Is The iPhone Insecure?

[InfoSec News <alerts () infosecnews org>]

http://www.forbes.com/security/2007/06/19/iphone-security-risk-tech-security-cx_ag_0619iphonesecurity.html

By Andy Greenberg 
06.19.07

With its science fiction features and high-end price tag, Apple's iPhone 
may be the ultimate executive toy. All the uber-gadget lacks, according 
to some security professionals, is executive-level security. And that, 
they worry, makes the iPhone a hacker's playground.

"It seems Apple is releasing a device with no thought to enterprise 
security," says Andrew Storms, director of operations of the computer 
security firm nCircle. "It's going to be entering enterprise networks 
whether we like it or not, and it's a nightmare for security teams."

Storms, like most everyone else anticipating the iPhone launch, admits 
that his worries are largely limited to speculation; Apple (nasdaq: AAPL
- news - people) did not return calls requesting information about 
security concerns. But given what the company has already said with 
regard to the super-smart phone, he and other security researchers 
predict a litany of shortcomings that may allow hackers to pilfer 
private data stored on or sent from iPhones.

The iPhone is capable of many of the same smart phone applications as 
business devices like Research In Motion's (nasdaq: RIMM - news - people) 
BlackBerries. But unlike BlackBerries, Storms says, iPhones are unlikely 
to have a remote "lock and wipe" function that erases the device's data 
in the event that it's lost.

The phone will use an operating system and a Web browser that have 
already been available in some form for years, so hackers will have a 
head start in finding entry points to exploit even before the phone is 
released. And the iPhone's "closed" operating system makes it impossible 
to install protection software from security companies like McAfee 
(nyse: MFE - news - people) or Symantec (nasdaq: SYMC - news - people).

Paradoxically, that closed system was partly intended to make the iPhone 
more secure, preventing cybercriminals from writing malicious code onto 
the device. But Rob Enderle, a security consultant who heads the Enderle 
Group, thinks Apple's lockdown strategy will backfire.

"Apples not going to make it easy to write on this thing," he says. "But 
making it easy and making it impossible are two different things."

In fact, David Maynor, another security researcher with Errata Security, 
writes in his blog that he's already discovered a bug in the new version 
of Safari browser that will be used on the iPhone. He says that backdoor 
can be exploited to hijack the iPhone with hidden software, just as 
hackers have corralled millions of unwitting PCs with malware that sends 
spam, attacks Web sites or steals bank codes. Given that the Mac OS and 
the version of Safari to be used on the iPhone are already available for 
experimentation, Maynor guesses that he won't be the only one poking at 
the iPhone's weaknesses.

"The more things a device does, the more vectors an attacker can use," 
he says. "With the iPhone, the initial barrier to finding 
vulnerabilities has been overcome because the browser has already been 
out there."

Maynor's criticisms go on: He predicts that data sent from the iPhone, 
like text messages sent from most consumer-oriented cellphones, won't be 
encrypted to the same degree as data sent from business-level devices 
like RIM's Blackberry. RIM also allows businesses to lock or delete data 
remotely from lost devices. Like Andrew Storms, Maynor says he's "95% 
certain" that the iPhone won't share that remote data protection 
feature.

"These abilities just aren't built in to consumer phones, and that's 
what the iPhone was created to be," he says.

But Rob Enderle thinks those vulnerabilities won't stop business 
executives from putting corporate data on their iPhones. "Its very 
trendy and very attractive, an obvious executive gadget," he says. "Weve 
seen executives getting this sort of gadget before and then trying to 
put business e-mail on it. Thats a real security exposure."

According to Scott Weiss, the CEO of e-mail and Web security firm 
Ironport, the risk of exploits targeting iPhones depends on how much 
market share the phones can achieve; Cybercriminals typically point 
their weapons at whatever machines can be found in the greatest volume, 
a tendency that has largely shielded Apple products, particularly its 
Mac line, in the past.

But the iPhone may hold a special allure for ambitious hackers trying to 
gain notoriety. David Maynor, for one, is looking forward to trying out 
his own signature iPhone crack.

"I cant wait for one," he says. "Im going to be in line on June 29, cash 
in hand."


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com