Lost and Found

Losing your laptop or phone is one of the most devastating things that can happen. Not only is there a loss of whatever data wasn’t backed up, a loss of business continuity as you find and re-build a replacement, but there’s also the potential of loss of critical data. This is actually one area the phone is substantially better – you can carry it with you everywhere. Like I discussed before, you’re far more likely to bring your phone with you to the bathroom than act like a nut-job and bring your laptop. It’s just a fact. Even if you’re extremely good about keeping your laptop bag with you at all times, it’s just far more likely that you’ll be separated from it than from a smart phone.

But I’d be remiss in saying that a smart phone is a perfect solution. It too can and does get separated from your hands. You go through an airport, it’s out of your hands. You want to show someone a video? There it is, in someone’s hands, unlocked. I have even been told I can’t bring my cell phones into a meeting – so there it sits in some basket outside of my direct line of sight. Let’s ignore the threat of malware for this post, because that’s a different threat vector in a number of ways.

So what do you do when your cell phone is stolen to prevent bad things from happening beyond the immediate loss of the hardware? There are some pre-emptive steps you can take and some things you’ll have to do after the fact:

Let’s start with the pre-emptive steps:

  • Keeping your phone locked with a password is the first line of defense. If you can limit it to a number of failures before being wiped that further increases your safety. If your phone is locked, the data within should be safe barring any other vulnerabilities in the phone. I really recommend a relatively short timeout (E.g. Less than 5 minutes) before the screen locks, but not so short (Eg. Less than two minutes) that you have to type your password/passphrase often in public, as that creates more likely opportunities for shoulder surfing the password/passphrase.
  • Disable Wifi on the phone when out in public. You don’t want the phone connecting to a random Wifi and being man in the middled so that content it sends over the wire is visible. Apple has made a lot of progress here by requiring that apps communicate over HTTPS, but that’s still not 100% rolled out, given that there are many apps that have circumvented this rule.
  • Disable any notifications so they aren’t readable on the locked screen so that information isn’t leaked to whomever has the phone ahead of time. This often requires a lot of configuration of each app’s notifications.
  • Use a long passcode/passphrase instead of the short 4 digit pins or equivalent, so that brute force is significantly more difficult. I know it’s annoying, especially when you’re in a hurry, but it does provide a significant barrier to someone breaking into the phone once it’s outside of your control.

After the fact:

  • Use any/all services you have to locate the phone. Maybe your friend picked it up for you at the bar. You can attempt to call it as well. At this point it’s probably gone and you can move onto the following. On trick is to allow one of your close friends to always have access to your phone’s location. That’s a lot of trust though, and understandably comes with its own risks.
  • Remote wipe the device if you can.
  • Immediately change all passwords to all of the services you use, and ideally lock that phone out from any APIs it is authorized to once the phone is deemed lost.
  • Disable VPN accounts, and any SSH keys you use. As an aside I don’t recommend SSH keys as the only line of defense for exactly this reason – if the machine is compromised they have instant access to the remote server. I prefer SSH keys be used to jump to bastion hosts or VPN tunnels, but then passwords be used from that point on, so that even if an attacker does get access to the bastion host, they can’t pivot into the other machines because they lack the password. Passwords are easy to brute force though, so that’s why you use them only after a key is required. It’s a bit like second factor auth in a way.
  • Assume email has been compromised, shut down the accounts immediately. This is one of the most critical steps, because email typically has a lot of passwords, and PII in it. And worse yet, most of the services you use require an email for password reset. Once they have access to email they have access to everything. This means every password needs to be changed that exists in your email, and anywhere you use that password should also be changed.
  • Assume that all apps that have access to your credit cards have been compromised – think things like Uber, and Amazon. Unfortunately this means you need to cancel your credit card immediately.
  • Assume all chat clients that you have logged into have been compromised. iMessage, SMS, Facebook, Instagram, Snapchat, Signal, Twitter, Yahoo!, MSN, IRC, Slack, Hipchat, WeChat, Skype, etc… etc… Only chat clients with ephemeral OTR are reasonably safe because they auto-delete content over time, but even still, the adversary can read recent messages and contact your contacts as you, so you’ll need to disable the account/change passwords, etc if that’s possible.

The nice part though, is that while all that stuff sounds bad, if you follow the very first step, you may have no issues at all to worry about other than replacing the device. So in many ways the primary defense really is the best one – a good password and keeping it locked when it’s out of your sight.