“Honey Stick Project” Exposes Risk from Lost Smartphones

In order to get a look at what happens when a smartphone containing sensitive corporate information is lost, Symantec loaded 50 phones with tracking software and fake “sensitive” information, and then scattered the devices across multiple cities in North America.

The test, called the Honey Stick Project, was designed to see what really happens when a smartphone is lost and collected by someone other than the owner.

Once the mobile devices were loaded with the simulated personal and corporate data, Symantec dropped the 50 fully-charged smartphones in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada. The devices were intentionally “lost” in different types of locations including elevators, malls, food courts, public transit stops and other heavily trafficked, publicly accessible locations.

With the remote monitoring software installed, it wasn’t long before the phones started to move. Tracking showed that 96 percent of the devices were accessed once found, and 70 percent of them were accessed for both personal and business-related applications and information. Less than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for; the others were all found.

Phones can be worth more than your wallet to people who buy and sell personal info on the black market, and that was exactly the point Symantec was looking to make.

Going further, 45 percent of the devices located reported an attempt to read corporate email, and the remote admin application was accessed 49 percent of the time. A file named “saved passwords” was also one of the top selections, with a 57 percent access rate. Access to social networking accounts and personal email were each attempted on over 60 percent of the devices.

Additionally, 66 percent of the devices showed attempts to click through the login or password reset screens (where a login page was presented with username and password fields that were pre-filled, suggesting that the account could be accessed by simply clicking on the “login” button).

In all, the average time spent accessing the “found” phones was just over 10 hours.

The goal of this research is to show what smartphone users should expect to happen on their phones if they are lost and then found by a stranger. In today’s world, both consumers and corporations need to be concerned with protecting the sensitive information on mobile devices, the report on the experiment explains.

While devices can be replaced, the information stored and accessed on them is at risk unless users and businesses take precautions to protect it.

We recommend you take some measures now to back up your data (which you should have done during World Backup Day) and protect your phone remotely in the event that you lose it. The graph below gives you some helpful app suggestions to outsmart info thieves. If you do lose your phone, be sure to go through all your important passwords and change them. Lastly, if you think your phone has been lost or stolen, notify your phone company right away.

[Image: graph of suggested apps for protecting a lost phone]