iPhone Already Revealing Security Risks

If you check out Steve Matthews‘ great post today, Web Law Predictions for 2010, there is one that is already starting to stand out:

I’ll go out on a limb, and predict that 2010 will be the year a law firm somewhere will declare smart phones to be a security risk, jamming transmission internally or banning usage from inside the firm.

The ABA Journal recently noted concerns raised by Sharon Nelson and John Simek of Sensei Enterprises about the use of iPhones by lawyers. The major issue is that handheld device takes screenshots of documents in order to provide its trademark zoom and click functions. The problem is that these screenshots may contain confidential client information.

Jonathan Zdziarski, an iPhone hacker and data-forensics expert, explains in this video how to break the iPhone’s passcode lock, which would then allow access to all the confidential information.

Nelson observes that some firms are already taking proactive measures,

Apparently, one mid-sized law firm (50 plus lawyers) took the article very seriously. The firm has cut off all access to the MS Exchange Server for iPhones. Lawyers who have iPhone are being required to get BlackBerrys.
[emphasis added]

Check out the complete paper by Nelson and Simek on the subject, Why Lawyers Shouldn’t Use The iPhone: A Security Nightmare. Their 2006 book written with the ABA, Information security for lawyers and law firms, may also be of general interest.


  1. I hope they don’t. I know many law firms that out source their I.T. infrastructure to companies that have complete access to their email, databases, and on line systems remotely … is that a security risk? Then there are the law firms that use services such as Gmail to manage and maintain their email containing confidential information or the staff that bring their laptops home and traveling which contain completely insecure operating systems and unencrypted data.
    If they really are serious about security, I would suggest iPhones are the least of their worries.

  2. I think I’m with Michael on this. Cracking a computer is relative child’s play — as is breaking into an office and a file cabinet. So it’s not just iPhones that represent a risk. Think of briefcases.

    Until law firms make their lawyers use, and regularly change, complex passwords, encrypt every document, send email only over secure lines with encryption, cross borders with empty laptops, and outsource only to firms that pass certain security standards — it’s silly to worry about iPhones.

  3. I don’t necessarily think the fears raised above are valid, I’m just pointing out that they have been raised.

    There is risk with everything involved with technology. Unless we are going to hold lawyers liable for losing briefcases, I don’t see iPhones as a major concern right now, as long as they don’t deliberately leave it lying around providing access to confidential information – essentially the same as the briefcase.

  4. The whole issue has been overblown because too few lawyers are looking at the Rules of Professional Conduct for guidance on their confidentiality obligations. See my full response at http://reidtrautz.typepad.com/reidmyblog/2009/12/debating-the-intersection-of-confidentiality-and-iphone-security.html

  5. @Reid

    I read your response, but unfortunately comments are not permitted.

    It is obvious you like your iPhone and I understand that. What I would suggest is really needed is a technical assessment of the risks of PDAs, the type of information on them (depending on the business) and then reasonable policies crafted and enforced. This should be done with all businesses with all technologies.

    It is unfortunate, but security does not make money and is viewed as a hindrance. In todays web 2.0 world this issue is going to have to be managed and the sooner businesses realize that the better. They of course won’t realize it, until it can potentially cost them dollars and public embarrassment.

    The point I draw from all this is that lawyers have the privilege of dealing with sensitive issues and sometimes very sensitive information as well as their staff. With that privilege comes responsibility and accountability. It is not the same as the iPhone that has emails of a chat between friends. Law enforcement, doctors, security consultants, government officials, military all fall into this category and a breech on their systems should come with a greater price.

    As an example, given the current state of security on PDAs, I would suggest that a Blackberry has more security than an iPhone. An individual who chooses and iPhone over a Blackberry isn’t wrong. However, they are making the choice of convenience over data security today and that should be considered accordingly in an investigation of a breech in my opinion.


  6. Funny how security is driving stupidity. One firm I know of actually did a risk assessment and came to the conclusion that there was more risk to the organization that a user will die in a car wreck trying to access their phone than actually ‘prevent’ a hacking attack where the attacker is good enough to overcome the existing controls