According to F-Secure Corp., 10 thousand smartphones are reported lost or stolen to the U.K. Metropolitan Police every month. Nonetheless, a recent Credant survey of London commuters found that 40% did not password-protect phones used for business. Large enterprises can afford mobile device managers to enforce passwords and wipe missing smartphones, but how can smaller employers deal with risks resulting from the theft of these convenient little time bombs?
CONSIDER ALL REMOTE PHONE LOCK OPTIONS
The first thing to do when a smartphone goes missing is to lock the device, deterring unauthorized access to stored data and applications (e.g., business contacts, email messages, portal logins). Hopefully, that lost device was already locked by an inactivity timer or power-on password. But statistics show that employers who don't enforce mobile device password use can't reasonably assume this is so.
A number of products and services let the administrator and/or user lock a lost smartphone, automatically or upon command. A smartphone may be configured to disable itself:
- after x-failed login attempts,
- if battery power falls below a designated threshold,
- if it fails to sync with a designated server after x-days,
- if its SIM card is removed or replaced, and/or
- when it receives a specially-crafted SMS or TCP/IP message.
When shopping for an automated or remote smartphone lock, think about who should be able to initiate the lock, under what conditions, and what credentials must be supplied. Do you want the user (and only the user) to invoke this lock through a self-service Web portal, or are you comfortable asking a service provider to lock lost devices for you? How will the device be configured to enable locks so they can be invoked when needed?
Furthermore, it's important to understand the data and applications actually protected by a remote lock. For example, carriers are often able to lock the SIM but not the entire device. Device-resident agents may be able to lock some or all of the data stored on the device, but not all can lock data stored on removable media. When remotely locked, can the device still be used to display a "return me" message or place an emergency call?
Finally, beware that some remote locks are hard to undo or intentionally destructive. If a user reports losing his phone but later finds it, can he simply enter his own password to unlock it again? Or will unlocking the device require an admin or provider-supplied PIN, or even a re-flash and restore?
SMARTPHONE GPS TRACKING FINDS LOST DEVICES
Many lost phones are never returned, but the ability to easily visualize a device's current location improves its chances of recovery. In the past, locating a smartphone wasn't easy. A device in "airplane mode" might never again connect to any network -- LAN or WAN. A smartphone that continues receiving email and SMS messages can be linked to a current IP address, but that tidbit offers little insight into its physical location.
Fortunately, two technology trends are making it easier to find a lost smartphone. First, most new phones support GPS functionality -- when enabled, GPS can supply the device's longitude/latitude. Second, many smartphones now support Wi-Fi -- when active, a wireless IPS or rogue-scanning AP can use triangulation to plot a Wi-Fi client's position inside a building.
Some vendors have already harnessed these technologies to provide geo-location tracking for smartphones. For example, end users can use Apple's MobileMe Find My iPhone service to view the approximate location of any iPhone running OS 3.0 software. IT administrators can use Absolute Software's Customer Center to map the historical and current location of Windows Mobile and BlackBerry devices within 33 feet.
Locationing can aid recovery, but there are still limits. If a lost device is never again turned on, its location cannot be detected. If a thief replaces a lost iPhone's SIM card, it cannot be found by MobileMe. If a smartphone is wiped, its resident agent, radio or GPS may be rendered inoperable. Some countries inhibit use of locationing technologies. Incorporate geo-location tracking within your antitheft arsenal, but learn the restrictions relevant to your workforce.
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
Send comments on this technical tip firstname.lastname@example.org.