French authorities have launched an official investigation into the recent robbery of Kim Kardashian. The reality TV star and wife of rapper Kanye West was robbed at gunpoint in her apartment in Paris by five men on October 3. The thieves stole a ring and other jewelry worth approximately $10 million (USD), and a couple of cell phones.
While I am sure the jewelry has both sentimental and financial value to Kardashian, the cell phones may prove to be the more valuable items taken because of the personal or sensitive data they may contain. It comes down to how difficult it is for the thieves to gain access to those devices.
Marie White, CEO and President of Security Mentor, stresses that the immediate risk to Kardashian depends on how well she has secured her device in the first place. Assuming she has locked her device with a passcode that isn’t written down on anything else the thieves took, access to information on the devices should be difficult and the risk would be low.
White explains, “However, if the phone has no password or passphrase, and no encryption, then all of her information on that phone should be considered exposed. If Kim uses her phone to store accounts, credit cards, other financial information, or passwords, or stays signed in to apps, those would all be at the criminal’s fingertips. The best advice is that she should then immediately cancel all accounts and credit cards, and change passwords. With someone at the level of media prominence that she is, she may also want to work with a company specializing in tracking whether any of her information is exposed.”
“There are two important considerations and one movie-plot exception,” says Andrew McDonnell, Vice President of Security Solutions for AsTech Consulting. “Newer iPhones render passcode brute-forcing nearly impossible via hardware security modules that protect each phone’s unique encryption key and will not release it without the correct passcode. With even a weak passcode in place, most actors—including most jewel thieves—are eliminated from being able to recover data. Once a phone is lost, Apple’s Find My iPhone service can be used to further lock down or even erase the device so long as it connects to the Internet at any point in the future.”
It is still theoretically possible to break into a secured iPhone. The thieves could put the device in Airplane Mode to ensure it does not connect to the Internet—and can’t communicate with the “Find My iPhone” service—and then attempt to manually override the hardware security modules to be able to brute-force the passcode.
As McDonnell puts it, though, this scenario is highly implausible. “I consider jewel thieves who also happen to be hardware security experts a movie-plot scenario and not likely even for high-profile victims. If I were Ms. Kardashian West, I wouldn’t worry about my data so long as I had passcodes in place and promptly set the devices to be wiped by Find My iPhone.”
Using a strong passcode and enabling features that automatically erase the device after too many failed attempts to log in are good advice for Kardashian—and anyone else who wants to prevent unauthorized access to personal or sensitive information on a mobile device.
Another concern with a lost device is that all of the data on it may be gone forever. Whether because the device is never recovered or returned, or because it ends up getting wiped clean after too many failed login attempts, that data may be lost. White points out, “Many people use their phones now to document their lives, such as their children’s photos, and such a loss can be devastating. In addition, any apps or entertainment purchased would also be lost if not backed up. Backups should always be done securely, however, as the theft of that information from the cloud could also put you or your family at risk.”
Chris Roberts, Chief Security Architect at Acalvio Technologies, details how Kardashian—or anyone faced with a similar situation—should address the theft of a cell phone. “By now, she should have already had the number disabled, or if not, then the police or investigators are triangulating the phone from its constant beaconing of the cell towers. She should immediately change all those passwords and passcodes—the ones used FROM the phone—the ones for the websites, the apps, the stored ones… the email, Twitter, etc. ALL that should now be considered compromised or assumed that it MIGHT be—therefore be proactive.”
Finally, Roberts adds, she should put a watch on any bank accounts, social media accounts or other accounts and services accessible from the mobile device to be vigilant for any suspicious or malicious activity.
I am sure being tied up and robbed at gunpoint is a harrowing experience, and it sucks to lose millions of dollars’ worth of jewelry. The theft of the cell phones, however, could have broader and longer-lasting implications for Kardashian if the devices were not adequately protected, or if the proper steps aren’t taken at this point.