The ABA Journal reports on a blog post from attorney Sharon Nelson, the president of security company Sensei Enterprises, in which Nelson says that a 50-person law firm (which she does not identify) abandoned the iPhone because of the security risks that Nelson described in this article from the ABA Law Practice Magazine. The article says that if a sophisticated hacker gains access to your iPhone, using the right tools, he can bypass iPhone security features and access data.
Security is very important for lawyers, but articles like this frustrate me a little. First, the hacking required is very sophisticated. The hacker mentioned in that article is Jonathan Zdziarski, the foremost authority on iPhone security, who literally wrote the book on iPhone forensics. I have no doubt that if Zdziarski gets your iPhone and wants to do you harm, you are in trouble. The random guy who picks up the iPhone you left on a subway will almost certainly not be Jonathan Zdziarski.
Second, the iPhone is not unique when it comes to security risks. What about the risk of losing a briefcase containing confidential client papers? What about the risk of losing a laptop computer containing hundreds of gigabytes and many years of confidential information? Is it reasonable for a law firm to bar its attorneys from using briefcases or laptops? It would take a skilled hacker to bypass the password on your laptop (assuming that you are using one), but I have no doubt that there are far more skilled Windows hackers, and folks who can figure out how to open a briefcase, than skilled iPhone hackers.
Law firms need to be concerned about security. Just last month, the FBI issued an advisory that it had seen “noticeable increases” in efforts to hack into law firm computer systems. Smart hackers can exploit holes in network routers to tunnel into a law firm, especially one that doesn’t have the latest security patches. Moreover, security experts will tell you that while computer crime is an important risk, so is social engineering. How easy would it be for a person to walk into your law firm, perhaps wearing a genuine-looking uniform, or perhaps entering when a receptionist is away or distracted, and gain access to all sorts of paper files or computer terminals? And if a criminal calls lawyers and staff pretending to be from IT and asking for the user’s password, would anyone at your firm give it to them?
I can’t fault security firms such as Sensei Enterprises for issuing news stories which scare people. It helps to get them new customers, and if all law firms hired smart security consultants, the trend noted by the FBI last month would surely start to reverse itself. I also understand that because the iPhone is not only popular, but also a pop culture symbol, one can get a lot more attention writing a story about iPhone security than talking about Palm Treo security or Android security. Nevertheless, I think that people need to look at the big picture.
The problem is not iPhone security. The problem is security. Period. This includes computer security, smartphone security, physical office security, social engineering security, etc. If an attorney puts confidential information anywhere — be it on an iPhone, a laptop, or a legal pad — the attorney needs to be very cautious about what happens to that information. If you lose your briefcase, there is little you can do besides retrace your steps and hope to find it. If you lose an iPhone, you have the option of trying to determine its location using a service like MobileMe or you can immediately tell your system administrator (or use MobileMe) to remotely wipe the iPhone. It won’t work if a thief has already removed the SIM chip, but at least those are options that you don’t have with a lost briefcase or even a lost laptop.
Apple has already done a lot to improve security on the iPhone, and I’m sure that they will continue to do more. A lot of smart IT folks at major law firms have analyzed the state of iPhone security, and most of the most profitable firms in the country allow the use of iPhones. Indeed, just a few days ago, John Cox wrote an article in Network World entitled iPhone Winning Over Some Corporate Security Skeptics. That article quotes Andy Jurczyk, the CIO at Chicago-based law firm Sonnenschein Nath & Rosenthal LLP and a self-described security extremist, who says that there are currently more security measures for the Blackberry than for the iPhone, but nevertheless he became satisfied with the level of iPhone security once Apple added Microsoft ActiveSync support in 2008.
Each law firm needs to make its own decisions on security. Do you let your attorneys use a laptop at all? Have you ever hired a consultant to do a security audit? How easy is it to gain physical access to your office? What policies do you have in place when a disgruntled employee leaves? Each firm needs to decide what is best for its users, but when I hear that a firm decides to prohibit the use of laptops or iPhones or any other particular device, I can’t help but wonder whether the right focus is being placed on the most critical security risks.
Having said that, if you are an attorney using an iPhone, please use your iPhone’s passcode lock feature, and please don’t expose your iPhone to potential trouble by jailbreaking your iPhone.
Thank you for your well-reasoned article. Unless you are Jason Bourne and have a crack CIA assassination squad following you, you can rest assured your iPhone data is safe, as long as you enable the password lock feature.
The scare-tactic article on iPhone security reminds me of the flurry of security articles regarding the use of email by law firms years ago. Same issue then — were emails more or less secure than faxes? Than US mail? This issue is relative security.
The lost laptop is clearly the more crucial security issue (just ask Blue Cross) — wonder why there’s no “remote wipe” available for laptops.
Unfortunately the password lock feature on the iPhone isn’t that hard to defeat, even if you’re not Jonathan Zdziarski, especially now that he’s posted a YouTube video explaining how to do it.
The laptop question is very well taken. That’s why it’s a no-brainer that ALL laptops that could possibly contain sensitive information should have their hard drives encrypted. Easy and free to do – here’s an article that even explains how: http://www.officeforlawyers.com/lawtech/truecrypt.htm.
I agree that the issue is security, but just because you may not have perfect security in all areas doesn’t mean you should shrug and accept flawed security in one area. Until Apple fixes their security issues (most notably the encryption and passcode issues) I can’t in good conscience recommend iPhones to my business clients.
And I anxiously await a similar analysis of Droid security.
Well, the passcode can still be a guarantee of data security, but only for the revisions released at the end of 2009. Old devices can be dumped and their data can be extracted with a certain amount of knowledge.
By the way, do you create backups of your iPhone? This can be a weak point too, as new sorts of tools become available on the market, like Oxygen Forensics for iPhone. It can read password-protected backup files made by iTunes.
So, yes, the problem raised here is much wider than just the data on an iPhone…