Category Archives: security

lost iPhones (and other iDevices)

So a recent issue at work caused us to check out the ‘oh crap I lost my phone’ features that iCloud gives us, and the functionality is pretty cool. This feature applies to any Apple device on which you’ve configured the ‘Find My . . .’ service. On Mac OS X this can be found in the System Preferences under iCloud, while on the iPhone or iPad it is in the Settings app, also under iCloud. Just enable the Find My iPad or Find My iPhone toggle.

Once this is configured you can go to iCloud.com, log in, and see where your devices are. iCloud will show you a nice big, green dot on a map to show where the device is, but that is not all.

From here you can have your device play a sound, which is the same annoying ring for each device, although it’s worth noting that for a MacBook the ring will not sound if the lid is closed and the machine is suspended. As a matter of fact, little will work, although the iCloud interface can alert you when the device is found. This will create a popup prompt on all your other devices when your missing device is back online and able to report its location. When the device is ‘found’ you’ll also receive an email stating the location where it was found and the time.

In the case of the ‘play a sound’ feature, by the way, iCloud will also shoot you an email saying that it played a sound on the device.

What may be even handier in the event of a lost device is your ability to lock the device remotely for laptops, or even enter ‘Lost Mode’ for iPhones and iPads. In this mode the lock screen on the device will display a phone number (which you tell iCloud) and a brief message. This message stays in place until the device is unlocked.

Finally, iCloud has the ability to erase any of these devices remotely. This process seems kind of scary, but clicking on the ‘Erase iPhone’ button kicks off a series of confirmation steps which require you to enter your iCloud account password, and then a phone number and brief message that will be displayed once the erase is complete. It gets to work immediately, by the way. For an iPod Touch it took less than five seconds to start, and perhaps three minutes to complete.

So now you know what your options are with your iDevices. The cynical side of all of us can assume that each of these features is likely to make your movements (and perhaps your data) accessible to the NSA, but if you’re not a tinfoil hat wearer I think you should take comfort in having this many options in the event you lose one of your devices.

Mobile device security policies

I recently ran into a situation at work where a colleague of mine was traveling overseas and lost her iPhone. After the initial ‘oh crap what would I have done?’ reaction to this scenario I got thinking about the implications of mobile devices and information security. This doesn’t require a very high level of training in IT security to think through. Someone who has your phone in hand probably has access to:

  • Your contact information and the contact information of everyone you call or text
  • Your photos and personal experiences
  • Some browsing history
  • Your music
  • Your ability to purchase things through either the iTunes store or Google Play
  • Saved credential-based access to websites you frequent from your phone

How much of this would you be willing to give away?

Many people scoff at this loss since they have already wisely configured a passcode to prevent unauthorized use of their phone. This is great for keeping your nephew away from Angry Birds, but several methods exist for bypassing passcodes, depending on your model and operating system version. Dedicated phone intruders could skip these junior high approaches, however, and jump right in with tools designed for digital forensics like EnCase or The Sleuth Kit.

By the way, if you think in terms of a hardcore attack of your iPhone data, keep in mind the possibility of someone attacking your iTunes backup of your phone, stored on the local disk of your computer. Even if you chose to encrypt that backup, it’s subject to brute force attacks. And it contains pretty much every single thing your phone holds. I happened to find someone’s paper on attacking mobile device backups and mobile devices themselves pretty easily on the web. Check it out at SMU.

Protecting a mobile device once it has been left behind in a taxi is pretty tough, so how should we protect ourselves in advance of this? Obviously using a passcode and encrypting things where we can is the bare minimum, but a broad mobile device policy seems to be the smart thing. This policy ought to include the following components:

  • To whom does the policy apply and under what criteria? (Are iPads included? Surface tablets?)
  • How is the mobile device provisioned under the policy? (Are technical policies pushed from a central resource? Is the device documented in inventory?)
  • What are acceptable uses of the device?
  • Under what conditions will the device be excluded from the policy?
  • What actions need to be taken in the event of a lost device?
  • What actions need to be taken when the device is de-commissioned?

The SANS Reading Room is one of my favorite places to go for academic discussions of stuff like this, and I was able to quickly find a paper there on the subject of mobile device policies in corporate environments. This is a very practical discussion of all the moving parts of such a policy, and does a great job of outlining the vocabulary and the process of getting something like this rolling. Nice work, Nicholas.