SecurityWeek

Symantec’s ‘Honey Stick’ Experiment Shows What Happens to Lost Smartphones

What Happens to Lost Smartphones?

“Honey Stick Project” Exposes Risk from Lost Smartphones

In order to get a look at what happens when a smartphone containing sensitive corporate information is lost, Symantec loaded 50 phones with tracking software and fake “sensitive” information, and then scattered the devices across multiple cities in North America.

The test, called the Honey Stick Project, was designed to see what really happens when a smartphone is lost and collected by someone other than the owner.

Once the mobile devices were loaded with the simulated personal and corporate data, Symantec dropped the 50 fully-charged smartphones in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada. The devices were intentionally “lost” in different types of locations including elevators, malls, food courts, public transit stops and other heavily trafficked, publicly accessible locations.

With the remote monitoring software installed, it wasn’t long before the phones started to move. Tracking showed that 96 percent of the devices were accessed once found, and 70 percent of them were accessed for personal and business related applications and information. Fewer than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for; the others were all found.

It seems like it’s hard to trust your fellow man these days, and that was exactly the point Symantec set out to make.

Going further, of the devices located, 45 percent reported an attempt to read corporate email, and the remote admin application was accessed 49 percent of the time. A file named “saved passwords” was also one of the top selections, with a 57 percent access rate. Access to social networking accounts and to personal email was attempted on over 60 percent of the devices in each case.

Additionally, 66 percent of the devices showed attempts to click through the login or password reset screens (where a login page was presented with username and password fields that were pre-filled, suggesting that the account could be accessed by simply clicking on the “login” button).

In all, the average time spent accessing the “found” phones was just over 10 hours.

“The goal of this research is to show what smartphone users should expect to happen on their phones if they are lost and then found by a stranger. In today’s world, both consumers and corporations need to be concerned with protecting the sensitive information on mobile devices,” the report on the experiment explains.

“While devices can be replaced, the information stored and accessed on them is at risk unless users and businesses take precautions to protect it.”

While this type of public domain experiment is certainly interesting, Symantec notes that projects like this are by no means perfect. “In particular, logging of the apps depends on the device having Internet access,” the summary notes. “Therefore, if a finder manipulates the device in a certain way, it is possible that no data will be recorded. This situation would result in an under-reporting of access frequency. Conversely, the most significant over-reporting error would be an individual who was aware of the intent of the study, and performed repeated accesses as a way to manipulate the results to be more significant than would normally happen.”

More information about the Honey Stick experiment is on Symantec’s blog. The full report (PDF) is available here.
