Wednesday, 27 August 2008

Mobile Security – iPhones and more

Mobile devices have long been the bane of the lives of those responsible for information security. They're transitory devices, never really attached to any company infrastructure and yet hold vast amounts of corporate data. While some have tried to establish some sort of control over these devices, most people, in my experience, have decided to ignore the problem, hoping that people will implement the security controls that they have built in. It has now been demonstrated that, with the news that the PIN on Apple's iPhone can be bypassed with three button presses (http://forums.macrumors.com/showthread.php?t=551617) , this is hardly a viable way to manage these sorts of devices.

The reason that this is even a problem is the ever increasing functionality on these devices. There was a time (many moons ago) when the only data that could be extracted from a phone was the phonebook and the odd text message. Now, many phones have VPN clients, access to corporate e-mail, the web and a whole host of data. And what is a phone these days, anyway? When does it stop being a phone and actually becomes more akin to a laptop? Take a Blackberry. It works as a mobile phone, yes, but it's primary function is as a lightweight version of a laptop, having access to e-mail and storing sensitive information.

You'd think that those used to dealing with sensitive information day-to-day would be more aware of the risks of losing these devices, but apparently not: http://www.telegraph.co.uk/news/newstopics/politics/labour/2437340/Downing-Street-aide-in-Chinese-honeytrap-sting.html.

So what should we do? As individuals, we need to recognise the value of our devices, over and above that of the hardware itself. Information has value. How many of us store our entire contacts list on our phone? What would we do if that got lost? Is there any information on there that could make me or any of my contacts vulnerable to identity theft?

Think about the following:

  • Always use whatever security features come with the phone, be it a PIN or whatever. It might seem a bit pointless given the above, but Apple will fix this. And there is a work around (which is strongly advised for all Apple iPhone users).
  • Don't store people's birthdays and full addresses in your phone. Someone's date of birth is an important piece of information to an identity thief.
  • Delete data that is sensitive. PINs, credit card numbers, passwords, they shouldn't be there.
  • Back up your data. Make sure that you do it regularly so that if your device does get stolen, it's fairly straightforward to get back to where you were.
  • Delete those old text messages. Or at least back them up, too.

If you do lose your phone, it would be worth contacting those people that you have got extended details for and let them know.

Companies have a number of options. I'll cover these in a later post.

No comments: