How safe is the data on your smartphone?
By Canadian SecurityFeatures Opinion
I will spare the reader a history lesson on computers, but I just want to say that we have come a long way from the advent of the first personal computer. Today’s mobile phones have thousands of time more processing capability, storage and functionality that that old IBM PC/XT. I know I am dating myself, but I am hoping it gives me credibility. The industry has finally developed to a point where we are taking security seriously on laptops.
My good friend Larry Keating is President and CEO of No Panic Computing, where for as little as $130 per month you can get a completely encrypted, totally secure, totally backed up laptop. If it is lost or stolen the data is not only encrypted, is it also remotely wiped and a new laptop shows up at your door with 100 per cent of your files on it. It is like you never lost a thing and you don’t have to worry about your data getting into the wrong hands. That was the good news. The bad news is that we are relying more and more on smart phones and tablets in our day to day work. The laptop is not going to disappear, but we are doing more and more on our smart phones. It seems like once we get the security right on something, then we have to move away from that and go to something less secure.
Let’s have a look at the iPhone. Apple’s total iPhone user base may reach as high as 100 million users by the end of 2011, according to Morgan Stanley analyst Katy Huberty. And to get into your iPhone you can set it to require a 4 digit password. It should come as no surprise to you that a lot of people use a lot of easy to guess four digit codes. In fact, the top ten codes are 1234, 0000, 2500, 1111, 5555, 5683, 0852, 2222 and 1998. If you have any of these codes, change it now. These ten codes represent 15 per cent of all user codes.
In other words, I have a 15 per cent chance of getting into your phone by simply using one of these pass codes. Then of course we have users that like to jailbreak their phones. This is particularly true with our younger generation. Why would one jailbreak their phone you ask? Jailbreaking can simply be described as disabling the security features on your iPhone so that you can do anything you want with your phone. From a security perspective, it would be like leaving your door unlocked on your house.
Law enforcement and organized crime are putting encryption on their smart phones for good reason. Just think of all the things you can do with your Smartphone today: email, Instant Messaging, Internet browsing, social networking such as Facebook, MySpace, Twitter and Flickr, taking pictures and video, Video calls such as FaceTime as well as document storage, contacts, etc. And of course, your phone may very well track you and collect information such as the serial number identifiers from your phone, your age, sex, contacts and GPS location data without your knowledge.
You will also notice that the application that helps you get to where you are going could also be storing critical information of where you have been. There have been rulings in both the U.S. and Canada that the search of your cell phone is valid, incident to a lawful arrest without a search warrant. I strongly disagree with these rulings based on our rights of privacy. A search warrant should always be required in my opinion. But the good news is, you don’t legally have to give up your password, at least not in Canada. This brings us full circle. How safe is the data on the device. Blackberry’s are the safest. iPhones are relatively easy to get into with the current set of forensics tools available. Your best bet for an iPhone and other device is to make sure the data on the device is encrypted. Also, when you are syncing your devices to your computer, make sure you turn on the feature to encrypt the backup. And for goodness sake, use something different than a four digit passcode that everyone else is using.
Marty Musters is the Director of Forensics for Computer Forensics Inc. www.computerforensics.ca He can be reached at email@example.com
Print this page