How to Unlock a Protected Smartphone

11/5/2009

During our IT examinations we note that most, if not all, members of management have smartphones. Of course these phones are secured. Encryption has been enabled and settings have been configured to ‘wipe’ the phone after a bad password has been entered into the device after a number of attempts. I should be secure, right?

Most smartphones have a background screen display when locked. A significant number of business phones we examine have the person’s name, business address and both cell and business phone numbers on the screen. I think that people do this so that somebody will call the number listed on the screensaver to inform the unfortunate person that they have found their phone. However, if a Good Samaritan called the cell number or just hit a key on the phone, the cell phone would unlock if not properly configured. More often than not, most of the phones we test are not password protected! We have noted that the person’s cell phone number as listed on the screen saver will unlock the device (secret PIN). We have noted that certain bank's have policies that require passwords to be set to the cell phone number. We have also used the services of Spoofcard.com to mimic the cell number, call the office from that cell phone and get the device unlocked.

Anonymity is what we are seeking when we lose our smartphones. Protect your data and ensure that smartphone screensavers do not reveal your identity. It is also important to ensure that your policies are functional and do not put your Organization at risk. Remember, the old adage – ‘do not talk to strangers’ is as true today as it was twenty years ago. Ensure that your screensavers and smartphones are smartly secured and do not divulge sensitive data.