[ISN] Employers loosen rules on camera phones

From: InfoSec News (alerts@private)
Date: Tue May 20 2008 - 01:31:27 PDT


By Matt Hamblen
May 19, 2008 

Cameras are available on just about every kind of wireless handheld 
device, from inexpensive cell phones to high-end smart phones, putting 
pressure on IT managers to reconsider corporate security policies 
banning cameras.

In 2004, when cameras first became widely available for devices, many 
companies that purchase devices for their employees dug in their heels 
and asked their wireless carriers to provide models with no cameras. 

Four years later, however, that hard-line approach appears to be 
softening, at least in the private sector. "Some companies are still 
avoiding [devices with cameras], but that's a minority," said Gartner 
Inc. analyst Ken Dulaney in a recent interview. Dulaney works with many 
Fortune 500 companies on their mobile device purchases and policies.

"Many companies have now relaxed their rules, as most are resigned to 
the notion that virtually all phones include cameras built-in," added 
Jack Gold, an analyst at J.Gold Associates LLC.

At one large U.S. corporation that provides BlackBerry wireless devices 
to 30,000 users, the camera ban was recently lifted for new device 
purchases. "Even the low-end phones are coming out with Bluetooth and 
cameras, so we've ended up adding cameras to the mix of devices 
allowed," said a senior IT manager at the company who asked not to be 
named because of corporate policies. However, the IT manager said that 
when the IT shop can disable the camera via management tools over the 
network, it will do so.

There are network management tools that curtail camera use. Research In 
Motion Ltd., maker of the BlackBerry, makes models that enable the IT 
staff to turn off the camera through the BlackBerry Enterprise Server, 
so an employee can't surreptitiously photograph proprietary information 
or inappropriate material. Similar photo-blocking is available with 
Windows Mobile Exchange synchronization functions, the manager noted.

But the manager said there's no similar way to control photos that are 
taken on some devices and sent over Bluetooth wireless. Because of such 
loopholes, there are questions about how any organization can control 
camera usage. "We want to minimize the potential risk, but there's 
minimal risk anyway, we've decided," the IT manager added.

Some models of the latest cell phones and smart phones are available 
without a camera, to satisfy strict business buyers. Verizon Wireless 
spokeswoman Brenda Raney said some models are sold that don't have a 
camera, including the BlackBerry 8830 smart phone, out of an inventory 
of about 30 models from various manufacturers.

"Some companies don't see the camera as an issue, but some still prefer 
employees not have them in phones," Raney said. Some industries, and 
many government agencies, have tougher standards than others, she noted.

Gold, who advises corporations on wireless use, said he used to tell 
clients to buy phones without cameras to avoid security issues. 
"However, the truth is, most phones today have cameras built in, and if 
you search for a good-feature phone, you will likely not be able to find 
one without the camera," he said. Instead, he urges companies to educate 
their users about the security risks of cell phone cameras and to 
consider turning off the cameras over the network.

The anti-camera policies were designed to prevent employees from taking 
photos of information on computer screens or a company's new internal 
technology and then using the photos to compromise the company. 

But a camera lens can be the size of a pinhole and easily hidden, so it 
can be extremely difficult for a security guard to detect a camera 
carried by a visitor, analysts noted. Even proving that a device has its 
camera turned off would be difficult, since the guard would need to 
carefully read the device's interface to determine whether a camera was 
turned off. Security guards sometimes confiscate phones suspected of 
having cameras, or even resort to putting tape over the lens.

Dulaney said he first wrote about cameras as a security threat in early 
2004, after seeing a flood of camera phones at the Consumer Electronics 
Show. He said then that camera bans were "an overreaction" by business 
users, since there are many ways consumer devices, such as USB flash 
drives, can be used to grab information.

Blanket bans on cameras are "a stupid position," Dulaney said recently. 
"If you are a spy, you won't have a camera that people can see." Four 
years after writing his initial report, Dulaney said having a camera on 
a handheld device can actually be valuable for an employee in some 
situations, such as photographing a crime in an employee parking lot or 
other location.

Many companies deploy cell phones with cameras that are used for 
business purposes. Repairmen use them to take photos of defective parts, 
while real estate agents use them to grab a quick photo of the interior 
of a home for sale, analysts noted.

Dulaney urged companies to set up secure zones where restrictions on 
cameras are tightest because of the greatest risks involved. That might 
mean, for example, that a company would show off its latest product only 
in a secure zone and would search visitors and confiscate cameras at 
that location, he said.

"Usage guidelines are far more effective than outright bans," Dulaney 

At the Los Angeles Community College District, camera phones are not 
banned, although there are plenty of locations where security is 
important, such as the school's finance offices, where student payment 
records are displayed on computer monitors and laptops, said CIO Jorge 

To limit the risk of someone outside the school passing by a terminal 
and seeing and photographing private information, the college district 
has installed "hundreds" of privacy filters on laptop and PC screens, 
which prevent anyone but the user from seeing the information, Mata 
said. The filters range in price from $45 to $200 apiece, he said. "We 
don't want to risk privacy," he said.

As for the more general issue of cameras used to take photos of secure 
information, Mata said common sense by users and general guidelines make 
the most sense instead of a strict ban on phones with embedded cameras. 
"Some things do not come down to a technology solution," he said.

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Tue May 20 2008 - 01:42:59 PDT