Data Mobility Group, LLC - High Definition Analytics and Technology Market Insight

How An iPod/iPhone Can Compromise Your Exchange Server

Imagine accessing your iPod Touch or iPhone to check your email and finding not dozens, not hundreds, but thousands of email folders—none of them yours.

Several questions race through your mind: Whose are they? How did they get here? Why are there so many? Why are they all empty? Why can’t I get rid of them?

Here’s what’s going on. If you use MAPI to access a Microsoft Exchange server over WiFi, then your iPod Touch or iPhone can access any available public Exchange folders within range, with or without your permission. (Not to mention anyone else’s permission.) Simply walk within range and in moments you will be connected. Once connected, your device will download more than just your Exchange email. It will download every public Exchange folder it can see on the network. The folders (but not the contents) will be appended to your device’s existing public folder tree. Should you select a folder, the contents will be downloaded as well.

If you are within range of as many WiFi networks as I am every day, you will soon find yourself in possession of thousands of public folders that do not belong to you. Worse, you will have no way—no simple way, anyway—of removing them from your iPod or iPhone.

For digital thieves, the iPod and iPhone are portable gold mines. Unsecured wireless networks provide hack-free access to public Exchange folders. Employees who use public Exchange folders to share information within their companies inadvertently expose themselves and their companies to privacy violations or worse.

And this brings us to something business people tend to forget: Security is 20% technology and 80% policy. Let me put it another way: Security is 20% having the right stuff and 80% doing the right thing. The best security technology in the world cannot compensate for poor policy and enforcement. Clearly, companies should not use public Exchange folders to share information on unsecured WiFi networks. Better yet, they should simply secure their wireless networks in a world where ordinary citizens have transparent, effortless wireless network access.

If you own an iPod Touch or iPhone and you access your company’s Exchange server using MAPI, be aware that you may already have scooped up a pile of public Exchange folders and data that do not belong to you. I figure that during an average 30-minute drive from my office to any destination, I come within range of at least 200 unsecured WiFi networks. In perhaps 10% of those cases, I am within range long enough for my iPod to pick up unwanted email. My policy now? I shut the iPod off while I’m driving.

And my technology? I have not yet “unlocked” my iPod to determine if accessing the underlying OS would enable me to delete the folders. Unlocking the device raises a new set of issues related to future upgrades and damage due to modifications not covered by warranty. I sure hope Apple closes this security loophole in its official release of 2.0 in June.

© 2002-2008 Data Mobility Group, LLC. All Rights Reserved.