My idea behind smartphone passwords!

This month several friends and co-workers of mine had their devices stolen. As most of you know, both of the major ecosystems (Android and iOS) now offer services that let us track, lock and erase a device remotely if we become victims of theft: Find My iPhone through iCloud on iOS, and Android Device Manager on Android. The problem with these services arises when the smartphone is restored to factory settings. Of course, once the victim remotely locks a device, the thief has no way into the device's settings. Or does he?

Let's think about it a little. For a device to be useful there must be some safety valves. For example, if the device becomes soft-bricked (or otherwise unusable) we need a way to get access and restore it to factory settings. This is achieved with Recovery mode on Android and DFU mode on iOS, in most cases entered with a button combination, which lets us wipe the device's flash storage and reinstall the OS. Once the device has been wiped and reinstalled, the victim has no way to track it again without the intervention of the police. (One caveat: on iOS 7 and later, Activation Lock ties a wiped device to the owner's Apple ID, and on Android 5.1 and later, Factory Reset Protection does the same with the owner's Google account, so a wipe alone does not always yield a usable phone; the rest of this post considers a device where no such lock applies.)

Now, thinking like someone who has just found a lost device on the pavement, or stolen one, the first thing they will do is check whether it has any kind of protection. If it has none, the odds that the finder or thief simply uses the device, without touching the OS at all, are really high. If it does have protection, the finder or thief will proceed to erase the phone and use it, leaving us (the ones who lost the device) no chance of tracking it.

To conclude, my opinion is that we are better off putting passwords on the specific applications that hold sensitive personal data (gallery, messaging and social networking apps) and leaving the device itself without a lock screen. This way we increase the chance of tracking a stolen or lost device, because erasing it will not be the finder's or thief's first priority.

You wouldn't have to hide it if it wasn't something wrong!

I would like to hear your opinion on this topic and discuss it, by comments, email or any other channel you prefer! Thank you for supporting me 🙂

Cr0wTom

6 thoughts on “My idea behind smartphone passwords!”

  1. If my device is not secured, the files could be tampered with, software could be installed without my knowledge and encrypted files could be cracked by brute force.

    So you’re basically saying that leaving my devices vulnerable to an attacker, with a possibility of file compromise, is better than losing a device, but keeping data integrity?

    1. By the time someone has brute-forced your files (which is extremely difficult with current hardware capabilities), you will have found him. As you read, I said that I suggest encrypting your files and applications, because the finder will not set about erasing the device as fast as he would in the case of a locked one.

      1. So even if I get my device back. Let's just, for the sake of the discussion, imagine that I am able to retrieve my device from the thief with the help of the authorities. What certainty do I have that my device and/or my information has been tampered with? My only option to ensure that my device is still secure is to do a factory reset, therefore losing all my data. I'm back where we were before: either I lose my device and talk to my insurance company, or I possibly lose data integrity.

  2. This post of yours conveys a terrible idea.

    First of all, do you know how much sensitive information is stored on the phones of most people, especially information that you might not think of? For example, even if I manually encrypt my files, what is stopping an attacker from driving to my house, automatically connecting to my private WiFi network and retrieving files from my network? There are a lot of unintended consequences when an attacker has full access to your phone.

    Also, you put too much faith in law enforcement to actually recover your phone when it is stolen. Even if they were going to try this, it is trivial for an attacker to stop them simply by enabling airplane mode for a while.

    Next, do you think you can find applications for every task you execute on your smartphone that are password protected and actually store your data in a safe way? As part of my job, I regularly investigate the security of mobile applications. More often than not, even the secure applications leak at least some data.

    Finally, losing a 50-800 dollar device sucks. But even so, protecting your private information in almost all cases outweighs the cost of your device, which you have only a very slightly larger chance of recovering using your technique.

    The quote at the end, "You wouldn't have to hide it if it wasn't something wrong!", is so wrong in itself. But I won't start an argument about that here.

    I am sorry if I am coming across salty, but I believe that advice like this is harmful. I would like to hear your opinion about this.

    1. Hello Ben,

      First of all, it is only an idea, not a method, and I am here to hear more opinions about it. Also, thank you for the time you spent answering. 🙂

      Now, the whole idea is based on the tracking services of Android and iOS, not on law enforcement. You misunderstood. All I say is that if the potential thief finds a device open and without a password, there is a higher chance that he or she starts using it (and makes no move to erase it), and on your side (the victim) you will be able to track him with iCloud or the Android equivalent. The key is that once you have lost your device you have to move fast, and if you see that you cannot retrieve it, there is always the option of instantly locking and erasing your device remotely through these services.

      Also, as I said in reply to the previous comment (about the brute force), what are the chances of someone coming to your home, connecting to your WiFi and retrieving files given the current safety measures? If you are so cautious about security that you think you need a password on your device, I assume you have installed the latest updates for your operating system, browser, firewall etc., so you do not have any problem with the possibility of someone connecting to your network (unless the thief is a genius and has 0-day exploits for your systems; nearly zero chance).

      Nevertheless, I am not saying that it is totally correct, but I think that I have answered most of your questions. I am waiting for your reply and I will be happy to discuss it further. 🙂

      Regards,
      Cr0wTom

      1. So, letting someone who stole my device into my network is no concern either? That's like inviting people to snoop around in your network share, monitor your traffic, or download tons of compromising material. Any unknown user in your network is a potential threat, and if you don't see any risk there, you are way more blind than I expected.
