The Mac Lawyer Using Macs in Law Firms | Attorney Ben Stevens

The TRUTH About iPhone Security

By J. Benjamin Stevens on Posted in iPhone, Security

Is the iPhone secure? That question has been hotly debated in legal circles since its release. To date, the loudest replies have been by those shouting “No” (see here, here, and here) but does that make that answer true? Ben Stevens of The Mac Lawyer and Finis Price of TechnoEsq now enter the fray to try to set the record straight.

The anti-iPhone crowd makes the following three types of claims to support their position that the iPhone is the “the most insecure phone we’ve ever seen” and that “the words iPhone and security do not belong in the same sentence”: (1) it’s too easy to jailbreak; (2) there are encryption weaknesses; and (3) it stores screenshots.

Finis is both a practicing lawyer and computer forensics expert, and he recently participated in the Droid v. iPhone debate in the ABA Journal.  With these impressive credentials, he responds to each of those allegations as follows:

  1. The fact is that many so called “smart”phones can be cracked and the data stolen. Of course, the same can be said of laptops, and how many lawyers have theirs encrypted? One key difference with the iPhone is that it allows you to remotely wipe the email in the event that is ever lost. Starting back with the iPhone 2.1, it is possible to have the iPhone wipe its data after ten invalid tries, with each attempt being longer and longer. How many attorneys can do that with their laptops? Further, if your corporate email is set up correctly, your mail disappears if your password expires. While this can be annoying, it is more secure than the BlackBerry, which stores the email on the device itself. Also, the iPhone holds only 150 emails at most, which while annoying is more secure than the BlackBerry, which stores much more. Therefore, even if you use POP email, you are only risking 150 emails. 
  2. The allegation that the iPhone has encryption weaknesses rings hollow. There are about 100 security apps in the App Store which allow you to encrypt the iPhone to protect it in case it is lost or stolen. You will soon be able to add biometric security to the iPhone through apps if you so desire (learn more here). The fact is that since the 3G-S version was introduced two years ago, the iPhone has been as secure, if not more secure, than any laptop – period.
  3. I believe that the argument about storing screenshots is outright silly. Yes, the iPhone gives you the ability to store screenshots in your photo album, but you have to work a little by pressing a couple of buttons every time to make one. Despite the clamoring made by some, this is not done automatically. Moreover, the only way you would not know about this happening was if you never looked at your photos. I will acknowledge that I have accidentally done this on my home page, but I have never done in by accident within an app.

Is anything 100% secure? Of course not. Law offices are subject to being broken into and/or having wandering eyes (such as cleaning crews) access client information. Legal pads and paper files get lost or misplaced, and how secure is a briefcase to someone who wants to get inside of it? One could argue that even the information stored inside the lawyers’ brains is not secure. Give Jack Bauer ten minutes and I guarantee that he would get information out of the most ethical, security conscious attorney in the world.

All of this might make one wonder why iPhones are being targeted and unfairly branded as being “unsafe.” A skilled forensic expert gets physical access to a laptop computer, he can extract all sorts of information, even that which was thought to have been deleted. Yet we find it odd that we don’t hear anyone claiming that it is unethical for an attorney to use a laptop, as some have stated about the iPhone.   One cannot help but wonder whether those are merely the ramblings of fear-mongering PC-centric dinosaurs or those interested in selling us something?

Addendum from Finis:

One of the comments below references a forensics white paper about the screenshot issue.  In that paper, he actually had to use a method called "carving" to get those images. This entails using a program to search for the hexadecimal values for image files in the temporary memory of the device. This results in over 2,000 images – most of which are not screens, being reported. These are then widdled down to whichever screenshot haven’t been overwritten. This is not the same kind of screenshot we take with the iPhone, but rather a function of the transition effect the iPhone uses. However, it should be noted these files aren’t even stored in an image format, they are simply bits and pieces of temporary memory which can be retrieved using a forensics tool and a LOT of forensics training.  Using a carving tool, a forensics examiner could retrieve ANY image displayed on ANY computer device which outputs to a display. So the terminology used of the iPhone just taking and saving screenshots is misleading. These are not screenshots in the ordinary sense users of the iPhone use or can access.

We invite your input using the Comments section below.

  • bradLEY KAPLAN

    Great comments ! My firm cut off mobile email to iPhones and Palms in favor of Blackberries recently. The security issues were the basis of their argument. The final issue used by IT was that they can remotely push out things to the Blackberries and not to the Iphones ? The Blackberry is a better telephone than the Iphone, but other than that it does not compare, and who makes telephone calls anymore ??
    Really hoping that Iphone 4.0 will address more security issues and that Verizon will have it soon so I can start to push again. I would get an Ipad in a flash if RSA security can work on it to connect to OWA and our terminal servers just like I can on my Mac.
    HELP ME IN CINCINNATI !!!!

  • http://www.inter-alia.net Tom Mighell

    Guys, I’m no iPhone hater here – I love my iPhone. But I have to ask about your third point, that the iPhone does not store screenshots. I’ve been reading the blog of Jonathan Zdziarski (http://www.zdziarski.com/blog/), and he states that the iPhone takes screenshots as it zooms in and out of applications (to create the animation of zooming), and stores these screenshots – these shots show the last thing the user was looking at before they changed screens. He also shows examples of screenshots saved by the iPhone during this process in a white paper on iPhone forensics, which is authored by a number of different people (and available at http://viaforensics.com/wpinstall/wp-content/uploads/2009/03/iPhone-Forensics-2009.pdf).
    Is there something you guys know or have seen in looking at the iPhone that would contradict Jonathan’s findings? I agree it is extremely unlikely that a user will “accidentally” take screenshots without their knowledge, but according to the above paper this happens behind the scenes, and doesn’t appear in Photos or any front-facing app.

  • http://www.TechnoEsq.com Finis Price

    Tom,
    Here is my response from your comment on TechnoEsq:
    If you read that forensics whitepaper, he actually had to use a method called ‘carving’ to get those images. This entails using a program to search for the hexadecimal values for image files in the temporary memory of the device. This results in over 2,000 images, most of which are not screens, being reported. These are then widdled down to whichever screenshot haven’t been overwritten. This is not the same kind of screenshot we take with the iPhone, but rather a function of the transition effect the iPhone uses. However, it should be noted these files aren’t even stored in an image format, they are simply bits and pieces of temporary memory which can be retrieved using a forensics tool and a LOT of forensics training.
    Using a carving tool, a forensics examiner could retrieve ANY image displayed on ANY computer device which outputs to a display. So the terminology used of the iPhone just taking and saving screenshots is misleading. These are not screenshots in the ordinary sense users of the iPhone use or can access.

  • Michael S.

    I do own an iPhone and I love it. However, it is not a very secure device, and the Blackberry is the only device I authorize to connect to my company’s email system.
    The reasons why the Blackberry is preferred by security-minded institutions are:
    1. The Blackberry is a managed device. Any feature can be restricted in order to maintain the security of the data it contains.
    2. The Blackberry can be wiped remotely if lost or stolen
    3. The Blackberry has a long history as a business device, used by government agencies and financial institutions. It has undergone a tremendous amount of security testing.
    The iPhone on the other hand was designed as a consumer device, and is constantly the target of successful exploits. It cannot be managed, and while it could be wiped out remotely (if the owner has a MobileMe account), the wiping process is slow and error-prone. During that process, the iPhone can be rebooted, interrupting the wiping process (except for the iPhone 3GS).
    Another problem with the iPhone is the 4 digit password. And while this is sufficient to protect personal data, no enterprise system should be protected with such a simple password scheme. Also because of the large keypad on which one “types” the pass-code, an onlooker could deduce the code by the position of the user’s fingers.
    This is why I will trust the iPhone with my photos and web browsing history, but not with sensitive corporate data.

  • Matthew C

    The posts above and many points in the main article are incorrect. The iPhone 3GS has full 256-bit encryption of the entire device, at all times. It cannot be disabled. The remote wipe facility on the iPhone 3GS is instantaneous; it simply sends an instruction to delete the encryption key, making all the device data inaccessible. The iPhone Configuration Utility allows enterprises to set detailed security management policies for multiple iPhones, which the users cannot change. These policies include complex passwords, required password changes, application restrictions, password attempts before auto-wipe (can be set to as few as you want) and so on. Everything an enterprise needs is built in to the iPhone 3GS and iPhone Configuration Utility. iPhone OS 4, coming this summer, will contain even more security features including push configurations over the air. We are paranoid in our business; we use iPhones in our business with security policies enforced centrally, plus the built-in encryption, and they are super-secure.
    I should add that the 3G and original iPhone are nowhere near as secure as the 3GS. They do not have full device encryption, and therefore the remote wipe of a 3G can take almost an hour, because once the instruction is sent to the device, it must wipe itself bit by bit, rather than just erase one encryption key. I would not allow the 3G or original iPhone in an enterprise, but the 3GS is very, very secure.

  • Steven Goldman

    Hi Bradley would you mind sharing what software you are using for terminal services?
    Thanks,
    SG

  • IT Manager

    I am a personal IPHONE user. But, the talks of the IPHONE being more secure than the BB are just nonsense. I ran a wireless apple network for several years and now one of my responsibilities is to handle wireless.
    Until apple invents a centralized platform like Blackberry (BES Server). Than you are no where near as secure as a BB. Everyone talks about the IPhones password protection (that is the highlight of it’s security).
    Blackberry’s use “Triple DES” encryption which for all the people talking about apples 256 bit encryption that is childs play compared to Blackberry.
    Data sent on a Blackberry first goes over your carriers encrypted wireless network, then throught your corporate encrypted network (through your BES server), from there the data is encapsulated and transmitted via RIM’s worldwide network).
    So Apple you want to be in a corporation that value’s security do the following:
    - make your device more secure
    - design a centralized platform where all IPHONES can be controlled from
    - build a private network that will handle all data traffic from all your customers
    Then come talk to me.
    P.S my personal phone is an IPHONE (PERSONAL).

  • Rookie

    I know this is very much on behind, but I just came across this article while doing research.
    I second @IT Manager’s comments about end-to-end encryption and centralized management with the capability to set and enforce security policy on all handsets, including secure wipe. If Apple wants to get serious about enterprise adoption, don’t look at the handsets, it should look at the BES server. The iPhone config utility is a start, but its not there yet.
    As an IT security manager, I’m not anti-iPhone(other smartphones have the same issue), I’m anti-chaos and anti-getting fired.
    @Finis Price
    “Of course, the same can be said of laptops, and how many lawyers have theirs encrypted?”
    They don’t??!!
    Not using a transparent, widely available, easy-to-use, and cheap software tool to protect client data from a well-known and likely risk sounds like reckless disregard to me. Can’t clients sue their own lawyers over something like this if their data gets disclosed?

  • http://www.technoesq.com Finis Price

    @Rookie
    No, most attorneys do not have their machines encrypted. Most states have rules that this is not against our ethical rules of conduct. I assume you would agree every attorney’s office should also have a vault to protect client data as well?
    Finis

  • Danial Smith

    Passcode settings allow you to disable simple passwords and use a password of your choosing. True, lawyers are not required by state ethical rules to encrypt laptops.
    Nevertheless, if you are damaged by a lawyer’s failure to protect your confidential data, you may want to discuss your rights with a (different) lawyer.
    Sent via iPhone.

  • Pingback: BBB Search » iphone security

  • Pingback: BBB Search » iphone security