Content

Where’s My iPhone? – A Lesson In Incident Response

Share

Introduction

Security incidents come in many forms, from attackers breaking into computers, unauthorized attempts to sniff wireless networks and collect information, and stolen laptops or phones. This example is the latter, a stolen smartphone. What follows is the incident response procedure that I followed once I found out my phone had been stolen. Its not a comfortable feeling to know that someone else has control over a device containing your information. However, you must remain calm and follow some sort of incident response procedure. Sometimes this is not as easy as it sounds (as you will see below). Once the incident is over the most important thing you must do is learn from it. Hopefully you can learn from my experience.

Some Days Are Better Than Others

This all started with one of the things I enjoy most in this world, and thats sushi (In fact Josh just pointed out that I was the one who introduced him to sushi, and now he has an entire site named after this fabulous food!). I was going out to eat with my family and was talking on my iPhone on the way. I pulled into a spot in the parking lot, got out of the car and went into the restaurant where I draped my long trenchcoat over the chair on the table behind me. After feasting on some sushi (“slammin’ salmon” roll was awesome) we paid the bill and I all of a sudden realized I did not have my phone. I searched my pockets, no iPhone. I thought, “well, I must have left it in my coat”. I searched my coat, no iPhone. I searched around the table and the table behind us where my coat had been, no iPhone. I then thought, “well, it must be in the car”. I searched the car, making everyone get out all while I cursed aloud, and no iPhone. I went back into the restaurant and searched the tables again, no iPhone. The conclusion, someone had stolen my iPhone when I either dropped it getting our of the car or when it fell out of my coat pocket.

Incident Response 101: Don’t Panic

So I called my wife in a panic, explaining to her how someone else now has possession of my phone, which not only contained countless pictures of our last vacation and family (mostly pictures of the dog), but also had access to ALL of my email accounts. I was on my way to a family members house to get a flashlight to do a more thorough search of the car, as I was still in disbelief that someone stole my phone. Human instinct is a funny thing, even though I have training in computer incident response (even worked a few cases of data theft) I was still in great disbelief that someone would actually steal my phone. Another search through the car, guess what no iPhone. My only saving grace was that I left my home phone number with the restaurant in case the phone magically appeared. On my way home I still thought there would be a chance that they found my phone and called the house to tell me. I got home, no phone call and still no iPhone.

When you can’t prevent or detect, react

I picked up my wife’s phone as soon as I got home and dialed 611, the number for direct access to AT&T customer service. I waded my way through the options and discovered that I could report the other phone line, and associated phone, lost or stolen right through the menu, after of course being prompted for the billing zip code. Thats right, the only authentication you need to cancel the other line is the billing zip code. This means you can use anyone’s AT&T phone to disconnect the other line on that account, and all you need is access to that phone and the billing zip code (most people put their address on the phone in case its lost, how ironic). If you are a smart phone thief, you can disable the other line when you steal a phone.
My iPhone had access to all of my email via passwords stored on the phone itself. My first step was to change all of my email passwords immediately. Once that was done I also changed the pin number to my voicemail. There was nothing sensitive in my email lately (i.e. a password emailed from a credit card or bank account), but I wanted to be certain that no one used the phone to check my email. I checked the email logs on one of the email servers I controlled and it showed that no one had used it to access my email. I started feeling a little better. Calls to the phone were going directly to voicemail while the phone was missing, and my guess is that the thief turned the phone off and removed the SIM card, or the battery died. In either case I wanted to be certain there we no calls made from the phone, so we activated our account online with AT&T and checked the call logs, which showed calls to my voicemail (which was normal as my voicemail forwards to YouMail, which is a great service). Now I feel slightly better, and my wife, as always, puts things in perspective and points out that it was not my car or laptop that was stolen, and that no one was hurt (however, the thought of having the opportunity to defend my iPhone appealed to me, if ever so briefly).
I did call the police, who weren’t much help and told me that I need to go back to the scene of the crime or come to the station to file a report. Since the damage was done, I did not follow through with a police report. However, had I not been in such disbelief, I would have most likely called the police on the spot.

Lessons Learned

I try to look at all incidents, especially ones that have financial impact, as a learning experience. What could I have done better? Also, what can I do better/different in the future to have a positive impact on the outcome? Below is a list that I hope we can all learn from:


  • Make it easy to change passwords and access your account – Have instructions on how/where you change your email/voicemail passwords so you can do it quickly. Also, have your online account setup and easy to access so you can check your statement and/or de-activate accounts online. This could be as easy as keeping a list of local bookmarks in your browser or in a text file.
  • Report your phone stolen immediately – There were reports online about stolen phones being used to rack up $20,000+ worth of charges. Its hard to overcome the disbelief that your phone has been stolen, however better safe than sorry. It is best to report your phone stolen ASAP.

  • Get insurance – Apple Care protection extends your warranty (Which I had), and is not insurance. Supposedly Apple offers some kind of insurance (according to the AT&T representative), but I am unable to find more information. Also, you may want to follow up with your home insurance provider to see if its covered ($400 may slide under your deductible though).

  • Use a keypad/passcode lock – I did not set the passcode on the iPhone. I know, I know…silly me. However, this passcode is easily bypassed thanks to a vulnerability described here. This has to do with the “Emergency Call” feature in the iPhone, which could be used to not only make a call even though the phone is locked (which is still the case in the latest firmware) but launch applications as well. The only other method available to get around the passcode is to restore the iPhone, which would wipe all the data off of it, but still give an attacker access to your cell service if it has not already been de-activated.

  • Don’t store your email passwords on your phone – This is a hard one. On the one hand we tell everyone to use good, if not great, passwords. But, imagine trying to enter a 12 character passwords, mixing upper/lower case, letters, numbers, and symbols on your iPhone? To quote someone from the #Security Weekly IRC chat room, “Ugh.”. If you do store passwords on your phone, make sure they are not used anywhere else.

  • Use security software on your phone – This is an interesting dilema, if you hack your iPhone it most likely prevents you from applying security updates from Apple (which fix things such as the passcode bypass). These updates will break all of the modifications made to your iPhone, including the hack to change providers. However, hacking your iPhone allows you to install 3rd party applications, such as iphonelockbox, which lets you encrypt your passwords and other information on your iPhone. Apple is supposed to make available the ability to install 3rd party applications on your iPhone sometime in February 2008, so this may be a wait and see situation.

  • Smart phone, careless user – I can’t live without my phone. Aside from providing the ability to send and receive phone calls, I use my phone to store contact information, check my email, send/receive text messages, take pictures, listen to music, watch TV shows/Movies, and browse the web. I should have been more careful, just as with your laptop, never let your phone out of your sight. Always be mindful of where your phone is at all times. For me, I may chain it to my belt from now on!

Conclusion

I hope that you read the above and learned something about how to protect your information. I hope that you use this information to make changes to your security strategy, whether it be protecting your personal information, or your organization’s secrets.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.