Earlier this week, I misplaced a device in public & lost physical access to it for ~19 hours (finally resulting in the device actually being returned). Here is my security audit for the event (w/some minor details omitted/redacted for #OPSEC purposes):
I went to a public place & put my #Android phone on the table where I was sitting. I had an absolute lapse of attention (I had just finished a 4-course dinner at a different location & was on the verge of a food coma), so I got up from the table & without realizing it, left the device right where I had put it down.
I got home at ~10:15pm, promptly put my YouTube Watch Later playlist on my laptop & fell asleep watching #BTC content (as always).
I woke up at 6:00am (as usual) & sat at my laptop to do some research. At ~9:30am, I looked at my smartwatch & noticed I had a bunch of notifications over the course of the night, so I went to grab my phone to check them properly & that was when I first realized it was missing.
After turning my place upside down & looking in every conceivable place, I quickly realized that my phone was not at mine (I am mildly OCD & there are only so many places it would have even been because I'm typically wildly organized).
THE PANIC HIT LIKE A FUCKING TSUNAMI.
OK, we have procedures in place for this; it's no longer a drill & it's fucking GAME TIME.
I immediately did a "Find My Device" lookup & discovered that the phone last pinged at 2am, at the last place I was before I went home. My stomach sank, because it had been offline for ~8 hours (it's a Wi-Fi-only device, so no constant cell tower pings).
I immediately went back to the place where I left the phone & talked to the owner of the business, explaining my situation. They let me know that nothing was turned in to them by anyone, so it was not in the Lost & Found. I requested to see the camera feeds & they kindly obliged. I quickly realized that where I was sitting was actually a blind spot & none of the footage was going to help identify what I (or any other person) had done in that area. FUCK.
I thanked him & then immediately headed home to execute the lost/stolen device security protocol. I jumped onto my laptop & logged into all services that had an active session on my phone to pull the device credentials remotely.
Here's how they all performed:
==========
#Google - Rating: 2/10
All Google services stopped syncing, but some apps DID NOT LOG OUT. They did not pull any new incoming data, but they also allowed full access to all historical data on some apps (including #Gmail & #Keep). This fucking blew my mind & was the most surprising out of all of the services for such an obvious security failing from such a large company.
==========
#X / #Twitter - Rating: 8/10
Full sign out within the app; it performed about as well as one would reasonably expect. HOWEVER, it also allows for Google-based login, so since Google dropped the ball & didn't fully sign out of all apps, there is a chance that I could have used one of the device's latent active Google app logins to gain access. While I don't have Gmail & X connected, some people might; not ideal, but it seems they've done about as much as they can on their side.
==========
#Meta: #Facebook / #Messenger / #Instagram - Rating: 2/10
The Facebook app isn't installed on my device, so no access would have been possible since it wasn't signed in at all in the first place, but I still was able to kill the last login session on the device. Messenger however, DID NOT pull the session credentials when I killed the Facebook session. I was completely unaware of this even being an issue, but it seems you would have to pull logins for both apps separately (which seems like a liability). Instagram popped up a "logged out" message, but when I hit the "back" button, I had FULL access to the account; HUGE fucking fail.
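The Google and Meta findings above come down to two session-design properties: a remote kill has to cascade to every session derived from the one you revoked (Facebook to Messenger), and the app on the device has to enforce revocation on every read and wipe its local cache, not just show a "logged out" screen that the back button undoes. The Python model below is an added illustration, not code from Google, Meta or any other service named here; the `SessionStore`/`AppClient` classes, the `wipe_on_revoke` flag and the sample mail/DM strings are all made up. It puts a server-side store that does the cascade next to a weak client and a hardened client:

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    token: str
    account: str
    app: str
    parent: Optional[str] = None  # session this one was derived from (Messenger from Facebook)
    revoked: bool = False

class SessionStore:
    """Server-side session registry with laptop-initiated remote revocation (hypothetical)."""

    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}

    def login(self, account: str, app: str, parent: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(24)
        self._by_token[token] = Session(token, account, app, parent)
        return token

    def is_valid(self, token: str) -> bool:
        s = self._by_token.get(token)
        return s is not None and not s.revoked

    def active_apps(self, account: str) -> list[str]:
        """What an account's 'manage devices' page should list."""
        return sorted(s.app for s in self._by_token.values()
                      if s.account == account and not s.revoked)

    def revoke(self, token: str, cascade: bool = True) -> list[str]:
        """Revoke a session and, with cascade=True, every session derived from it.
        Returns the app names newly revoked; cascade=False is the 'Facebook killed,
        Messenger still alive' behaviour from the audit."""
        killed, seen, stack = [], set(), [token]
        while stack:
            t = stack.pop()
            if t in seen or t not in self._by_token:
                continue
            seen.add(t)
            s = self._by_token[t]
            if not s.revoked:
                s.revoked = True
                killed.append(s.app)
            if cascade:  # walk into child sessions even if this one was already dead
                stack.extend(c.token for c in self._by_token.values() if c.parent == t)
        return killed

class AppClient:
    """An app on the phone: a session token plus a local cache of synced data."""

    def __init__(self, store: SessionStore, token: str, wipe_on_revoke: bool) -> None:
        self.store, self.token, self.wipe_on_revoke = store, token, wipe_on_revoke
        self.cache: list[str] = []

    def _revoked(self) -> bool:
        if self.store.is_valid(self.token):
            return False
        if self.wipe_on_revoke:
            # A 'logged out' banner alone is not enough: clear local state so the
            # back button or an offline view cannot show the old data.
            self.cache.clear()
            self.token = ""
        return True

    def sync(self, server_data: list[str]) -> bool:
        """Pull new data; returns False once the session is gone (sync stops)."""
        if self._revoked():
            return False
        self.cache = list(server_data)
        return True

    def read(self) -> list[str]:
        """Open the historical view. The weak client (wipe_on_revoke=False) never
        re-checks here, so revocation stops new mail but old mail stays readable."""
        if self.wipe_on_revoke:
            self._revoked()
        return list(self.cache)

def scenario() -> dict:
    """Constructed walk-through (all sample data made up) of the findings above."""
    store = SessionStore()
    fb = store.login("owner", "facebook")
    msgr = store.login("owner", "messenger", parent=fb)
    mail = store.login("owner", "mail")
    mail_app = AppClient(store, mail, wipe_on_revoke=False)  # Gmail/Keep-style client
    msgr_app = AppClient(store, msgr, wipe_on_revoke=True)   # hardened client
    mail_app.sync(["mail 1", "mail 2"])
    msgr_app.sync(["dm 1"])
    flat = store.revoke(fb, cascade=False)     # laptop kills the Facebook login...
    survives = store.is_valid(msgr)            # ...but Messenger keeps working
    cascaded = store.revoke(fb, cascade=True)  # cascading kill reaches Messenger
    store.revoke(mail)
    return {
        "flat_kill": flat,
        "messenger_survives_flat_kill": survives,
        "cascaded_kill": cascaded,
        "mail_syncs_after_revoke": mail_app.sync(["mail 3"]),
        "mail_cache_after_revoke": mail_app.read(),
        "messenger_cache_after_revoke": msgr_app.read(),
        "apps_after": store.active_apps("owner"),
    }
```

Run `scenario()` and you get the three results from the audit: the flat kill leaves `messenger` valid, the mail client stops syncing but still returns its two cached items, and only the hardened client comes back empty. The practical check this suggests for a lost-device runbook is to open each app's historical view (not just wait for a sync error) after revoking, and to revoke every linked app separately unless the provider documents that it cascades.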
==========
primal (nprofile…mdf3) / #Primal - Rating: 3/10
Primal DOES NOT have session controls, so you can't remote deactivate a login. However, it DID require biometrics to copy or reveal the #Nostr nsec (which is a GREAT feature). Even still, this means that anything could have been posted to the account & the #Lightning wallet could have been drained via zap by anyone who was savvy about the platform/network (good thing nobody is really here yet).
==========
#Signal - Rating: 10/10
I decided to wait for 72 hours before remotely pulling credentials (since all my correspondence gets burned anyway & the likelihood of a breach was essentially at zero in the moment), but I never needed to execute it because I got the device back so quickly. However, I HAVE remotely pulled credentials for Signal on a device before & already know that it works flawlessly from prior experiences. Signal is fully locked down in every way by default; no surprises there.
==========
#2FA - Rating: 10/10
I'm not going to disclose my exact 2FA methods, but I do have the ability to pull 2FA device credentials remotely, which worked flawlessly.
==========
#Bitcoin Wallet - Rating: 10/10
I'm not going to disclose my specific storage setup, but I do employ multi-sig & only use a read-only service to check holdings (which is locked down w/a complex alphanumeric + symbols password anyway). I have zero ability to transfer funds without a VERY complex procedure (since I am accumulation-only & only send funds into #ColdStorage). The setup worked exactly as expected.
==========
DEVICE RETRIEVAL :
The reason that I got my phone back was because my device has an option to place a message on the lock screen. Back in 2022, I decided to set this to:
[contact info] REWARD IF FOUND
This is the ACTUAL reason why the device was able to be retrieved. The person who found the phone saw the message, held onto the phone thinking someone may come back looking for it, but since I was long asleep & unaware it was even missing, they just held on to the device & continued on with their night. When they woke up the next day, they sent a message to the contact info on the lock screen & I saw the message pop up on my laptop, so we were able to organize a meetup; I had the device back in hand within ~15 minutes of the message exchange.
I unlocked it to show it truly was mine, then immediately went to the Digital Wellbeing app to ensure no unlocks had been performed & that no apps had been active (just for extra peace of mind). An unlock was highly unlikely anyway (since I use full, complex, unique alphanumeric + symbols passwords wherever possible), but it just reaffirmed that convenience & #security are on opposite ends of the spectrum. When given the choice, ALWAYS choose security over convenience.
I gave the person the equivalent of ~$20 (which they initially refused, but I insisted they took) since they saved me a METRIC FUCKTON of hassle & headache.
==========
SUMMARY:
All said & done, I was quite surprised at the results of this event. I was mortified that so many well-established #tech companies have such gaping security holes. However, I was pleasantly surprised that there are still good humans out there & at how secure Bitcoin really is when handled properly.
I am also quite grateful for this experience so that I could better understand the limitations of different services in a lost/stolen device scenario; it's not every day you can do a full device audit like this in an ACTUAL in-the-wild scenario.
Thank you for coming to my TED Talk. I have since invested in a phone leash.