Industry divided as Met Police recommends smartphone PINs

News by Steve Gold

After two years of quietly lobbying mobile phone manufacturers such as Apple and Samsung, the Metropolitan Police have gone public with its request for all mobile phone vendors to implement PIN protection as a default setting on a handset.

The idea comes from the Met's NMPCU - National Mobile Phone Crime Unit - which was set up in 2003 to counter the problem of mobile phone theft, which even in the era before smartphones, was becoming an expensive problem for companies and end users alike.

According to the NMPCU, around 60 percent of mobiles do not have a PIN set, meaning that if the smartphone is stolen, criminals can make usually steal all the data on the handset, as well make calls at the legitimate user's expense.

Because of this, the police agency wants to make a PIN setting for cellular handsets the norm, with users required to `opt out' if they want to use the mobile without a PIN.

Nigel Stanley, cyber security practice director for OpenSky UK, welcomed the move to make cellular PINs mandatory, calling it a great move for the cellular industry.

"It's something of no-brainer - it's an absolute given in terms of security, as usability has always tended to win out over security, with the result that many mobile users don't bother with using a PIN, until their handset goes missing for whatever reason," he said.

"Even if the phone user's company has some form of remote wipe or similar security system in place, without a PIN, the data on the handset is going to be accessible until such time as the user notices it has gone missing and notifies their company - or triggers a remote wipe. The potential problem is made worse by the fact that many users have their most intimate company information on their mobiles," he added.

Professor John Walker, a visiting professor with the Nottingham Trent University's School of Science and Technology, was less welcoming noting that there is a danger that some mobile users might place all their security reliance on a PIN system, rather than implementing a remote wipe or similar `remote data destruction' facility.

"My observations suggest that PIN is not always the security mechanism that many people think it is. If you do a reset on an Android handset, for example, the data is ostensibly wiped, but can be recovered using suitable software - and the PIN is usually reset to its factory default of off when that happens," he explained.

Walker, who also is a director of Cytelligence Ltd, says that today's smartphones are similar to a handheld server in terms of their capabilities, meaning that a PIN security system is not anywhere near the kind of security that users' really need to employ to defend the data held on the device.

For most users, it comes down to convenience over security. That's why they don't use PINs - usually until it's too late and someone else has their hands on their company's data," he said.

Leading security analyst Graham Cluley, said that, overall, he was favourably inclined towards the Met's industry suggestion to make cellular PINs mandatory.

"I think there are two distinct groups here. Firstly, there are folks who use their smartphones for work purposes as well as social - and hopefully their organisation has already set rules and guidelines for safe use, enabled remote wipe, and enforced passwords - and then there are those who use their mobiles purely for fun, and don't get their work email etc., on them," he said. 

"Business users aren't going to be disadvantaged by having a PIN (or, better, a password) on their smartphone at purchase. So I don't see any problem there - and the very fact that social users will find that their smartphone has a PIN by default would probably wake up a huge number of them to the fact that phones even have this kind of security measure," he added.

Cluley went on to say that some users will raise concerns that users will see as: "Oh, my smartphone is password-protected therefore it must be safe from all threats and I don't have to do anything else."

And yes, he said, there does need to be greater awareness of the risks and how to protect against them. "But, on balance, I think if every smartphone shipped with a password that would be a good thing. Whether manufacturers will feel the same is, of course, an entirely different matter," he added.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews