Protection against Business and Legal Risks from the iPhone 5s Security Vulnerabilities

The iPhone 5s debuted with a list of new features designed to enhance its users’ experience.[1] Among the list is Touch ID, a form of biometric security that allows users to lock and unlock their iPhone with their fingerprint.[2] It was not long before a crowd-funded competition was initiated with $16,000 in cash and prizes offered to the first person to crack Touch ID.[3] A few days later, a video was released that demonstrated how to reproduce a user’s fingerprint to bypass Touch ID.[4]

Another vulnerability was also discovered shortly after the release of iOS 7 that allowed users to bypass the lock-screen passcode, similar to a previously identified vulnerability that affected iOS 6 devices.[5] Apple has since patched the passcode flaws[6], but the point is that it is not uncommon for security vulnerabilities on mobile devices to be discovered. Companies should be aware that unauthorized access to employees’ mobile devices is a real threat that can result in the theft of trade secrets and other confidential information. Companies can fortunately implement policies and procedures to help prevent data theft and system intrusions.

For devices using Apple’s Touch ID, such as the iPhone 5s, a traditional passcode is required for access if the device has been locked for more than 48 hours.[7] However, a phone could obviously become lost or stolen at any moment within that 48-hour timeframe. Consequently, employees with access to a company’s sensitive information should be prohibited from enabling Touch ID on their iPhone 5s.

Moreover, employees should be required to notify their employers if their mobile device is lost or stolen. An agreement should be in place such that the employee gives consent to the employer to remotely wipe the data on a compromised device. Companies should further require that employees’ mobile devices be current with the latest software patches concerning security.

It is important to note that these policies and procedures should be in writing in order to more effectively protect companies against lawsuits alleging inadequate controls for confidential information, and also strengthen compliance with applicable privacy laws. For more recommendations on how companies can protect sensitive information through employment agreements, refer to Zach Allie’s WinTech post, Bring-Your-Own-Device: Are Employers Opening the Door to Security and Legal Risks?.

[1] http://www.apple.com/iphone-5s/features/

[2] http://techcrunch.com/2013/09/10/apples-touch-id-a-500ppi-fingerprint-sensor-built-into-iphone-5s-home-button/

[3] http://www.cnn.com/2013/09/22/tech/mobile/iphone-5s-hack-bounty/index.html

[4] http://istouchidhackedyet.com/; http://www.cnn.com/2013/09/23/tech/mobile/iphone-5s-hack/index.html

[5] http://www.scmagazine.com/familiar-passcode-flaw-discovered-in-ios-7/article/312605/

[6] http://support.apple.com/kb/HT5934; http://support.apple.com/kb/HT5957

[7] http://support.apple.com/kb/HT5883