NetworkWorld: iPods are ‘security threat’


First a proof-of-concept virus for the iPod is created (of note to the 10 of you who install Linux on your iPod). Then a company called NextSentry (which sells security products related to removable storage devices) calls for a workplace ban. Now Network World’s Cara Garretson says “it would seem that iPods pose a particularly high risk to corporations that let employees wander into work with these devices strung to their ears.”

Network World informs its readers that “Those same devices that entertain workers during their commute can be used to copy personal or financial data, intellectual property and other sensitive information from corporate PCs, often without a trace.”

Wow, way to be on top of this aspect of the iPod. Let’s see, when did it gain the functionality to act as a portable hard drive? Oh, right, when it was first released in November 2001. And when did it gain PC compatibility? As recently as July 2002.

“If you see someone walking in the door with an iPod they don’t look like a threat, but to me I see the ability to download reams of files, and it might just look like they’re downloading music,” said Jim Hereford, CEO of NextSentry, which issued the suggested iPod ban.

But Hereford clarified the suggested ban by noting that “We’re not saying companies shouldn’t allow iPods, but they better have endpoint security on their desktops.”

Endpoint security technology blocks information that’s been deemed sensitive from being copied onto removable media, e-mailed or printed. And who sells such technology? Why, it’s available from NextSentry!

So when they said companies should ban iPods from the workplace, they were really just saying ‘Buy our products’ (or else your company will perish).

Thankfully there’s some sanity brought to the discussion.

“Devices such as iPods and other MP3 players are basically storage devices; some can store substantial amounts of data and are innocuous enough that their presence is almost unnoticed in our daily lives,” says Tom Scocca, investigator and global security consultant for a large provider of microprocessor manufacturing technology. “Controls targeted at these devices should be based not on the type of device, but on the risk that companies are willing to accept by allowing any type of external storage device into the environment.”

So “Can an iPod bring down your company?” Certainly a malicious employee with an iPod can do so. Of course, so could a malicious employee with a CD burner, hammer or box of matches.

“We have to rely on our trusted employees,” agrees David Jordan, CISO at Virginia’s Arlington County.

However, Jordan adds that if an employee comes in with malicious intent, “there’s not much we’re able to do about that except prosecute, and we have had people go to jail for breaking the rules.”

Can an iPod bring down your company?



I think publications are focusing on iPods primarily due to recent media news such as the pod slurping issue. As Brian commented, the media should not just focus on iPods period. USB sticks, CDs, floppies etc. pose just as much and the same kind of threat as iPods do. And I believe it’s wrong to promote the ‘banning of portable devices’ as a solution to this ‘problem’ or a security measure for this threat. That is so counterproductive! There are software tools available which can just show you what’s hooked on your network and you can control who has access to what, and who has the rights to read/write to portable devices. Very simple and very effective, without the need to ban anything really. Have you ever wondered what portable devices are hooked/and have been hooked to the computers on your network? You’d be surprised. One way to find this out is by running this online tool, EndPointScan. It’s very quick and free to use, good to give you an insight on where you and your network stand with this whole portable storage security issue.


Geez. This is just what we need, another crackdown of our freedoms in the workplace.

Don’t get me wrong, I don’t see many companies taking this obvious ‘scaremongering sales pitch’ seriously, but it only takes one knee-jerk reactionary process manager (and we have lots of them here in IBM) to decide that this is a good thing, and we will be banned from even bringing our basic (non-mp3 or flash based) mobile phones into the office.

As for why, Brian, that they chose to focus on the iPod, it’s obvious that it’s because the iPod is the leading market share ‘mp3 player’ and the name ‘ipod’ can be subconsciously applied to ANY music playing or memory capable device. You just watch, we will have to switch back to CD players, and then they’ll probably be banned too.


I’m not sure why they chose to focus on iPods, and not something like USB drives, which are much easier to do malicious things with.

I have heard of companies filling the USB plugs with epoxy to prevent some of these types of things. I have no idea how widespread this is, though.


Let’s not forget flash drives and online storage. While emailing yourself documents could be traceable with a company’s email server or storing files online could show up on the gateway server, flash drives, iPods, and optical media are less traceable. I guess you better buy their products!

I don’t see Apple banning iPods at work, so I feel I am safe!

David Bailie

And while we’re banning iPods et al, let’s also equip all companies with the same memory-erasing device they had in Men In Black. Because with the passwords we probably all remember, bringing down the company is just around the corner.

Umm, paranoia anyone?
