By LEE GOMES
Corporate Security's iPhone Challenge
June 19, 2007
The big news in the tech world is the June 29 arrival of Apple Inc.'s iPhone; bets are being taken as to whether the device will be the company's next iPod-like smash hit or Newton-like debacle.
Amid the uncertainty, one thing is certain: The new device, much like its iPod cousin, will present security challenges for corporations. Nick Magliato, with the corporate-security company Trust Digital, explains why.
If you are a corporate IT guy, what should you say about iPhones in the workplace and connected to the corporate network?
You just say no. That's what a lot of corporate IT guys have said about iPods. Two years ago, it was a policy that was written down, but not enforced. Now, there is technology that prevents iPods from being connected to the enterprise network. Potentially, they could maliciously take information off the network in an unauthorized way. But the bigger risk really is their accidentally putting a virus onto the network.
How can that be a problem? Don't these devices just play music?
An iPod is nothing more than external storage that has a music player built into it. It's the equivalent of a USB thumb drive. People use their iPods to carry documents around and do things just like it was a thumb drive. And the iPhone will present the same challenge.
The risk is that there is an eight-gig device that's connected out onto the Internet, and we know there are bad things and bad people out on the Internet. Any information about you or your company that you put on the phone could be available to anyone on the Internet.
So when the iPhone comes out, companies should stick with whatever their external-storage policy is. The iPhone will look just like an external USB connection.
Have bad things actually happened with iPods inside companies?
About two years ago, the big story was the U.K. government banning iPods from all agencies. And I think most companies have policies about external-storage systems not being allowed without some sort of approval. But it's very difficult for a company or government to really control who is carrying what in their pocket when they walk through the front door, and what they are going to do once they get inside.
There are technologies that have come out to control anything that connects to the USB port. There are technologies that help enterprises manage anything that connects to a USB port on a PC.
Might there also be a risk with the phone part of the iPhone?
We are in an age when people want to be unwired. They want to be able to take their personal and professional life with them as they move. And the iPhone fits that category.
But anytime you have something that carries a lot of information about you and your company, it immediately becomes a target for security attacks. Hackers are always looking for the weakest link: What's the easiest way to introduce a virus into an environment that will get headlines? And thumb drives and iPods and mobile phones are starting to look like the weakest link.
Are mobile phones themselves safe from hackers?
Some text-message attacks have occurred in Europe, where a message will come into the phone and act like a virus, distributing text messages to other people on your contact list. It's like what we've seen on the Internet with e-mails.
Are there any other risks?
The other thing we hear a lot about with cellphones is simply about them being lost or stolen. If you've ever gone to the airport to collect a cellphone you accidentally left behind, you probably saw bins and bins of them that others had also left behind. And a lost phone is very difficult to secure.