And now for a few words about securing PDAs

Not everyone needs a SME-PED (a secure mobile messaging device developed by the NSA).  But a lot of people carry Personal Digital Assistants (PDAs) or Personal Electronic Devices (PEDs).  For this post, I will call them Mobile Devices (MD).  These MDs include Blackberry, Windows Mobile, iPhone, and any other phone/device that lets you do email, SMS, MMS, pictures, or store any kind of data on it.

Imagine that you are out at a restaurant.  You are having a nice meal.  You brought along your MD, because you never leave home without it.  You have it sitting on the table near you (or in your coat pocket or wherever).  You have it set up to synchronize your work email as well as your personal email.  You store your contacts (work and personal) on the device, and you also keep a couple of Notes on the device that have some password/PIN/account info in them.

You get up to use the restroom.  You leave your coat behind.  You return and finish your meal.  You leave the restaurant.  You get into your car and decide that you will check email before you head home.  You reach for your MD and realize that it isn’t there.  You run back into the restaurant and back to your table, but your MD is not there.  You ask the server and manager if they have seen one or if one has been turned in.  They have not.

Time to panic?  Maybe not.  Do you have the device set to time out after a certain amount of time?  Do you have a password or PIN set to unlock the device?  Do you have encryption technology on the device?  Do you have anti-virus software installed on the device?  If you can answer “Yes” to most or all of these questions, then you can rest easy, because you are out a few dollars for the device and some pain calling your carrier and having the phone/SIM killed.  Then you have to go out and get a new phone/plan and rebuild it.  Painful?  Yes, but not as bad as it could be.

Here is a true story (names/locations have been removed to protect the stupid).  I got a call several years ago from one of my users asking me to “kill his device”.  I asked him what had happened to it, and he told me that he had lost it.  When I hung up with him, I decided to call the phone number of the device.  I did, and the device was answered, but no one was there.  I sat on the line for 5 minutes or so, listening to background noise, and I soon realized that the device was near a cash register.  I started saying “Hello” over and over again.  I did this for about a minute, and finally, a confused woman picked up the phone and responded “Hello?”  We had a brief conversation.  I found out that she was a server at a restaurant down the road from where I was working at the time.  I asked her to set the device aside and told her that I would be down in a few minutes to pick it up.

I retrieved the device and brought it back to my office.  I noticed a couple of things:  There was no PIN/password protecting the device.  It had the user’s business email synchronized to it (up to the minute I was holding the phone).  It had the user’s contacts, calendar, and some notes.  One of the notes had his account login information for several business-critical systems (including username, password, and account number).  I also found a note with some of his personal information in it.  Bad?  YES.  But this is not the worst thing that could have happened.

Can you imagine if someone else had found it?  And what if that person was a bad guy?  Fortunately for the user, I recovered it, and I proceeded to wipe the device and rebuild it.  I will let you all use your imagination to form a picture of what might have happened if a bad guy had found it.

Bottom line – protect your mobile device.  You need a PIN/password to unlock the device at the VERY least.  You should also have AV software if you do email, web, or texting on the device.  If you are storing personal or professional information that could be considered private, you should strongly consider getting encryption software for the device.  Protect yourself by protecting your data.  It only takes a second to unlock your device (if you remember your PIN/password).  But it may take you weeks or months to recover from the theft of your personal or professional information.

As always, please let me know if you have questions about this.  I will try my best to answer them or clarify what I was trying to say.


About Tim Smeltzer
I am a husband, father, and technologist. While I am very much interested in almost all technology, my current area of specialty is secure mobile messaging. You will find me blogging from time to time on mobile technology - what I think is cool, what I think is not cool, and how to do things. Please be nice if you leave me comments. I am really trying to help!
