StorefrontBacktalk

Mobile Security Achilles’ Heel: Employees Won’t Report A Lost Phone For A Very Long Time

Written by Frank Hayes

February 17th, 2011

Say you’re a retailer whose associates use iPhones or iPads in-store to help customers check inventory or check out. Now suppose a tablet goes missing. How long will employees wait before reporting that it’s gone? If it’s more than a few minutes, you have a problem.

Last Wednesday (Feb. 9), two German security researchers said they’ve developed a way to strip a stolen iPhone of most of the passwords stored on it in about six minutes—even if the phone is encrypted. That’s so fast that a phone or tablet could easily be stolen, stripped of data and returned before its owner even notices it’s missing.

Worse still, employees aren’t inclined to report a missing device instantly. That’s just human nature. They’ll probably go looking for it first—and if that search lasts as little as 10 or 15 minutes, the passwords and other security-related data on it could be long gone.

The security researchers, from Munich’s Fraunhofer Institute for Secure Information Technology, said they used widely available software tools and a Windows PC to jailbreak the stolen phone and then run a small script that collects encrypted passwords. But they don’t have to break any encryption themselves. “The decryption is done with the help of functions provided by the operating system itself,” they wrote. “An attacker would not need to know the user’s passcode, nor would he need to exploit new vulnerabilities to reveal these secrets.”

In other words, the data theft happens so quickly because it uses the iPhone’s own operating system to do the heavy lifting. From a passcode-protected and locked iPhone with no other vulnerabilities, they were able to extract passwords for company Wi-Fi and VPN, E-mail, voicemail and Google Mail, among others—all without visibly damaging the phone, and all in about six minutes.

Clearly, it’s time to rethink how you deal with lost equipment. By definition, smartphones and tablets aren’t nailed down, the way traditional point-of-sale equipment is (or should be). How hard is it for a thief to palm a mobile device while an employee is distracted, walk out the door and into a McDonald’s or Starbucks a few steps away, hack the mobile device in minutes and then slip back into the store and casually leave the device where it will be found?

By that time, the employee may have noticed the device is missing—or is it just misplaced? If it only takes six minutes to grab a group of potentially useful passwords, an employee can spend 15 minutes searching for the device in the time a thief can steal, hack and return a smartphone or tablet.

A few weeks ago, a colleague here at StorefrontBacktalk had a conversation with a very senior IT exec at one of the larger chains and the subject of mobile security came up. The exec was unconcerned because, as he said, “We remote wipe those phones the instant we learn of it.” No doubt that’s true. But the first thing thieves do when they steal an iPhone is to remove the SIM, so a remote wipe becomes impossible.

Besides, wiping a phone only works if you believe employees will alert IT the instant a mobile device turns up missing. That’s simply not the way people function.

You know that employees will search for a few minutes at least.

Posted in In-Store, IT Strategy/Industry, Mobile/Wireless/Contactless, Security/Fraud

Comments are closed.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.