Worms in the Apple?
Bryant McConkie
Photo by Sean Graff
Major security flaws make Apple’s iPhone too risky for use in law firms and other businesses that deal with sensitive data, according to a computer forensics firm, and some law firms have banned iPhone use for their legal business.
Since July, Sharon D. Nelson and John Simek of Sensei Enterprises Inc. in Fairfax, Va., have published a series of posts on her Ride the Lightning blog outlining what they say is the ease with which all manner of data can be recovered from a lost or stolen iPhone, including voice mail, text messages and even screenshots of user activity.
Simek says the major security flaw is the ease with which the PIN of the iPhone can be bypassed. Simply placing the device into “recovery mode” allows a sophisticated attacker unfettered access to the hardware. Though the iPhone 3GS supports hardware encryption (the first model to do so), the protection it affords is neutralized by extracting a disk image using forensic software. The disk image is automatically decrypted by the iPhone as it is transferred off the device.
“The difference with [the iPhone] versus any other phone that we’ve come across is the iPhone gives you the ability to get at the device before the operating system is fully booted,” Simek says.
In addition, Nelson and Simek say, the device saves screenshots of user activity that can be used to establish an audit trail, even if the user doesn’t intend to save any information to the phone.
Even worse, a YouTube video provides details regarding how forensic data can be recovered from an iPhone. Jonathan Zdziarski, an iPhone security expert, offers downloadable tools for such forensic recovery. The download is free to law enforcement officers.
Proponents of the iPhone note the device features a “remote wipe” capability, which allows data to be deleted if you’ve lost the phone. But Nelson and Simek say this is insufficient, since the phone must be connected to the cellular network for the data to be deleted.
“It only takes one lawyer in one law firm to have that phone go into the wrong hands to potentially cause multimillion dollars’ worth of damage,” Nelson adds, “not to mention malpractice claims for not using a secure phone.”
In February, Apple released a security patch for the iPhone and iPod Touch models. The company stated that the patch addressed several security issues, including the ability to use the device’s recovery mode to bypass a user’s PIN.
Apple attributed the problem to a defect in the USB control system. At press time, the security patch was available only through iTunes, and not on the company’s website.
THEY SAID NO
Bryant McConkie, a partner at the Salt Lake City firm Strong & Hanni, says security concerns forced his firm to ban the use of the device by its lawyers beginning last December.
“I think it’s a best-practices kind of decision,” he says. “I don’t think we had any problems with privacy or safeguarding client information in the past, but the firm is quite committed to making sure that we don’t have those kinds of breaches.”
He adds, “I think the firm is wise to take all kinds of precautions as it relates to information security, but I do love the iPhone. I think it’s hands-down the best productivity device.”
Mike Lucas, chief technology officer for Hogan & Hartson in Washington, D.C., says the BlackBerry is the only smartphone his global firm supports—a decision the firm made in early 2009.
“We didn’t feel that the iPhone was ready for prime time in our law firm world,” he says. “The BlackBerry devices are pretty robust; it’s a seasoned kind of technology that you are able to administer quite easily. So we felt more comfortable with that platform.”
A representative for Reed Smith says the firm uses BlackBerry devices exclusively as well.
