebrities. Scarlett Johansson, Jennifer Lawrence, Angelina Jolie and even the British Prince William were among these high-profile victims.


The stylized graphic depiction of Scarlett Johansson by Hungarian artist Thubakabra. No, this is not the photo that was stolen from Ms. Johansson’s phone. See the original work at DeviantArt.

The best remedy against having your nude pictures exposed is not storing them on your device to begin with. Not storing them on the device does not, of course, delete the other copies in existence: the picture might still be stored by your service provider and (for sure) by its recipient. Nevertheless, not having it on your device saves you a number of troubles when the device is lost.

Still, sometimes you need an important picture or document on your device and want to make sure it stays safe if the device is lost. Consider using on-device encryption solutions like Vaulty for Android, or Media Vault by Hideez, for this purpose. It is important that the application you pick actually uses encryption to protect your data: some ‘vault’ or ‘hide photos’ apps merely move or rename the files, and anyone who can read the phone’s storage will find them intact. Check whether the developer states which cipher and key derivation the app uses and where the key is kept; ‘password protected’ on its own tells you nothing.
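As a concrete check, here is an added example (not code from this page or from any of the apps named above) that takes the files a ‘vault’ app leaves on storage and flags the ones that still carry a recognisable media header or have a low byte entropy, i.e. the ones that were hidden or renamed rather than encrypted. The sample ‘image’ and the SHA-256 counter-mode keystream that produces its ‘encrypted’ copy are constructed for the example only; the keystream is a deterministic stand-in so the example runs offline, not a cipher recommendation.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Magic numbers of common media formats.  A "vault" that merely renames
# files leaves these bytes in place at the start of the file.
MAGIC = {
    "JPEG": b"\xff\xd8\xff",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF8",
    "PDF": b"%PDF-",
    "MP4": b"ftyp",          # sits at offset 4, handled below
}

def identify_magic(data: bytes) -> str:
    """Return the format name if the data starts with a known header."""
    for name, magic in MAGIC.items():
        offset = 4 if name == "MP4" else 0
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, lower for plain data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, min_entropy: float = 7.5) -> bool:
    """Heuristic: no recognisable header AND a near-random byte distribution.
    Caveat: compressed media (JPEG, MP4) is already close to 8 bits/byte, so
    for those files the header check is the decisive signal, not the entropy."""
    return identify_magic(data) == "unknown" and shannon_entropy(data) >= min_entropy

def audit_files(files: dict) -> dict:
    """Map file name -> verdict for a {name: bytes} collection."""
    verdicts = {}
    for name, data in files.items():
        fmt = identify_magic(data)
        if fmt != "unknown":
            verdicts[name] = f"NOT encrypted: {fmt} header intact"
        elif looks_encrypted(data):
            verdicts[name] = "looks encrypted"
        else:
            verdicts[name] = "not encrypted: no header but low entropy (obfuscated?)"
    return verdicts

def audit_directory(path: str) -> dict:
    """Same check over real files pulled from a device or a backup."""
    return audit_files({p.name: p.read_bytes()[:65536]
                        for p in Path(path).iterdir() if p.is_file()})

# --- constructed sample data (not real app output) -------------------------
def fake_jpeg(size: int = 4096) -> bytes:
    """A JPEG header followed by a repetitive 16-value body (entropy ~4 bits)."""
    palette = bytes(range(0, 256, 16))
    body = (palette * (size // len(palette) + 1))[: size - len(MAGIC["JPEG"])]
    return MAGIC["JPEG"] + body

def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a real cipher (SHA-256 in counter mode),
    used only so the sample 'ciphertext' is reproducible.  Not for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict:
    plain = fake_jpeg()
    return audit_files({
        "IMG_0001.jpg": plain,                                     # untouched
        ".vault/8f3a.dat": plain,                                  # renamed only
        ".vault/8f3a.dat.enc": toy_keystream_xor(plain, b"demo"),  # encrypted
        ".vault/stripped.bin": plain[3:],                          # header cut off
    })

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

To use it on a real app, copy the app’s private directory or the media folder it writes to (from a backup, or with `adb pull` on a device where you can reach it) and call `audit_directory()` on the copy. A file that still identifies as JPEG was never encrypted; a file with no header but low entropy was scrambled in a trivial way; only the last category deserves the word encryption, and even then the key handling still has to be examined separately.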


Jefferson Disk — the message encryption tool before WhatsApp. The disk was invented and used by Thomas Jefferson, the third President of the United States. Image by Wikimedia

Then there are also cross-platform apps like Hidely. These apps move photos straight from the camera into their own closed ecosystem, and your contacts have to install the app in order to view the photo.

In Identity We Trust

Another primary target in case of a lost device is your identity. In 2013 a cab driver from New York City started using the OKCupid profile of Nadav Nirenberg, a musician from Brooklyn who had lost his iPhone in a cab just the day before. The rogue driver was making romantic proposals to people from Nadav’s network.

The OKCupid profile of Nadav Nirenberg. Screenshot published by the Huffington Post.


The story ended up with a funny but happy ending: Nadav recovered his iPhone and dating profile. He pretended to be a woman interested in a date, then went out for the ‘date’, which resulted in a returned iPhone and an embarrassed cab driver. However, not all stories like this one have a happy ending, and not every finder of your device is naive enough to use it only for dating websites instead of rushing to extract cash from your bank account.

The best remedy against identity theft is changing the passwords for all your major online accounts and revoking the access of the apps and sessions on the lost device. Google, Facebook, Apple, Twitter and many other popular online services now let you list your signed-in devices and sign them out remotely. Do this as well as changing the password, because on some services an existing session survives a password change.

If you have a profile on any of the social networks, writing a post mentioning that your device was stolen might be a good option: it lets your contacts know and be prepared to react accordingly if they are contacted by the identity thieves. This is a tough lesson BBC journalist Ed Stourton learned in 2013, when his cousin called to tell him his account had been hacked. The hackers were sending emails to Stourton’s friends and relatives asking for a ‘quick loan’ after an alleged ‘armed robbery’.

Report It Fast

Banking data and corporate emails are also primary targets when your phone is lost. In this case your duty as a user is to report the loss of the device to your bank and to your employer’s IT security department (or simply the IT person) as soon as possible.

Notification about the lost device allows your bank and employer to prepare for possible intrusions, for example by revoking the device’s access tokens and certificates or wiping it through mobile device management, and partially shifts the burden for the consequences. In the case of an employer things might get embarrassing, but it is better than being embarrassed by a massive breach of your organization, which will be your fault if you do not report the loss in time.

Is a Passcode or Access PIN Sufficient?

So by now it should be obvious that having some end-user authentication on your device is better than having none at all. You should definitely set it up; if you haven’t done so already, now would be the time. Let’s look through the nuances.

Street thieves or dishonest cab drivers usually aren’t hackers. Quite often they will simply erase all the contents of your phone, restore it to the factory settings and try to sell the device quickly. With the current generation of devices, both iOS (Activation Lock) and Android (Factory Reset Protection) require the previous owner’s account credentials before a wiped device can be set up by a new owner.

This improvement is useful for the previous owner, because the device must connect to the Internet to perform the activation check for the new owner. If you have sent a remote wipe command using Android Device Manager or the Find My iPhone app, the pending command is delivered as soon as the device comes online, and the device is wiped while remaining locked to your account.

Even the most sophisticated hacker will need at least several minutes to bypass device authentication, depending on how reliable it is. This buys you precious time to call for help, call the police, block your bank account from another phone, or sound the alarm to locate your device and the thief using the same Android Device Manager or Find My iPhone app.

Ok, so what if the thieves or attackers were targeting not just your phone but rather the information that’s on it? That’s where we discover why storage encryption matters, and that not all device authentication mechanisms were created equal.

Device Authentication that Lasts

The most obvious forms of authentication are lock patterns for Android, passcodes for iOS and device passwords for Windows and Mac OS.

Lock patterns are the weakest authentication mechanism in practice. Recently a group of researchers from Lancaster University and Northwest University in China published a study showing that, given a video recording of the owner drawing the pattern (even from a few metres away), 95% of lock patterns can be reconstructed within the first five attempts that Android gives its user before initiating brute-force protection, i.e. temporarily locking the user out after five consecutive unsuccessful unlocking attempts. So a lock pattern is definitely a bad choice if you are planning to protect sensitive information on your device from a professional phone hacker.

Introduced on the iOS platform, passcodes are better, especially if they are longer than four digits. By the way, did you know that a passcode can have a custom numeric length or be alphanumeric, i.e. consist of numbers and letters? To set up a custom passcode, press the ‘Passcode Options’ button when changing your passcode.

However, note that alphanumeric passcodes might be an inconvenient option for people with an active lifestyle, as they require a full keyboard for input. The smaller keys of the full keyboard are harder to operate in rain, snowstorms or other harsh weather conditions that demand immediate access to your iPhone while Touch ID refuses to work because the ‘Home’ button is covered with moisture.
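To put numbers on the comparison between patterns, PINs and alphanumeric passcodes, here is an added example (not from this page and not Android’s own code) that enumerates every valid Android unlock pattern under the platform’s drawing rules (four to nine dots, no dot twice, and a straight line may not pass over a dot that has not been visited yet) and sets the size of each space against the five attempts the lockout allows. The guess probabilities assume an attacker who knows nothing about the user, which is precisely the assumption that a shoulder-surfing or video attack defeats.

```python
import math

# Pairs of dots on the 3x3 grid whose connecting line passes over a third
# dot; Android only allows the jump if that middle dot is already visited.
#   1 2 3
#   4 5 6
#   7 8 9
_MIDDLE = {}
for a, m, b in [(1, 2, 3), (4, 5, 6), (7, 8, 9),     # rows
                (1, 4, 7), (2, 5, 8), (3, 6, 9),     # columns
                (1, 5, 9), (3, 5, 7)]:               # diagonals
    _MIDDLE[(a, b)] = _MIDDLE[(b, a)] = m

def is_valid_pattern(dots) -> bool:
    """Check one pattern against Android's drawing rules."""
    if not 4 <= len(dots) <= 9 or len(set(dots)) != len(dots):
        return False
    if any(d not in range(1, 10) for d in dots):
        return False
    visited = set()
    for prev, cur in zip(dots, dots[1:]):
        visited.add(prev)
        mid = _MIDDLE.get((prev, cur))
        if mid is not None and mid not in visited:
            return False
    return True

def count_patterns(min_len: int = 4, max_len: int = 9) -> int:
    """Enumerate valid patterns of each length by depth-first search."""
    visited = [False] * 10

    def extend(cur: int, remaining: int) -> int:
        if remaining == 0:
            return 1
        visited[cur] = True
        total = 0
        for nxt in range(1, 10):
            if visited[nxt]:
                continue
            mid = _MIDDLE.get((cur, nxt))
            if mid is None or visited[mid]:
                total += extend(nxt, remaining - 1)
        visited[cur] = False
        return total

    return sum(extend(start, length - 1)
               for length in range(min_len, max_len + 1)
               for start in range(1, 10))

def guess_within(space: int, attempts: int = 5) -> float:
    """Chance that blind guessing hits within the lockout budget."""
    return min(1.0, attempts / space)

def compare(attempts: int = 5) -> list:
    """Rows of (name, size of space, entropy in bits, P(guess within attempts))."""
    spaces = [
        ("Android pattern (4-9 dots)", count_patterns()),
        ("4-digit PIN", 10 ** 4),
        ("6-digit PIN", 10 ** 6),
        ("8-char alphanumeric (a-zA-Z0-9)", 62 ** 8),
    ]
    return [(name, n, math.log2(n), guess_within(n, attempts)) for name, n in spaces]

if __name__ == "__main__":
    for name, n, bits, p in compare():
        print(f"{name:34} {n:>16,} {bits:5.1f} bits  P({5} guesses)={p:.2e}")
```

The pattern space comes out at 389,112, larger than a 4-digit PIN’s 10,000, which is the real lesson: patterns are weak not because the space is small but because people draw a handful of familiar shapes and because the gesture is easy to observe and replay. The five-attempt lockout only protects against blind guessing.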


Also, even very complicated passcodes and passwords can’t save the user from the risk of covert or open video recording with subsequent analysis of finger movements. As the aforementioned paper explains, this can be achieved at a relatively low cost.

The Solutions That Will Stand

The most reliable solutions depend on a hardware second factor combined with biometrics. Mass-market platform vendors like Google and Apple haven’t yet rolled out combined solutions: Apple’s Touch ID replaces the passcode instead of augmenting it. The ‘Unlock with Apple Watch’ feature is the closest hit: a device running watchOS can be used to unlock your Mac while the watch stays on your wrist and is itself unlocked by a separate passcode. However, as of now customers cannot unlock an iPhone with their Apple Watch, and unlocking a Mac requires a Wi-Fi connection.

The closest mainstream solution on Android is the built-in iris-scanning camera of the Samsung Galaxy Note series, starting from the Note 7. Galaxy users can now use their irises to log into their phone. However, Samsung’s iris recognition was almost instantly exposed as unreliable by Jan ‘Starbug’ Krissler, a member of the famous Chaos Computer Club, who bypassed it on the Galaxy S8 with a printed photo of the owner’s eye and a contact lens laid over it to mimic the curvature of a real eye.

To prove his point, Krissler used Google’s own creation, Google Image Search, to locate high-resolution photos containing the irises of famous politicians. If Samsung had used a hardware second factor in combination with biometrics, the combined system might have been more difficult to hack.

Just an ordinary Google Image Search and a Wikipedia article (like this one about the Chancellor of Germany Angela Merkel) might give a hacker a photo of the iris, which will be sufficient for fooling many commercially available iris scanners. (The retina, at the back of the eye, is not visible in a photograph; consumer ‘eye scanners’ read the iris.) Photo by Ricardo Stuckert, Agência Brasil, published under the Creative Commons Attribution 3.0 Brazil License.

Therefore, no matter how sophisticated the end-user authentication on your device is, it is always better not to store a copy of critical documents or media on it if you really don’t want them accessed by somebody else in case your device is lost.

Your Privacy v. the Ease of Returning a Device

Now you know some of the nuances involved in protecting your privacy and will probably make sure your device is a digital fortress, with all the sensitive data inside it protected from prying eyes by the stone walls of encryption and passwords. However, what if the person temporarily holding the device you have lost is not a criminal? What if she or he is a good-faith citizen who just wants to make sure you get it back?

The Good Samaritan (1880) by Aimé Morot. Reproduction by Wikimedia.

Good Samaritans of the cyber age track down the legitimate owners and then make their best effort to return the device. For example, community members of the camerafound.com website trace the owners of lost digital cameras from the pictures left on the storage card. Other Samaritans track down owners of smartphones, tablets and laptops forgotten on board commercial airplanes. Some do so even after a distressed owner threatens to file a police report for no good reason after being contacted about the lost property.

CameraFound.com helps locate owners of the lost cameras

So how do you, the reasonable owner of the lost device, help good samaritans return your device without compromising your privacy and security?

An iPhone or an iPad with iOS 8 or higher and a passcode enabled displays an ‘Emergency’ button in the bottom left of the passcode screen. The emergency screen in turn has a ‘Medical ID’ button in the bottom left. When pressed, and if set up properly, the Medical ID shows the owner’s photo, name and various medical information, including blood type, weight, height, allergies and reactions.

If you have at least some presence in social media networks and set up the Medical ID on your iOS device properly, your name and picture from the medical ID should be enough for a diligent and tech savvy person who found your Apple-manufactured device and has good faith intention to return it.

A Medical ID on Apple iPhone — set it up to let a good cyber Samaritan locate you without having to hack your device in order to get your contact information.

In the case of Android, things get a little more complicated. Still, depending on your Android version, you may be able to set up ‘Emergency Contacts’, or at least an ‘Owner Info’ message shown on the lock screen, via ‘Settings’ > ‘Security’ > ‘Owner Info’. There are various alternative ways of doing it; you can find the one that fits your device by searching for ‘Android emergency contact’ in your preferred search engine.

A Good Old Dog Tag

What if your device is found by a fisherman from West Sussex inside a fish he has just caught? The device might not be functional, or the person who found it might not be well versed in smartphone platforms. If you use a protective or decorative case for your device, the best solution is a dog tag placed between the case and the device. The term ‘dog tag’ comes from the military: it is a metal medallion on a necklace or pocket clip that has long been used to identify soldiers who perished or were wounded in action.

If your phone has a removable battery, the battery compartment is another good place for a dog tag. It is better to place the tag between the battery and the compartment cover, not between the battery and the main body of the device. This increases the chances of the tag being seen when somebody opens the compartment, and it minimizes the odds of a battery malfunction.

A plain piece of paper with your name, phone number, email and postal address written on it is not the best option. Remember the fisherman from West Sussex? Better to use a durable, water-resistant material such as plastic cut from a used folder or bottle, and a permanent marker. This solution is slightly odd, but it has saved devices containing important data in many instances.

It may also be useful to scratch the letters and numbers into the tag, so that the text stays legible even if some chemical (like the contents of a battery that leaked after the phone smacked against the ground or was hit by something heavy, like a car tire) washes away the ink. Classic army-style dog tags are also good for this job. However, the metal might interfere with the antenna of your device, or might be too thick to fit inside the battery compartment without causing trouble.

How Does Hideez Help?

Please remember that every system can be hacked; that is why even FBI Director James Comey has his laptop webcam taped over. This does not necessarily mean that every system can be hacked easily and cheaply, and that is why we never claim that Hideez customers are unhackable. The Hideez team only does its very best to make hacking our customers difficult and expensive.

In a crisis situation a lot depends on the attentiveness of the end user, and their critical thinking. Your privacy and chances of having the device back depend on the homework you did before the event occurred. If done properly and in time, these simple steps will be helpful.

Hideez Key uses a number of technologies to make sure your device has a better ‘afterlife’ when lost. The first is presence-based authentication: it lets you use very complicated passcodes or passwords without having to type them each time you need to use your device, because the key you carry unlocks the device while it is nearby.

At the same time, if somebody wants to log into your device without your knowledge, they will have to crack not a weak swipe pattern or four-digit PIN but a long and difficult combination of letters, symbols and numbers. That is, assuming you set it up before losing your device.

Hideez Key also lets you keep all your credentials, such as passwords or digital signatures, on a single minimal external storage device: a single-purpose unit with no Internet connection, which cannot be attacked online and gives malware far less room to hide than a phone does.

Therefore, even if your first line of protection, i.e. access codes or device passwords, is hacked, the hackers will still have no access to your sensitive information, because it stays inside your Hideez Key rather than in the memory of the device. An important detail is that Hideez complicates unauthorised reading of information from the memory of the Hideez Key. Therefore, even if you lose your main device and the Hideez Key together, the person who finds both will still have to guess your Hideez master password to extract any sensitive data.

Author: Gennadiy Kornev

Marketing and Product Advisor of Hideez Technology, content distribution systems architect, project manager, tatko
