Devices Lost? Stolen? Seized?

Digital First Aid Kit - Devices Lost? Stolen? Seized?

The Digital First Aid Kit

The Digital First Aid Kit aims to provide preliminary support for people facing the most common types of digital threats. The Kit offers a set of self-diagnostic tools for citizen, human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as providing guidelines for digital first responders to assist a person under threat.

Devices Seized? Lost? Stolen?

Is your device lost? Has it been stolen or seized by a third party? In any of these incidences it is very important to get a clear picture of what happened, what kinds of data and accounts may be vulnerable as a result and what steps must be taken to prevent the leaking and misuse of your information, contacts and accounts.

Start by answering some simple questions:

What happened?

  • What sort of device are you missing? A computer, mobile phone, tablet or an external hard drive?
  • When and where did you lose the device?
  • How did you lose the device? Was it stolen by another person, taken by a state authority or did you simply lose track of it?
  • Is the device still missing?

What kinds of security protections did the device have?

  • Was the device protected by a password or other security measures?
  • Which operating system was running on the device? Was this a legal version, or was it an illegal, jailbroken or rooted version?
  • Does the device have full disk encryption turned on?
  • What state was your device in when it was lost? Were you logged in? Was the device on but password-locked? Was it sleeping or hibernating? Completely turned off?
  • Do you have remote access to the device?

What was on the device?

  • Make an inventory of the different types of sensitive information that was on your device. Examples include email, chat history, social media, contacts (email, Skype, chat, etc.), files, location data, credit card data and more.
  • What sort of base software was it using, i.e. Windows, OS X, Android, iPhone?
  • Did you use encryption tools for email or chat (such as PGP and OTR)?
  • What accounts does this device have access to? This can be email, social media, chat, IM and banking accounts that the device can access, browsers that have saved passwords to account, cookies that show your internet browsing history, authentication tokens such as fingerprint on iPhone 5 and accounts that use the device for secondary authentication.
  • Do your accounts have saved passwords and/or automatically log in? This is common for email, Skype and other chat programs, or if you save your passwords in your web browser instead of a password manager like KeePass

First steps to mitigate the problem:

If your device is still missing

If your device is lost or seized by a third party and you did not get it back, the first steps to take are the following:

  • Step 1: When your device has access to accounts (email, social media or web account) remove the authorization for this device for all accounts. This can be done by going to your accounts online and changing the account permissions.
  • Step 2: Change the passwords for all accounts that are accessible by this device.
  • Step 3: Turn on 2-factor authentication for all accounts that were accessible by this device. Please note that not all accounts support 2-factor authentication See 2-factor notes from ‘Account Hijacking’ section.
  • Step 4: If you have a tool installed on your lost devices that allows you to erase the data and the history of your device, use it.

If you get your device back

If your device was lost, taken by a third party or had to be handed over at a border crossing but you have it back, be careful as you do not know who has had access to it. Depending on the level of risk you’re facing, you may want to treat the device as if it is now untrusted or compromised. Ask yourself the following questions and assess the risk that your device has been compromised:

  • How long was the device out of your sight?
  • Who potentially could have had access to it?
  • Why would they want access to it?
  • Are there signs that the device has been physically tampered with?

For more extensive threat modeling assistance see the Surveillance Self Defense Guide.

If you have lost contact with your device for an extended period of time and you feel there is a chance that something has been installed on it, please consider the following:

  • Computer: reinstall the OS from scratch and recover all documents from the last backup and scan all your documents and files with antivirus software. For more guidance on this, see cleaning up your device in the malware section. In some cases, reinstalling the OS might not be enough. Reinstalling BIOSes and firmwares from a trusted source might be required.
  • Phones and tablets: Depending on your level of risk and the circumstances under which your mobile phone or tablet was taken, it may be advisable to not use it again. If possible, migrate all of the data off of your phone or tables and purchase a new one. If you cannot change devices but you suspect it might be compromised, take precautions and do not use your phone or tablet for sensitive communication or opening sensitive files. Do not take it with you when going to sensitive meetings or have it with you when discussing sensitive topics.

Don’t stop here! Important next steps:

Whether your device is still lost or you have it back, complete the following steps:

  • Step 1: Think about what you used this device for - is there sensitive information on this device, such as your contacts, location or the content of your messages? Can this data be problematic for someone?
  • Step 2: Inform your network. Inform the key and high-risk contacts you work with privately. If you feel comfortable doing so, post a list of potentially compromised accounts on your website or a social media account.
  • Step 3: Do you use the same password on other accounts or devices? If so, perform this process on those accounts. They may also be compromised.
  • Step 4: If possible, review the connection history/account activity of all accounts connected to the device (available feature on Facebook, Gmail and other email providers). Check to see if your account was used at a time when you were not online or if your account was accessed from an unfamiliar location or IP address. See the Account Hijacking section for further details.
  • Step 5: Check the account settings of all accounts connected to the device. Have they been changed? For email accounts, check for auto-forwards, possible changes to the backup/reset email address of phone numbers, synchronization to different devices, including phones, computers or tablets, and permissions to applications or other account permissions.
  • Step 6: Repeat the review of the connection history/account activity - at least once a week for a month - to ensure that your account does not continue to show strange activity. If the history/account activities continue to show strange activity, proceed to the malware section.

Take extra precautions against attackers:

Prevention is the key to mitigating the risk of having your device seized, lost or stolen. However, simple actions can protect the data on your device if it is seized. Think about encryption, passwords, pin code locks for cell phone backups, tools that allow remote data wipes, installation of alert software in the case of theft. Prey Anti-Theft is a useful cross-platform and open source device tracking tool.

Investigate

If your device has been stolen or seized by a third party, it is good to understand why this has happened. Who do you think might be interested in targeting you or your organization? Is this threat related to your work? In the section on helpful resources there are links to guides that provide tips and tricks on how to prevent digital emergencies and be proactive about your digital security.

Helpful resources

Security in a Box Threat modeling, Surveillance Self Defense Guide

About The Digital First Aid Kit

The Digital First Aid Kit is a collaborative effort of EFF, Global Voices, Hivos & the Digital Defenders Partnership, Front Line Defenders, Internews, Freedom House, Access, Qurium, CIRCL, IWPR, Open Technology Fund and individual security experts who are working in the field of digital security and rapid response. It is a work in progress and if there are things that need to be added, comments or questions regarding any of the sections please go to Github.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.