Schneier on Security
A blog covering security and security technology.
« Law Enforcement Forensics Tools Against Smart Phones |
| The Battle for Internet Governance »
April 4, 2012
Lost Smart Phones and Human Nature
Symantec deliberately "lost" a bunch of smart phones with tracking software on them, just to see what would happen:
Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a filed named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were checked by 60 percent. And a folder labeled "private photos" tempted 72 percent.
Collectively, 89 percent of finders clicked on something they probably shouldn't have.
Meanwhile, only 50 percent of finders offered to return the gadgets, even though the owner's name was listed clearly within the contacts file.
Some might consider the 50 percent return rate a victory for humanity, but that wasn't really the point of Symantec's project. The firm wanted to see if -- even among what seem to be honest people -- the urge to peek into someone's personal data was just too strong to resist. It was.
EDITED TO ADD (4/13): Original study.
Posted on April 4, 2012 at 6:07 AM
• 48 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'd like to see the study repeated, but turning in "lost" smart phones to the police and then seeing how many departments forensically image/inspect them before attempting to return them.
I guess this shows most of us are "defectors" from social norms when we think we are not being watched...
That said however some of the "looking" might have been people trying to find details to contact the owner (then again maybe I like to think the best of people ;)
I'd return the smartphone, but I wouldn't resist trying to see the personal data first :)
And that's why I keep personal data to a minimum on my iPhone.
A sample size of 50 spread out "over the US and Canada" ... and they're looking at stats within specific cities?
Nice idea, but whomever designed this experiment needs a remedial stats class. And the reporters could use a refresher, too.
Yup when I saw "fifty phones" and odd percentages I thought "ugh ha somebody cann't count" ;-)
I wonder if Symantec has also heard that Smart phones are the new attack vector for high security air-gapped networks. Much more versatile than a USB stick and with built in RF back haul link.
Yeah, the assumption that people are doing something wrong when they're looking at personal data on a found phone is absurd. I once found a phone. I used the address book to figure out whom it belonged to.
I think this falls into the "Well, duh!" category.
Besides, how many people have files named "HR salaries" or "private photos" on their computers? This was entrapment.
I don't want to mention files called "password". :-)
Randy - dontlooknow
What if honest people are less likely to pick the phone even if they see one?
In addition to a better sample size, I think it's worth noting the mindset of honest people.
If an honest person happenned to spot a phone on a park bench they would likely think "Well that's not mine and the owner might come back, so I won't take it." (The "somebody else's problem" field is likely also in play.)
A dishonest person, however, is always on the lookout to take advantage. A phone on a bench isn't something to be ignored but what they are always on the lookout for.
So, even with a decent sample size, we can only draw conclusions about what would likely happen to one's data if a phone was lost, but nothing about how honest people are. A lost phone is more likely to fall into the hands of a dishonest person.
I'd like to see the study repeated, but turning in"lost" smart phones to the police and then seeing how many...
How about actually get returned to their owners...
About twenty years ago a BBC program decided to test the honesty of "lost property" people at various large organisations including those at railway and police stations.
The researchers handed in wallets with no contact details but things like personal photos so that other researchers in the team could prove ownership and reclaim them. Each wallet had some money in them.
I can not remember the exact details but nearly all institutions they tried including the police some or all the money went missing...
I gather since then some of these organisations now carry out their own "honesty tests".
Smart phones are the new attack vector for high security air-gapped networks
I've been aware of some of the obvious potential for this (ie people are daft enough to plug the USB lead in to recharge etc) but I've not been able to find specifics on other potential vectors.
I'd be curious to hear if some of the more interesting active attacks (Hijack etc) that were known about with old style mobiles thirty years ago are happening today.
The interesting part of this study is the line:
"No security software or features (e.g. passwords) were enabled on any of the devices, in
order to enable finders to initiate virtually any action without any complications."
I have a problem with a study like this. It's designed to heighten fear by building in threats that don't exist if basic due diligence is done. People are curious and will look through a billfold they find - this is no different. The researchers have intentionally piqued curiosity and removed any restrictions.
How's this for piquing curiosity: "...files such as “HR Cases” and “HR Salaries” were represented on home screens with icons that looked like recognizable document types such as the PDF format or popular business- or productivity-oriented file types." - would you look at these files? Obviously most folks...
In this statement they try to down play their suspect approach: "Regardless of the motivation of the person accessing the phone, the fact that they may be accessing sensitive data should be a major concern to the device’s owner, and possibly their employer."
If this study was about properly protected smart phones I would give it more credibility. As is, I see it as a deliberate attempt to raise fear in order to sell products.
Fear statement abound in the document. Here's one: "...such a confidentiality breach on a personal or corporate smartphone could result in major embarrassment, psychological stress or even extortion or discrimination, depending on the nature of information accessed."
By eliminating all barriers to the information, the study is worthless as a security report in my mind. All they are reporting on is basic human curiosity, and there are plenty of better studies out there on curiosity. This is a vendor inventing something for us to be fearful about.
I have to agree, I thought the article was pretty silly. Yes people can be pretty curious. So what? How many of these people would have tried to misuse the data? The one story of the bank password was cherry-picked.
Once I found a thumb drive on the ground. Like commenter Colin, I figured the best thing to do was leave it for the owner to find later, so I hung it prominently from a railing. When it was still there 24 hours later, I took it home. Yes, I looked in all the files, including one that may have included private information, but, like commenter Clive Robinson suggests, I was primarily trying to find who to contact. I was also trying to assess the value of the information to the owner so I’d know how much effort I should invest in returning it.
It’s really hard to know what to make of Symantec’s results. Oddly, they don’t report how many not only looked at the private information but tried to use it maliciously (e.g., try to transfer money using the on-line banking app and password file). Maybe no one did, at least, none of those who returned the phone.
"50 percent of finders offered to return the gadgets, even though the owner's name was listed clearly within the contacts file."
This appears to be a catch-22 situation for the finder.
Either be "nosey" or "dishonest".
I would look into social networking tools (or some other app mentioned in the article) to find out the phone owner. I would not expect to find that information in contacts. My phone does not have my own information in contacts file.
I would not see a major 'defect' in opening the "HR salaries" file. I would check that out of curiosity or to get the idea for the next salary negotiation. I would not considered that a huge invasion of privacy.
I would agree that honest people may not pick up the phone to begin with.
With that, maybe symmantec will just use this for marketing best practices (probably along with a product) to 1) use the security lock and 2) be more cognizant of what you have access to on your phone and 3) keep track of your phone.
There is way too much FUD over mobile security. I went through the Verizon DBIR and the Privacy Rights Clearinghouse database looking for smartphone breaches. In all of the 3854 incidents comprising 719M compromised records, there were only four breaches that involved a smartphone (2547 records). two were lost Blackberrys, one was unnamed, and one was a call center employee photographing screens with sensitive customer info.
That being said, there is a need for basic due diligence in security controls: device and application passwords, and corporate data encryption. Beyond that, and until this is a real threat, additional security controls are wasted money that should be spent on the real security risks. IMHO
The moral of this story seems to be as simple as "why the hell do you still not have a lock screen on your smartphone, dummy??"
So it takes an extra 3 seconds to open your phone. Read the article again till you change your mind.
"Clicked on something they shouldn't have"? Thats pretty subjective. Is Symantec the rule maker when it comes to should do/shouldn't do? If you find a wallet on the ground are you also not supposed so see how much cash is inside?
If I ever find a phone I'll prolly try to return it, but absolutely I'm going to see if there's any cool pictures/whatever on the phone
In some cases if you find a phone/purse/wallet, some minimal investigation is likely the right thing to do.
A few months ago I found a purse next to the curb in front of the (empty) house next door. There were a few possibilities- either it was abandoned by someone who obtained it illegally, or it was left by someone who was in the neighborhood and distracted as they were leaving. I did a minimal visual inspection and noticed a wallet and phone. I flipped open the wallet first, and it had a drivers license of someone who isn't a neighbor. So I checked the contacts list of the iPhone and scrolled through until I recognized the name of my neighbors across the street. I took it over there, and it turned out to belong to their nanny, who was out with the kids, but then got it back right away without having to search. Sure, I could have taken it to the police without checking, but that would have added a lot of inconvenience for everyone involved, and offered no advantage at all.
Did I poke through private information? Yes, though minimally (unfolded a wallet and flipped through a contact list) and with no intent to do anything other than identify the owner. The police probably would have poked through more than I did.
There is way too much FUD over mobile security
There is and there is not depending on your perspective.
Locking your phone could be looked at in the same way as shutting your windows (the ones on your home not your PC ;)
It used to be the case that people would go out of their home in warm weather and leave the windows open, they might not even close let alone lock their door (unless it had a snap lock on). It was not unknown for a neighbour to pop in and borrow a cup of sugar or flour etc rather than trudge off to the shop whilst in the middle of baking etc.
When I was a youngster even in quite densly populated urban areas it was still very common if not the norm. In fact I used to know of many people who used to leave money by an open window to pay either the milkman, window cleaner or coalman (yes I'm that old...) it was considered normal behaviour.
However in what many regard as the break down of society "helping yourself to other peoples property" has become more prevalent and if you live in urban areas around a large city you probably have not only the windows closed but have locks on them as well (partly because of insurance companies partly because of fear). But it is noticable in quite a few small villages etc "out in the sticks" or countryside in very rural areas that people still leave not only their windows but also their doors open not only during the day but quite often at night.
The average "urbanite" would be both supprised and shocked to see this rural behaviour (along with being jealous and wanting to live that life). Likewise those living that rural life would be horrified at "city life" and what the urbanite would consider normal behaviour.
Thus I suspect that in areas like NYC and other major business areas having phone security enabled is considered normal, not of necesity by personal choice but normal none the less. However in places like Orange County and other effectivly wealth segregated or "gated communities" I would suspect having phone security enabled would be looked on as a little wierd.
However as time changes and mobile phone theft rises (as it almost certainly will) peoples viewpoints will change.
@Lukas: "Yeah, the assumption that people are doing something wrong when they're looking at personal data on a found phone is absurd. I once found a phone. I used the address book to figure out whom it belonged to."
I don't think they considered the address book to be personal data. If you're viewing the "private photos" folder before checking the address book for a way to return the phone, I think you're doing something wrong...
Let's hope Symantec apply better scientific rigour to their software than they do to 'research'...
Since we have all these gurus hanging out here at Schneiers I wanted to ask a question...(this might be "dumb" so be forewarned)
Considering that the modern phones can be charged through the phones USB port. In the scenario that this question refers to, a set of "Android" phones are connected to wall outlets for charging at some large company.
The question is, how possible would it be to transmit a virus to all these "Android" phones by means of fluctuations in the powerline?
"The researchers have intentionally piqued curiosity and removed any restrictions."
Bingo. The study doesn't test honesty; it tests curiosity. It's throwing tuna in front of a cat. What makes cats different is what they do with the tuna, not whether they go up and smell it. The fundamental conceptual flaw in the study is that it assumes honest people aren't curious. In other words the assumption is a straw man that doesn't even pass the smell test, to continue the metaphor.
Now let me rant for a moment. This is the type of shit that pisses me off and frankly brings the computer science profession into disrepute.
Step 1. Get some random technology.
Step 2. Throw it at people in some random way.
Step 3. Analyze how people react to it.
Step 4. Hey everyone, we're psychologists!!!
No you're not. You're just retarded people who are drooling all over yourselves, everyone is laughing at you, and you're too stupid to know it.
@Daniel (a different one):
Perhaps its not "robust science" with large stats, but hey. Lets talk about the medical studies where N=13 or some stupidly low number like that. I can't count the number of reviews of peer-reviewed journals I've seen which say "the results are amazing, but the sample size is so abysmal we can't even pretend the results mean anything at all." But they get published!
Personally, I develop software for an in-house group. My entire userbase is smaller than their sample set. Yet I have to do psychology on my users (in fact, a subset of those users) because I have to do SOMETHING more than random guesswork.
@Clive Robinson -
I don't think the analogy of an unlocked house really applies. Anytime a corporation allows smart phones to carry their data the "doors and windows" should be locked. If they can't enforce basic security controls, they are asking for security breaches. My argument is that basic controls are good enough. The motivation of the 'attacker' that steals or finds your cell phone in almost certainly to wipe it and use it or sell it - not to attempt hacking it. The latest versions of iOS and Android security controls are pretty darn good. Layer on an MDM solution and you have security that will protect you from virtually all the attacks you are likely to encounter. As mobile device hacks evolve that can certainly change - as with ALL data security issues.
I remember finding a wallet (including some cash) on the sidewalk once recently. I had to go through everything in it in order to find some contact information for the owner. It might not be obvious what to do when finding a smart phone.
I once found the Blackberry of a junior partner in a NYC law firm. I know who he was because turning the phone off and on told me what number it was, and I did a search for that number. Other than that, I didn't look at anything else at all. He was most grateful that I was able to return it to him.
Likewise, I lost my wallet in NYC. Despite the driver's license having the wrong address, the finder was able to return it to my California address. In it was the $62 and my credit cards.
As written elsewhere herein, Most people are honest.
What is really annoying on Android is that the lock timer and screen timer are the same. For example if you want the screen to timeout after 30 seconds of inactivity then the lock is also turned on when the screen turns off.
You can't for example have the screen turn off after 30 seconds, but have the lock turn on after 5 minutes. The same value has to be used for both. Is it any wonder that people rarely have their Android phones lock? (There has been a Google bug ticket for this for many years - they have done nothing. Some vendors have implemented separate timeouts.)
I'd have looked in the HR file. It's very likely to have email addresses and other contact details, which is the start of a lever to get the thing back to its rightful owner.
"I've been aware of some of the obvious potential for this (ie people are daft enough to plug the USB lead in to recharge etc) but I've not been able to find specifics on other potential vectors."
Yea that's the way you do it. Drop a smart phone in the parking lot, best if it has the company logo or something official / identifiable on the startup "splash screen", make sure the battery is sized / discharged so that you cant actually get anything done before it shuts down. You then rely on people noticing that it's got a USB charge port, and concluding that I'll just plug it in to my computer USB port to charge it....
Everyone knows better than to plug in a dropped USB memory stick, BUT this is an important phone, I'd better get it back to someone and ...what network harm can a phone possibly do?
There are several variations on the idea, but all try to guide the finder towards plugging the phone into a USB port on the air-gapped side of the network
i cant give anymore details, on this attack.
OT: What is interesting is that the reduced battery life on many Apple and Samsung smart phones (only a few hours)
is resulting in many employees charging their personal smartphones at work. This by itself is a security nightmare, when USB ports are the preferred charge method. Now what is really worrying me is the additional fact that we getting lots of reports of sudden and complete loss of data stored on these quick-swappable smartphone Flash memories...think about it....
Would you really expect to find the owner in the contact list? Maybe relatives, but probably by name, so this won't help identify the owner.
I woud expect to find the owners employer in HR documents, I would expect to find the address of the owner in banking documents, I would expect to find the email address in the emails, ...
Is it really just curiosity to search there?
Like many others here, I classify myself as honest but also curious. I would probably look at the HR data just to satisfy my curiosity. But in the end that data is useless to me unless their IT guys make more than I do and I should perhaps send them a resume.
I might look at the passwords again more out of curiosity to see how good the owner's passwords are. I wouldn't use any of the logins.
I might be tempted to look at the banking app, but I would never even consider to abuse that data.
OT: What is interesting is that the reduced battery life on many Apple and Samsung smart phones (only a few hours) is resulting in many employees charging their personal smartphones at work. This by itself is a security nightmare, when USB ports are the preferred charge method.
It's not just phones... The first real evidence of this sort of wholesale attack via the supply chain was on Apple media players (this was a long time prior to the term "APT" surfacing). Loaded onto the media player prior to "shrink wrap and security seals" going on the purchase presentation pack, was a PC virus, Apple indicated it had been done by one of it's subcontractors, but the details at the time were a bit sketchy (ie the "who what and where" were not indicated).
And yes I know both Apple and Samsung use Chinese sub contractors for all their products as some part of the production process.
Likewise those manufactures of the memory cards they include with the phones, and you can bet (a years income against a pinch of salt) that those memory cards are not checked for malware before being put in the presentation box. Also as this is usually done at a sub contractor it's a not unreasonable bet that Apple and Samsung don't even know if the memory cards are the ones they purchased...
Now as Apple is popular with both Gov and Mil types as well as managment and psudo geeks their products get in all the "best places" for APT. Which is an issue not lost on the DOD, NSA et al, which might be a reason behind Apple setting up a new production facility in Texas and effectivly shortening the supply chain...
However getting back to memory cards, the fact is that you realy don't know what's in them...
At the very least we know they contain the uCard comms interface into an onboard CPU which mediates via various life extending algorithms to more flash memory than is printed on the packet, or accessible by the host device...
In actuall fact we know that some memory cards contain considerably more flash than the packet says simply because it's less expensive to make a single production line of large capacity devices and "hobble down" to fill other product lines than it is to have multiple production lines.
If you are of a curious / suspicious mind then the question might arises of 'With a CPU and spare memory that is hidden from view just what sort of nasties could be hidding in there, tucked out of sight behind the CPU'?
Now it's been a while since I looked in this area with a storage scope etc but it used to be the case that the signals on the comms interface were driven by software on the host device and as such varied slightly from device type to device type. Effectivly leaking information about the host device. Thus there is a reasonable chance the CPU in the memory card could "enumarate the host device" and know reasonably well what it's plugged into...
So to the curious / suspicious mind another question then arises of 'What capabilities does this give for covert action by the supplier of memory cards?'
Which brings me onto your last comment,
Now what is really worrying me is the additional fact that we getting lots of reports of sudden and complete loss of data stored on these quick-swappable smartphone Flash memories...think about it....
We know that the various memory card specs allow for not just selected deletion but "bulk deletion" of the whole device, the question then is 'Where does the command originate?', followed by 'Why?'.
As you and I have discussed before a suitably long binary string/number could be used as a trigger for hidden malware not just in software but hardware. The length of such a string effects the probability of it being discovered, the longer the less likely. But importantly to be usable the trigger string would have to fit within the alowable length and range of a comms protocol which would keep it relativly short.
The problem with most comms protocols is there is very rarely a uniform distribution across the range as many are designed for one reason or another to be human readable (it eases testing and compatability). So if you were looking to pick a "hidden trigger" string you might well pick one that was on the fringe of the distribution.
Now how might this go wrong... let's assume for arguments sake the hidden trigger is chosen to be in the file name. Most memory cards used for file storage use MS FAT for compatability reasons this allows for the 8.3 "printable character" file name with some characters reserved for extended file names. Thus not only is the length short, it's range is also restricted. But as the field is ment to be human readable it has a very biased distribution as humans don't as a rule use random file names as they convey no meaning.
But in most cases the lower levels of the file system tools will alow you to use the larger range of non printing characters as well. So the choice of trigger string might be chosen to be an improbable file name to reduce the chance of accidental triggering. Both the Apple and Android OS's are unix based and the unix file system unlike that of earlier MS OS's does not care if you use some control chars, so alowing a larger range across the entire file system tool range.
Now most of the Internet servers actually run on Unix for one reason or another and content managment systems especialy those that differentiate between desktop and mobile web browsers have some very odd file names that are effectivly generated automaticaly, because they are not ment for "human reading" just "link clicking". Thus having a much wider distribution they would have a higher probability of hitting a trigger word picked to be not human readable.
I'm by nomeans saying this is what has happened, but if you don't go through the thought process you won't see the possibilities that others have and might have chosen to use.
So the conclusion is "people access personal information about others," brought to us by a group that deliberately gathered (and published - see the map) personal information about those finding the phones.
I wouldn't look at their pictures because I hate when people insist on showing me their pictures on their phones. No one ever shows just one - once they've got you, it goes on and on. Yuck. Why on earth would I look at phone pictures when there's no one standing there demanding I agree that their is the most adorable kitty cat ever?
And what could possibly be of interest to me in their documents? I don't think I'm so much a virtuous person, as I am just not finding these lures even remotely tempting.
Maybe the ones who didn't look are like me and they just don't care. We'd probably all be snoopy and dishonest given the right lure.
The game Skyrim allows, among other things, the ability to pickpocket people. Peeking to see what people have in their pockets is free and without risk, but taking something might get you caught. I have "just looked" many more times than actually taken things, even when I didn't expect to find anything interesting.
The area between social acceptance and perceived harm is very interesting.
I find it somewhat disturbing when the subject of lost wallets comes up, how many people think the "right" thing to do is to return the wallet AFTER REMOVING THE CASH.
No, it's not.
I've found phones twice. I go into contacts, find the most likely looking prospect (in one case, "Dad") and call that number to arrange giving it back.
People know what's right. They just justify what's wrong.
"Would you really expect to find the owner in the contact list? Maybe relatives, but probably by name, so this won't help identify the owner."
You're likely to find a person's emergency contact listed under ICE (at least in the US). Or a family member with a surname in common with the owner, or a nearby contact of the owner, also listed by surname. My neighborhood is pretty small and I know the surnames of most of the neighbors, so a quick spin through the contact list of the one found on my street got it back to the owner, even though I didn't know the owner. Going through the "recent calls" was my second choice-- if there a lot of calls to a single person, you can call that person and have some confidence that they can get ahold of the phone owner. I've seen that work successfully in the middle of nowhere on a bike ride.
@Clive Robinson at April 4, 2012 10:56 AM
You can have it both ways here:
Customize the lock screen of your phone so that it displays the phone number of your Dad and/or your home, and/or your e-mail.
My takeaway from this article was that I needed to put a lock code on my phone. I had already made my teenagers do it to their phones to prevent tampering by friends, but hadn't done my own.
I created a lock screen wallpaper with a note: "If found, call XXX-XXX-XXX"
One security issue not mentioned in the article is that if the smartphone has email setup on it, then an attacker could possibly use the password reset function of many web sites to have a new password sent to the phone. If the site's login is the user's email address (which is already available on the phone) then the attacker could possibly gain access to a secure website just from finding a phone.
What amuses me is that people would snoop without taking the precaution of taking the SIM out first!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.