Do you have a smartphone? If so, is it encrypted?
Smartphones (and/or tablets) like the iPhone and various Android phones have offered the option to encrypt the phone for some time now. I’ve been a big fan of this for some time and have a number of clients who routinely store sensitive information (emails from clients, documents, photos, etc.) on their phones, or have VPN access to their offices on their phones, and who also make extensive use of the encryption options available. It’s always been hard, though, to get folks who don’t know that they have sensitive information on their phones to encrypt them, because it’s perceived as an extra layer of complexity without any real benefit. That may no longer be the case.
According to this article over at F-Secure, several officers with the California Highway Patrol recently got caught stealing nude photos from DUI suspects’ phones and trading them with other officers and, according to the article, they’ve been doing it for years. The article uses this as an opportunity to encourage people to protect their phones with a passcode but, the reality is, that’s very little good if the officer has physical access to the phone and a little bit of tech know-how. If the phone is encrypted though, that’s a different story.
If you have a smartphone that includes an option to encrypt its storage, use it. It will be a bit of a pain to enter the PIN every time that it boots and every time that you have to unlock it but, if it falls into the wrong hands, all of the information on it will be encrypted and unavailable to whoever has it. Before you say that there’s no pertinent information on it though, some things that a lot of people don’t consider important are:
- GPS History. Most phones keep track of where they (and, by extension, their owners) have been. The most frequent places are likely going to be your home and your work.
- Notes. Most phones include an ‘app’ to keep track of information. Many people use these apps to keep track of things like passwords, alarm passcodes, account numbers, etc., so that the information is sync’d between all of their devices (think Dropbox and Evernote). If an attacker gets your phone and can easily access your Dropbox or Evernote data, what would that give them?
- Contacts. Many people have a significant list of contacts in their phones, many categorized by relationship type (friend, family, co-worker, vendor, etc.). With some very basic social engineering skills, that can be VERY handy for an attacker. Imagine getting a phone call from Bob with Acme Co (who is your alarm company, a vendor, according to your Evernote) who needs to confirm that your PIN code is 1234. When you confirm, Bob asks for your secret word (which isn’t in Evernote) to authenticate you.
- Emails. Is your corporate email sync’d to your smartphone? What would happen if you emailed your boss with some choice words? What would happen if you did the same to your clients or, more importantly, what if an attacker sent a malicious attachment to all of your contacts disguised as updated contact info for you?
- Pictures. I’m hoping that you’re not taking nude photos and storing them on your phone (which are then backed up to the cloud, etc.) but, if you are (and that’s your business), anyone that can put their hands on your phone can put their eyes on those photos. Sure, most people aren’t going to have access to your phone and most wouldn’t browse through them if they did, but I suspect that most if not all of the people whose private photos were traded by the CHP thought that it wouldn’t happen to them either.
In most cases, encrypting your phone is free, easy and relatively transparent to the legitimate user once it’s finished. It’s also incredibly comforting, if your phone is ever lost or stolen, to know that none of the information on the phone can come back to haunt you later on. If you have a smartphone and aren’t sure if it is encrypted or if it can be, we would love to help.