Mobile Devices and Wireless
On this page:
Every day, mobile devices are lost, stolen, and infected. Assume for a moment that your mobile device has been stolen. What would you do?
- What stored data was stolen? (think about both work and non-work)
- What stored passwords were stolen?
- Do they have your 2-step authentication (MFA) codes?
- What other accounts and services might have been compromised? (Dropbox, shopping, credit cards, bank accounts, work accounts, Facebook, ...)
- Did you lose your only copy of anything important?
Mobile devices can store important business and personal information, and are often be used to access University systems, email, banking information, work and personal accounts. Where this is the case, they need to be protected like any other computer.
Important: Report the loss or theft of devices used for work to the ITS Support Center (info below) so they can help identify and address potential compromised accounts or data, including compromised restricted data, which requires additional action on the part of the University. See the lost/stolen device checklist below for additional steps to take.
A good rule of thumb is not to store anything you're not willing to lose or share with the world on a mobile device. This said, following are some steps you can take to help protect information on these devices. Some of these steps may require additional configuration/setting changes:
- Password-protect your mobile device with a complex password, and be sure your device requires a password to start up or resume activity -- but still don't store anything you're not willing to lose.
- Set it to automatically lock after a short period of inactivity.
- Keep it with you or lock it up securely before you step away -- even just for a second. See Physical Security for more information.
- Don't store sensitive information. Encrypt your device or sensitive contents if you do. See below for a special note about restricted data.
- Don’t store passwords unless they’re encrypted.
- Run current, up-to-date versions of the operating system and applications. Remember to sync often so you get available updates. Always install updates when your carrier tells you they are available.
- Beware of phishing: Don't open files, click links, or call numbers in unsolicited emails, text messages or IMs (instant messages).
- Be suspicious of links that arrive via text or email.
- To be even safer, don't click on emailed links on your phone. It's difficult to tell where they will actually take you. If your phone has a link preview feature, use it.
- Don't jail break your phone or tablet. This defeats built-in software safety features, so it's risky.
- If your mobile device has built-in firewall or access control functionality, activate them. Default settings are typically acceptable for most people.
- Avoid using auto-complete features that remember user names or passwords.
- Turn off unnecessary services:
- Disable or remove applications (apps) and plug-ins that you don't actively use
- Disable Bluetooth, wireless & IrDA (infrared) when you're not actively using them
- Turn off GPS and geotagging when you're not actively using them. These can allow your location to be tracked without your knowledge.
- Set devices to “ask” before joining new wireless networks (see below for more information about wireless).
- Periodically go through your device's list of known wireless networks and delete ones no longer needed (usually found under network, wireless, or airport settings)
- If your device has a web browser, set the browser to block pop-ups. For added privacy, also set the browser to limit the cookies it accepts. For example, some devices let you set the browser to accept cookies only from sites you visit.
- Additional browser security recommendations are available at http://its.ucsc.edu/software/release/browser-secure.html, though not all features are available on mobile browsers.
- Securely delete all contents before discarding, exchanging, selling or donating the device.
- All devices connecting to UCSC’s network or services must meet UC & UCSC security requirements.
- Back up or sync your data regularly.
- Set your device to erase itself after repeated failed log-on attempts.
- Enable remote wipe.
- Enable location tracking, keeping in mind the privacy implications.
Related articles (older articles but still relevant):
- Set the device to display a "call if found" phone number.
- Immediately report lost or stolen devices to the police: Report to UCSC police for campus incidents and local police for off-campus incidents (phone is best)
- For phones, notify your cellular carrier -- see if they can deactivate the device.
- Change all passwords stored or used on the device, including email, Dropbox, banking, etc.
- Un-register your device from any service that uses it for 2-step authentication (MFA).
- Notify credit card companies and banks if you used the device for shopping or banking.
- Try to track its location, if possible.
- Try remote wipe if sensitive information, passwords, or credit cards were stored.
- Don’t work with sensitive UCSC information on a mobile device unless you can ensure the device meets UCSC’s security requirements.
- Restricted data stored on mobile devices should be encrypted. This includes email, text messages, instant messages, documents, removable storage cards/devices, etc.
- NOTE: Electronic protected health information (ePHI or "HIPAA data") MUST be encrypted on portable devices and may not be stored at all on non-University devices.
- Encrypt passwords that provide access to restricted data. Even better, encrypt all stored passwords.
- Make sure you have a secure (encrypted) connection before working with sensitive data.
- Use known, encrypted networks, such as UCSC’s EDUROAM SECURE WIRELESS and CAMPUS VIRTUAL PRIVATE NETWORK (VPN), available to UCSC students, researchers, faculty, and staff (also see below for more about eduroam, Campus VPN, and wireless).
- Make sure web pages have https (not http) in the web address (URL). The “s” stands for “secure" and tells you that the information you enter is being encrypted as it is sent. Look for this before logging into anything.
- Coffee shop/hotel/airport-type wireless, including CruzNet is not encrypted.
- If you’re not sure, assume it’s not secure.
Information sent via standard wireless, including CruzNet and public hotspots, is especially easy to intercept. To protect yourself:
- See the guidance above about sensitive information.
- Don’t connect to insecure or unknown wireless hot spots/access points if you’re concerned about security or privacy (or your passwords).
- As mentioned under "Protecting mobile devices" above, set devices to “ask” before joining new wireless networks.
- If you use CruzNet or other public wireless to connect to Facebook, Snapchat, Instagram, Twitter, etc., use a different password for those sites than for banking, shopping, or UCSC.
- For additional information about home wireless security, see the Home Wireless Security page at onguardonline.gov
eduroam (education roaming) is a secure, encrypted, world-wide roaming wireless service developed for the international research and education community. It is available on the UCSC campus and allows UCSC students, researchers, faculty, and staff to obtain secure Internet connectivity across campus and when visiting other participating institutions with their laptop or supported mobile devices. See http://its.ucsc.edu/wireless-secure/ for information and set-up instructions. Follow the instructions and do a full eduroam installation including installing the UCSC self-signed certificate.
Note: You should only have to enter your CruzID Blue password into eduroam when you initially set it up. If your device asks for it again later, don't do it. It could be that you are too far from the network to do anything useful and that is causing login failures. Or it could be that you are being offered a rogue login to a device masquerading as UCSC that is attempting to steal your password. Either way, you shouldn't have to re-enter your password for eduroam to work once it has been set up.
Campus Virtual Private Network (VPN):
UCSC's Campus VPN (virtual private network) encrypts your Internet traffic and provides a secure (encrypted) connection to the UCSC network from off campus. The Campus VPN is available to all campus members with a CruzId and Gold password. See http://its.ucsc.edu/vpn/installation.html for information and set-up instructions.
Use of Non-UC Technology Services:
"Non-UC services often seem like good options to meet our business (and personal) needs, and under certain circumstances they are appropriate to use. It is important to remember, though, that when you use these services, your data is in someone else's hands." more...
Smartphone Security Checker from the Federal Communications Commission (FCC):
10 customized steps to secure your mobile device! website...
How Do I Protect the Information on My Smartphone?
Simple steps to protect your smartphone from the Multi-State Information and Analysis Center (MS-ISAC): http://msisac.cisecurity.org/newsletters/2013-02.cfm
Rev. Apr 2016