IBM Makes Siri Wait Outside
May 23, 2012 12:05 PM PT
Enterprises are grappling with the growing trend of employees bringing their own devices for use at work, and with the security and other issues that trend raises. However, IBM has implemented a simple solution: Prevent the use of certain apps on employees' mobile devices in the workplace.
The company disables Siri, the voice-activated personal assistant, on employees' iPhones, as well as Apple's iCloud, and bans public file transfer services such as Dropbox, IBM CIO Jeanette Horan reportedly told the MIT Technology Review.
"Companies have had limitations on electronic devices for years," Jim McGregor, president of Tirias Research, told MacNewsWorld. "I used to deal with defense contractors all the time, and you can't take your mobile phone or USB stick or laptop into a Raytheon or Lockheed facility, for example."
The job of IT security, by its very nature, requires a certain degree of awareness that could be described as paranoia in the average person. Voice input into Siri is sent to and processed by Apple's data center in North Carolina, but it's not clear whether the data is then stored, or who gets to see it, and that's enough to give any IT security person the willies.
"Siri wasn't designed by people who understand basic mobile security," Randy Abrams, an independent security consultant, told MacNewsWorld. "This is why iPhone users found that when they locked their iPhones, their friends could still use voice commands to get Siri to let them perform actions that a device with minimal security capabilities would never allow. When you consider this basic security failing is by design, Siri is probably vulnerable to many avenues of attack."
The most common problems with Siri would likely be people speaking their password, "which is probably the same one they use for their email, network access and almost everything else," Abrams suggested.
Other threats are that employees could use Siri to record conversations that shouldn't be recorded, or that the app itself is a danger, Tirias Research's McGregor said. "It could be that the app could be enabled in a way that IBM doesn't desire."
As for the likelihood of security breaches due to storage of sensitive data outside an enterprise's network, "it's possible that Siri stores sensitive information, but Apple is not historically known to be cooperative in sharing what information they are collecting and storing," Abrams said.
What Is Siri?
Siri is promoted as an intelligent personal assistant, meaning it's more than just an interactive voice recognition and response system.
Apple's FAQ on Siri states that the feature uses information from users' contacts, music libraries, calendars and reminders to better understand what the users say. That implies the use of databases and, since voice requires large amounts of storage, this means the data is stored on Apple's back-end servers.
For a good explanation on how Siri works, see here.
How Siri Can Be Shut Down
There are various ways to shut down Siri and other applications a corporation doesn't want employees to have on their mobile devices.
One way is to have two environments, one for business and one for personal use, like RIM and VMware offer, Tirias's McGregor said. Or, enterprises can set up a patch that restricts what an employee's mobile device can do or access. The patch can be downloaded to mobile devices the first time they're connected to the corporate network.
Or corporations can use features provided by Apple to control Siri. "The iPhone has a setting to disable Siri," Abrams said. "Additionally, Apple has created a method to block older iPhones from using the Siri servers, which implies the ability to block Siri by blacklisting or by simulating an unauthorized device."
It's possible to selectively block Siri or other apps only when they're used during working hours, but it's difficult to know when the employee is working, as some take work home, Abrams said. Further, implementing the controls cost-effectively is a challenge. "The safest thing is to block Siri all the time."
IBM did not respond to our request to comment.