Data Security: Most Finders of Lost Smartphones Are Snoops

Operation Honey Stick uncovers what happens when smartphones go missing
Illustration by Alex Eben Meyer

I was sitting in the food court of the Great Mall in Milpitas, Calif.—Great Khan’s Mongolian BBQ to one side, Hot Dog on a Stick to the other—when the adrenaline hit. It was go time for Operation Honey Stick. Cris Paden, a public-relations man at security technology company Symantec, reached across one of the metal tables and passed me an Android smartphone. I placed it on the seat behind me, waited a couple of minutes, and then left—hoping someone would nick the device after our getaway.

That day in early February, we “lost” 10 smartphones as part of a multi-city clandestine project to see what happens when digital devices go missing. Symantec organized Operation Honey Stick, named after fake websites known as honeypots that investigators use to snare hackers. A total of 50 smartphones were distributed in Silicon Valley, Washington, D.C., New York, Los Angeles, and Ottawa. The devices, loaded with a buffet of juicy, fake data, were left in restaurants, elevators, convenience stores, and student unions. Symantec equipped them with monitoring software that let its security gurus track where the devices were taken once found, and what type of information was accessed by the finders.

Symantec executives admitted they hoped the project would have some shock value. Francis deSouza, Symantec group president of corporate products and services, contends that workers treat their employer-provided smartphones like consumer devices rather than corporate machines. He rattles off cases of stolen smartphones and data being sold on black markets, where bank account credentials can go for $900 and e-mail accounts for $20. “Beyond that, there’s a compliance risk for companies,” deSouza says. “People use these devices to do their work with corporate data, and we know criminals are targeting that information for profit.”

Symantec and other security companies have seized on the explosion of smartphones and tablets as an opportunity. They promote software that requires strong passwords to open certain apps, tools that block sensitive data from being pasted into e-mails, and services that can wipe data off a lost device from afar. Many smartphone owners don’t take even simple steps, like requiring a PIN to unlock a phone, because they’re “taking a home PC security model, where they don’t lock down the machines, and applying it to a smartphone,” says deSouza. “Frankly, you are not likely to lose your home PC at a Starbucks.”

It took about four hours for us to distribute our smartphones throughout Silicon Valley. Paden had lined up crowded spots with lots of foot traffic. We first did some reconnaissance at a Stop ’n Save convenience store, then hit a restaurant on the Stanford campus, the student union at San Jose State, and a San Jose taco shop. We skipped a high-end mall in Palo Alto because Paden figured the iPhone-toting, wealthy clientele would immediately turn in the lost phones. But the first lesson of Operation Honey Stick is that it’s much harder to lose a cell phone than you’d think. On a few occasions, we staked out a spot and planted the phone, only to have someone yell out, “Hey, buddy, you left your phone!”

The smartphones were set up to make it easy for people to return them. They did not require a PIN, and the only contact listed in the address book was “Me,” containing a number and e-mail address that reached Symantec’s researchers. One humanity-affirming finding from Operation Honey Stick is that, despite skewing the study so the phones were as easy to take as possible, half the smartphones were returned within a couple of weeks. One tortured soul sent the team the following e-mail: “I found your phone at the Santa Monica Pier last Thursday. I used it for like a week but now I feel bad and want to return it. I’m really sorry.”

The downside is that even the angels indulged the devils on their shoulders. About 90 percent of all finders rifled through the phone’s apps and files, including ones that seemed to contain highly sensitive information. The home screen of each phone included a file promising salary information, a Bank of America app, a Facebook app, and standard fare such as apps for photos, e-mail, and a calendar. More than 80 percent of people looked at the corporate data on the phone and about half took the bait to peek at the salary information and peruse the corporate e-mail account. Forty percent couldn’t resist looking at the banking information, while 60 percent jumped into the Facebook account. About half of the finders tried to use an app that would let them remotely log into a corporate network.

Someone started using the phone that began its journey at the Great Mall about five minutes after it was lost. The finder quickly went through the salary, banking, and Facebook information. The phone was later plugged into a computer, and the finder tried to tap into the corporate network. He or she then drove 150 miles on U.S. Highway 101, accessing Facebook 21 times over a 45-minute period and a folder containing passwords nine times. After about a day the phone shut down and disappeared.

The study “played out about how we suspected,” says deSouza. That confident statement masks anxiety about keeping smartphones safe. Security companies have spent years battling PC hackers with less than spectacular success. Now they’re trying to defend products with an exploding and confounding number of operating systems and apps. “We’re having to move very quickly to match the innovation happening in the mobile device world,” deSouza says. “It exceeds what we saw in the PC world.” Chew over that comforting thought during your next visit to Hot Dog on a Stick.

    Before it's here, it's on the Bloomberg Terminal.