Ask Alicia About Device Security

Our Devices Are A Risk

by Derek Fisher

Today we hold more power in our pocket than the computing power that took humankind to space decades ago. With this power comes a lot of opportunity to participate in a wide digital world. From apps, to games, to social media, to messaging, we generate a lot of data on our devices. This data can be personal information that we would rather not have in the hands of others. Consider the thought of losing your cell phone or tablet and having someone else pick it up and use it. What could they do with your information? Would you be concerned? Many of us would say that we have nothing to hide and wouldn’t be worried about access to our devices by certain people. But at the same time, many of us would not like to have our phone or tablet in the hands of someone we don’t know. The messages, email, and online activity might be benign but it’s still personal.

So how should we protect our devices and the data on them? It’s not possible to discuss every possible device and how to secure it, so I will focus on the higher-level concerns and defenses. In the security field, our goal is to provide the best security and privacy to reduce risk and yet maintain usability. We handle that by layering security at different points to frustrate a malicious actor. In other words, defense in depth. The first level of that defense is physical: securing the actual device. Whether it’s a phone, tablet, or laptop, any device that is mobile is first and foremost more likely to be misplaced, lost, or stolen, because that is easy to do. Taking the example of a cell phone, think of how many times you left it on a table and walked away, or set it down somewhere in your house and then spent the next half hour looking for it. Your tablet or laptop is larger, but these devices are commonly stolen from vehicles, bags, or tables and desks when the owner is out of eyesight.

Protecting these devices means that we have to first think about what someone would have to do to access the data once they pick the device up. Having something as simple as a screen lock using a pattern will stop most bad actors and at least slow down a determined one. Using a screen lock will delay your own access to the device, but it’s usually an acceptable delay when you look at the minimum security it provides. This comes back to the concept of providing some level of security in exchange for usability. You won’t get ultimate security, but it’s a small price to pay for some security. It’s important to keep in mind that many people can see your screen lock pattern over your shoulder or from across a table. Many devices, including phones, tablets, and laptops, give you the option to go a bit further with a screen lock that uses a password or PIN. This is usually more secure, since you can make it more complex and therefore more difficult for someone to see and remember. However, it’s clear that this will add time for you to unlock your device, and it can also be more frustrating when you mistype and have to start over.

Newer devices are coming out with biometric checks like facial recognition, fingerprint, or a retinal scan. This further increases the security, but anyone who has used these features knows they are not always very accurate. Cold or gloved fingers make it difficult to use fingerprints, and facial recognition doesn’t always work. They’ve come a long way, however, and will continue to improve over time, and they still remain one of the most secure methods of unlocking a device. More importantly, they offer perhaps the best tradeoff between security and ease of use.

Let’s assume you lost the battle against physical access, and someone was able to get a hold of your device. The device and who the attacker is make a huge difference in what can be done with it. Savvy attackers may be able to bypass your screen lock either through a vulnerability in the device or by hooking the device up to another device that allows them to view the data. In this case, your next level of defense would be encrypting the device and the data on it, making it unusable for anyone who doesn’t have the means to decrypt it. Most devices, whether a cell phone, tablet, or laptop, allow you to encrypt the device itself so that the data on it is protected from unauthorized access. Additionally, if an attacker has access to your device, it’s important to think about access to your apps, files, and data. You may use PIN codes, passwords, biometrics, or multi-factor authentication to protect the most sensitive apps and accounts on your device, like your banking or social media apps. This means that an attacker would need additional information or steps in order to access those apps.

Lastly, there are a lot of different apps that you can use to help protect and monitor devices. Some simply allow you to monitor the location of the device; others may allow you to remotely lock or wipe the device if you lose it. Although these are worthwhile to consider, it means that you usually need to keep your location and network on and available even when you don’t need them. This in and of itself poses risks during normal usage. However, as outlined above, you need to consider what your security goals are when choosing a direction. These goals may change, for instance, if you are looking to monitor your child’s activity on their device. You will want to look at applications that allow you to see all applications being installed, monitor messages and contacts, and track overall usage of the device. This can be very tricky, especially for parents of savvy children who find creative ways to circumvent monitoring applications. Within your household, you may be able to use tools that help you monitor the network and provide parental controls.

We can’t address every possible way to protect our devices; however, the fundamentals continue to be about understanding what your risk is, what you feel comfortable giving up in terms of convenience, and what you can do to provide some level of security that fits your security goals. Our devices are with us all the time, whether they are in our pocket, on our laps, or in our bag. Knowing that these devices pose a risk to our personal data, and more importantly knowing how to secure them, is the first step in ensuring the security of that personal data.