Ensuring smartphone security

originally published in Lawyers Weekly

Take a good look at your mobile phone.

The thing you use to make calls on the go now does email, chat and web surfing, takes pictures and voice recordings, and lets you use practice management systems.

Legions of software developers and users alike use smartphones as platforms much like they use Microsoft’s Windows or Apple’s MacOS – as a means to an end, not just an end in itself – which makes modern phones harder to “lock down” than their predecessors.

“Losing today’s smartphone is like losing your laptop,” wrote Brett Burney, principal of Burney Consultants LLC, in an article for abanet.org. “There is a gold mine of sensitive and confidential information on your phone that shouldn’t be allowed in the wrong hands.”

Steve Matthews, principal of Stem Legal Web Enterprises, raised a few eyebrows when he predicted in a blog post that “a law firm somewhere will declare smart phones to be a security risk, jamming transmission internally or banning usage from inside the firm.”

“The limb I was referring to is law firms who overestimate security risks, especially when they fit another motive,” Matthews explained. “In this case, I think the other motive is in-house productivity. Many firms block access to online timewasters, which simply routes employees to personal smartphones not under firm control.”

“So my ‘limb’ was that we might see some law firm out there use it as an excuse to regain that internal control.”

Increasing discussion of smartphones, timewasters and all, has mainly been stoked by Apple Inc.’s iPhone, which has caught the eye of many a lawyer. Yet Sensei Enterprises, Inc. vice president and forensic technologist John Simek insists the iPhone is riddled with security risks. He authored a paper entitled “Why Lawyers Shouldn’t Use The iPhone: A Security Nightmare” that picked apart the iPhone’s security lacunae.

Among his criticisms:

  • data encrypted on an iPhone can be decrypted by transferring it off the phone using an SSH connection
  • replacing a passcode file on the phone with one that contains a blank passcode removes the unlock code

“The problem is inherent in the iPhone design and must be fixed by Apple,” Simek insists.

While nobody denies Simek’s charges, his article has earned rebuttals that centre largely on three points: that the smartphone genie has long since escaped the bottle; that no technology is 100 per cent secure; and that the security gaps on the iPhone require a not insignificant level of technical expertise (like SSH and passcode files) to exploit.

Matthews also deemphasizes the passcode criticism. “BlackBerry owners are equally deficient in not enabling smartphone passwords,” he says.

Dean Leung, Director of Information Technology for Davis LLP, points out another counterargument – the risk inherent in smartphones relative to other things lawyers use to store information.

“I’ve heard of breaches via smartphones,” Leung admits, “but they aren’t as severe as those from stolen notebooks.”

Thieves would most likely wipe iPhones to use themselves or sell them, Leung opines.

That said, Davis has standardized on BlackBerries for several reasons, not the least of which is peace of mind. “BlackBerry devices are the most mature when it comes to security,” Leung says, noting that their maker, Research in Motion (RIM), has been catering successfully to the business market for much longer than the competition. “Other smartphones are several generations behind in terms of security.”

“They’re pervasive in the US government,” Leung adds. “Even President Obama carries a BlackBerry.”

Leung, who also serves on the Mobile, Remote and Wireless Peer Group Steering Committee for the International Legal Technology Association (ILTA), acknowledges other reasons for standardizing on one handheld. These include a more straightforward helpdesk workload and the applications all Davis lawyers have on their ‘Berries, like digital dictation, time and billing and a document management system client.

Carrying all these tools, plus email, contacts, calendar and so forth in a shirt pocket or purse instead of a briefcase or roller bag, makes lawyers loath to cede their smartphones.

That doesn’t stop them from grumbling about the hassles of keeping mobile devices secure, though. Leung understands this. “It’s inconvenient to wear a seatbelt or to put a PIN number on an ATM card,” he says.

Yet lawyers need to accept their roles as the first line of information security for their firms. “Lawyers have an ethical obligation to educate themselves on how technology works,” Leung says. “It can’t be a black box anymore.”

Smartphone security tips

To protect your smartphone’s information – and safeguard your career – take some simple precautions.

1.    Know where your phone is at all times. While few people fret over losing simple cell phones, smartphones are another matter.

2.    Program a pass code that you must enter each time you want to use the phone. This measure prevents data loss to unscrupulous yet non-technical people who pick up your phone.

3.    Have the device lock itself after a set number of login tries (e.g. 5) to prevent unlimited numbers of guesses at the passcode.

4.    Set the phone to lock itself after a period of inactivity (e.g. 2 minutes).

5.    Don’t save user names or passwords on your phone.

6.    Regularly back up your smartphone by synchronizing it with your computer. Should you lose your phone, you can put your important information on a new phone in a matter of minutes using the backup on your computer.

7.    Keep your Bluetooth and wi-fi connections off if you don’t need them. Aside from preventing attacks, keeping these connections deactivated prolongs battery life.

8.    If you need to use Bluetooth, turn the “discoverable” setting off unless you want to pair the phone with another device (like a headset). Once the devices are paired, turn “discoverable” off again.

9.    If you dispose of the phone, “wipe” it clean (i.e. take all your data off the phone) after you put your information on a new phone. Today’s smartphones let you do this right on the phone itself.

10.    If you lose the phone, “wipe” it remotely. Again, this capability is built into modern smartphones.
