How to Protect Your Mobile Device from Loss, Theft & Malware
February 27, 2007
Veteran security researcher explains what you can do to safeguard your cell phone, smartphone or PDA, as well as yourself.
Expect it to be a common occurrence; probably as common as the lost pair of sunglasses. As personal devices become more numerous in shape, size and functionality, they will become a part of us. And until that happens quite literally, we stand a chance of leaving a part of ourselves behind at the cafe, at the newsstand, or on public transportation.
Quite possibly you will only lose your list of contacts, easily restored to a new device from your PC back at the office. Sometimes more confidential information will be lost, or even stolen, and you may not know for quite some time whether somebody will use their ill-gotten gains in a criminal manner. While the device is in your possession, what can you do to protect it, and yourself?
To start, lock the device with a very strong master password. This is the highest level of tamper protection for the unit itself, and all personal devices have this or a similar ability. If your device doesn't, reconsider its worth.
Keep in mind, however, that it is only a matter of time before somebody determined enough to view the contents of your device will crack the password by brute force. But protecting it with a password that is difficult to guess could provide the time you need to remotely disable the device.
"Secure" encryption methods provide even greater security, but have also been shown to have a limited usable lifetime. With that said, personal files on personal devices can and should be encrypted. Following the theory that an encrypted file becomes less valuable over time, you protect critical personal data from potential attack for long enough that it becomes worthless. An example of this is protecting credit card and account information long enough for you to find a phone and cancel the account.
Net-net: Expect to lose your PDA at some point. To protect against the effects of the loss, use the master password protection of the device, as well as password protection mechanisms used in other mobile applications, to your greatest advantage. Along the same line of thinking, use file encryption.
What else you can do to actively protect your device
1. Disable Bluetooth discovery mode.
2. Disable unused services (SMS, HTTP, J2ME).
3. Don't accept unsolicited file transfers from other devices via Bluetooth, SMS, etc.
4. When online, use the same "best practice" precautions as you would while on your PC's browser. This applies to your use of the Internet (browser, IM, etc.) and to reading e-mail.
5. Be wary of what you do in public, for example accessing bank accounts and transferring funds from one account to another. Open public spaces actually afford more of an opportunity for malicious people to eavesdrop than do small internet cafe settings. Along the same lines, be careful of what buttons you press while in quiet spaces (each press simply generates a tone that could be recorded and played back). It is better to work from places that have a higher level of ambient noise.
6. Find a phone with the service option to remotely kill it when it is irretrievably lost.
7. If retrieving the device is the only option, help the process along by equipping it with GPS software. Many cellular providers offer this service. As long as your phone is in operation, you should be able to get a rough location of it.
8. If you have a habit of losing things, rent! Because they are only temporary, rented devices tend to carry less data.
9. Remember to remove any memory cards before returning a rented unit!
10. Be sure to clean the device per the device manufacturer's (or rental company's) recommendations before returning a rental unit. The same holds true when disposing of the device. When disposing, you also have the option to physically destroy the memory chip(s).
11. To protect against monetary loss of the unit itself, consider insuring your device, but be aware that not all providers offer additional insurance on the devices they sell. For example, you will receive a manufacturer's warranty on the $400.00 Palm Treo you just bought, but should not be surprised when your cellular service provider can't insure it against damage or loss.
Shane Coursen, Senior Technology Consultant at Kaspersky Lab, has held lead virus researcher positions with all of the major anti-virus players through the past five years, holding senior-level virus research positions since 1996. He has published industry-related articles and presented at a number of national and international anti-virus conferences.
Story courtesy of PDA Street