Should Apple secure its iPods?

Debate over responsibility, usefulness of device security grows

Few corporations are likely to ban iPods in the workplace, but whether Apple and other manufacturers of MP3 players shoulder some responsibility to add security to their devices -- and how effective that security would be – is a growing debate.

Apple didn’t return multiple inquiries asking about its stance on iPod security, but plenty of others are talking about what the company should or should not do to prevent its widely popular music player from being used as a data-transfer device for stealing sensitive corporate information. While this unintended use of the iPod is not exclusive to Apple’s device – employees with malicious intent could steal data using any MP3 player, or any removable media for that matter – Apple has sold more than 100 million iPods, making it the obvious choice.

“My initial reaction was that Apple should have as much responsibility as SanDisk has for securing its USB thumb drives,” says Kurt Tappe, Apple certified engineer with JP Morgan Chase, in an e-mail. “But then I remembered that iPods do not come out of their shipping containers with the ability to be used as data drives. The user must explicitly turn that function on in iTunes. To that end, it seems to me that Apple has already gone one step beyond other drive manufacturers.”

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Few corporations are likely to ban iPods in the workplace, but whether Apple and other manufacturers of MP3 players shoulder some responsibility to add security to their devices -- and how effective that security would be – is a growing debate.

Apple didn’t return multiple inquiries asking about its stance on iPod security, but plenty of others are talking about what the company should or should not do to prevent its widely popular music player from being used as a data-transfer device for stealing sensitive corporate information. While this unintended use of the iPod is not exclusive to Apple’s device – employees with malicious intent could steal data using any MP3 player, or any removable media for that matter – Apple has sold more than 100 million iPods, making it the obvious choice.

“My initial reaction was that Apple should have as much responsibility as SanDisk has for securing its USB thumb drives,” says Kurt Tappe, Apple certified engineer with JP Morgan Chase, in an e-mail. “But then I remembered that iPods do not come out of their shipping containers with the ability to be used as data drives. The user must explicitly turn that function on in iTunes. To that end, it seems to me that Apple has already gone one step beyond other drive manufacturers.”

An extensive search of the iPod and iTunes sections of Apple’s Web site turned up no information about setting the devices for data transfer, but also did not warn against the potential for misuse when iPods are set as such. However, in Apple's support section, there is an entry explaining how to enable an iPod as a storage device.

Others say Apple may not be responsible for securing its device beyond the basic lock function that it comes with, but offering such features couldn’t hurt. This could become particularly important as corporate IT departments begin to consider purchasing other Apple products, such as Mac desktops and servers, in helping Apple build confidence among security-conscious enterprises.

“I wouldn’t put this responsibility on [Apple] as mandatory; I would prefer to see Apple offer it as an add-on feature and let the market dictate its usefulness,” wrote Louis Tinto, risk manager and director of technology risk assessment with a large financial-services company, in an e-mail. He stresses that educating employees about corporate policies regarding use of such devices and having workers regularly attest to their understanding of such policies is the best first step to take in protecting against data theft via iPods.

Another important consideration for Apple is that some enterprises are beginning to use iPods as corporate devices and will want to integrate them into their security plans, so offering such protection could become a make-or-break issue for selling into these accounts.

According to a press release issued by NextSentry, which makes desktop software that prevents unauthorized copying of data to removable media and which issued the warning of iPods in the workplace, these devices have been purchased by the thousands by manufacturing companies, financial-services firms and healthcare suppliers as a means to train, educate and inform their employees.