Nicolas Asfouri / AFP - Getty Images

A woman checks her smartphone in this file image.

If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months.

Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It's a less-than-ideal security arrangement that technology pros call BYOD — bring your own device.

Now, lawyers are warning there's an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.

It's a possibility even technology pros rarely consider, said Michael R. Overly, a technology law expert in Los Angeles.

"You would be very surprised to hear that even extremely sophisticated business people seem shocked when they learn their personal phone, including email, GPS data, photos ... may be subject to review in litigation involving their employer," Overly said.

BYOD is a worldwide reality and a dramatic shift in the way companies outfit their employees with work tools. Cisco Systems Inc. released a report earlier this year saying 42 percent of all "knowledge workers" own the smartphones they use for work, and two-thirds of companies expect the employee-owned device phenomenon to increase.

Hidden cost
The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms.

Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.

“People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said. “Employees really do need to understand that .”

Giri Sreenivas, a mobile phone security expert at Boston-area firm Rapid7, warned discovery requirements can extend far beyond email stored on smartphones.

"Text messages and cellphone records might be subject to discovery, too, even if you never connected to company email," he said.  "If lawyers believe the device was used for work purposes, it can be (taken).”

Race to keep up
How could firms gain the right to rummage through the most personal items on worker’s phones — pictures, texts, social media accounts?  In many cases, it’s not a right, it’s a duty, says Overly. When a company is sued, and required to produce documents as part of a discovery process, it must make a good-faith effort to retrieve data — wherever it may be. That includes employee-owned gadgets. 

In fact, Overly says he was part of a case recently where a judge sanctioned a company for a discovery violation because it failed to search BYOD devices during discovery. He declined to name the case.

Companies are racing to keep up with the trend — trying to set policies, inform workers of their rights, and superimpose BYOD rules over arrangements that organically evolved within their workplaces. Increasingly, companies are requiring workers to sign agreements that alert them to the potential of personal gadget seizure, Overly said.

Christopher Dahl runs a Seattle-based firm that specializes in digital document retrieval for lawyers called Lighthouse eDiscovery. While he says industry discussion is dominated by talk of BYOD discovery, he said gadget seizure has not become common — yet.

"We see mobile devices infrequently. We only had one come in last month," Dahl said. "It's typically pretty rare where the company can't get the same information from another location. Companies will have to disclose that the information is on that second location (the smartphone) but typically don't have to dig into that second place."  

Red Tape wrestling tips
Workers wary of having their personal phone nabbed can carry two phones – one personal and one for work – but even that’s not fool-proof. An occasional connection from the personal phone to work email can make the phone subject to discovery. Going this route requires diligent work and personal separation.

"The No. 1 thing you can do to ensure your device is not subject to seizure is to remove any sort of company account ... and then inform the company it's been removed," said Sreenivas.

Dahl warned about accidental blending of personal and work data through a seemingly innocent USB charge connection that leads to accidental synching of data. 

There may be a technology solution to this problem in the future. The newest Blackberry phone claims to create a work data-personal data divide, which has the potential to limit the searches that might be conducted by company lawyers

Follow Bob Sullivan on Facebook or Twitter.

Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.

Not for long. 

Criminals have been probing the systems that protect U.S. smartphone users for years, searching for the right combination of programming tricks and social engineering that would allow them to sneak onto users' phones. Recently, one hacker group hit the jackpot.

They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list.  Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

Tim Strazzere, Lookout’s lead research and response engineer, said the sudden "staggering increase" in detection of the of the NotCompatible, which initially appeared one year ago, shows that the marriage of spam and mobile malware might be a recipe for real trouble.

"This Android malware is unique," he said. "It's exactly the same scheme and end game as before, but it's just being circulated through different means. And it's working."

U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either.  That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.

Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

But Strazzere warns that the criminals behind NotCompatible have found a way to make U.S. users almost as vulnerable as those in Asia – a direct email invitation from a friend to install what turns out to be a bogus app.

Those who might dismiss this scenario should beware: Last month, when a report by Mandiant Corp. alleged that hundreds of U.S. companies had been hacked by an arm of the Chinese military, the initial method of attack was almost the same -- a "spear-phishing" email that appears to come from a co-worker or friend, sent to entice the recipient into clicking on a virus-laden link.

Smartphone users might fear that a criminal with access to their devices might destroy all their data, "brick" the phone or prank call all their contacts. But the real nightmare from a hacked phone is much more subtle, and can be much more expensive, than having to replace a phone.

Vikram Thakur, a researcher at Symantec Corp., studied one mobile phone hacker who turned compromised devices into an estimated $1 million annually.

“We found a mobile phone botnet, which had … maybe 200,000 cellphones which were compromised and in control of just this one person," he said. "(He) was able to send text messages, make these phones view videos, which were in turn giving him money; and he was doing so about 25,000 times a day."

Cellphone hackers don't do anything to call attention to themselves. Instead, their programs are designed to run in complete silence, in the background.  And they cover their tracks. There's no log of calls placed to dicey overseas numbers, no evidence of text messages sent that can run up a monthly bill.

“Your phone bill might have extra data usage toward the end of the month,” Strazzere said.  "That might be the only way you'd know."

Hackers around the world have clearly trained their attention on the fertile ground of phone hacking. Kaspersky Labs, another security firm, says there has been "explosive growth," and offers numbers to back that up. In January 2011, it counted only eight new malicious mobile malware programs. At the end of 2012, it counted 6,300 such programs monthly.

Nearly all of that activity has until now targeted overseas users, sometimes with devastating results. A program aptly named "BillShocker" by researchers infected 620,000 users earlier this year, mostly in China, and ran up hefty bills through premium text message services.

Mobile malware writers are also developing hybrid threats designed to counterattack online banking security systems.  In one sophisticated attack, criminals hacked both a victim's computer and cellphone, then lurked until an online banking transaction was initiated on the PC. When the bank sent a so-called "out of band" text message as a security confirmation, the criminals intercepted them and approved the transactions. A malicious program named Eurograbber is blamed for stealing $47 million from 30,000 bank accounts this way, according to a report by security firm F-Secure.

Those victims were in Europe, but now there are other indications that mobile hackers are circling the waters, aggressively looking for more ways into the U.S. market.  

Computer security expert Brian Krebs reported earlier this month on his blog that criminals are selling authorized Google Play developer accounts on underground bulletin boards.  A developer account would theoretically give a criminal the ability to post rogue software onto the Google Play store.

NotCompatible is a little less ambitious. Its main goal is to control a smartphone and turn it into a "proxy" device for overseas criminals, so they could pretend they were ordering expensive merchandise from within the U.S.  Because many online sellers use geographic location to filter out fraud, and many trust cellphone location information, a hacked phone can be a perfect tool for foiling fraud-fighting software.

"Companies block transactions when someone in Romania is trying to buy concert tickets in the U.S., for example," said Strazzere.  "NotCompatible allows them to hide where they are coming from ... gives them a little more mobility based on where they want to come from. With a hacked cell phone, they will look like they are where the endpoint is."

Strazzere sees the blended threat – part virus, part spam – as ushering a new style of cellphone attacks, just as such blended threats gave hackers the upper hand in the personal computer world during the last decade.

“This shows the progression of malware authors and what they are doing to experiment,” he said.  It also shows impressive coordination in attacks. “It’s still a new space for them. But they are figuring things out.”

Follow Bob Sullivan on Facebook or Twitter

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

Twitter.com

Twitter.com

UPDATED, Aug. 6, 12:18 p.m. ET --  

The Reuters news service suffered a second successful hacker attack this weekend, just 48 hours after a computer intruder was able to post fake news stories on its web site.  In Sunday's attack, a small Reuters Twitter feed -- @ReutersTech , with 17,000 followers -- was briefly controlled by hackers.

"Earlier today @ReutersTech was hacked and changed to @ReutersME," Reuters announced on its Twitter feed Sunday. "The account has been suspended and is currently under investigation."

An archive of posts made to the @ReutersMe account, viewable Monday on Topsy.com, show 22 rapid-fire Tweets were published on Sunday; some clearly contained pro-Syrian government messages, such as: "FSA commander Riyad Al Asaad states a tactical withdrawal from Aleppo imminent."

Others didn't discuss the Syrian conflict, such as this: "Obama signs executive order banning any further investigation of 9/11. "

The Twitter hack comes after Reuters said Friday that its blog platform was hacked and that a fake news story regarding the conflict in Syria had been posted.

A spokesperson for Reuters confirmed the attack to NBC News.

"A false blog posting, purporting to carry an interview with the head of the Free Syrian Army Riad al-Asaad ... was illegally posted on a Reuters journalist's blog page," said a post on the Reuters Twitter feed, which is followed by nearly 2 million people. "Reuters did not carry out such an interview and the posting has been deleted."

It wasn't clear if any Reuters subscribers picked up the story and ran it in their publications; Reuters refused to answer additional questions about the incident. But the fake post was on the site for roughly 6 hours, according to the time stamp on a Reuters web page where one of the posts was initially published.  

Initial word of the hack came via the Reuters Twitter feed just after 1 p.m. ET on Friday.

“Reuters.com was a target of a hack on Friday. Our blogging platform was compromised," the Twitter feed said. "…And fabricated blog posts were falsely attributed to several Reuters journalists. We are working to address the problem."

News services have long been an attractive target for hackers looking to get attention, dating back the early days of the Internet, when a denial of service attack made many major news sites unavailable for several days; other attacks have rendered sites unavailable for brief periods as a form protest. But attention-getting hacks have always been little more than pranks. The real danger of a news site attack comes from a quiet hack that potentially  spreads falsehoods under what appears to be the banner of an unbiased news service.

It's been a busy 24 hours for hackers targeting major media with fake news: Computer intruders managed to post a false story on the New York Yankees Facebook page Thursday and on several other teams' pages.

* Follow Bob Sullivan on Facebook.
* Follow Bob Sullivan on Twitter.

Members of the hacking group Anonymous say they've managed to infiltrate an Iranian government mail server and copy more than 10,000 internal emails and a series of images.

"The documents are from Iranian Ministry of Foreign Affairs' mail server which we took control over," said a member of the group who called himself Arash. He said he was the founder of Anonymous' effort to hack Iranian government computers, which began in 2009 after Iran's disputed presidential election and corresponding government efforts to suppress Internet freedom.

The documents, now freely available on Web sites, involve applications by foreigners for visas to enter the country. They are mostly mundane — applicants complaining about red tape, for example — though Arash said some of the disclosed items are potentially newsworthy.

"I saw some that were interesting, like a peace (organization) begging for a visa for its members to join a conference," he said.

The main goal of the ongoing attack, however, is to embarrass the current government, said Arash, who identified himself as an Iranian now living outside the country and requested anonymity.

"We organized this to damage (the) Islamic regime's cyber image near the election's anniversary," he said to msnbc.com in an email. "(The) documents prove that while (the) Islamic regime keeps investing in its cyber army and expensive hardware for filtering and analyzing the Iranian people's traffic, they can’t secure their most important mail servers."

Anonymous is a loosely connected group of hackers who have taken on celebrated causes, notably taking sides in the WikiLeaks controversy earlier this year when it launched denial-of-service attacks against companies like Visa and MasterCard for disrupting donations to Bradley Manning, the accused document leaker at the center of the controversy. 

But Anonymous takes on many causes; it announced stepped-up efforts to attack Iran in February when the government there announced it had created a new cyber police unit.  The announcement video was detailed on msnbc.com.

Follow Bob Sullivan on Facebook by clicking here. 

Comments begin below. Comment anonymously by sending an e-mail to BobSullivan@feedback.msnbc.com