http://www.forbes.com/security/2007/06/19/iphone-security-risk-tech-security-cx_ag_0619iphonesecurity.html

By Andy Greenberg
06.19.07

With its science fiction features and high-end price tag, Apple's iPhone may be the ultimate executive toy. All the uber-gadget lacks, according to some security professionals, is executive-level security. And that, they worry, makes the iPhone a hacker's playground.

"It seems Apple is releasing a device with no thought to enterprise security," says Andrew Storms, director of operations of the computer security firm nCircle. "It's going to be entering enterprise networks whether we like it or not, and it's a nightmare for security teams."

Storms, like most everyone else anticipating the iPhone launch, admits that his worries are largely limited to speculation; Apple (nasdaq: AAPL) did not return calls requesting information about security concerns. But given what the company has already said with regard to the super-smart phone, he and other security researchers predict a litany of shortcomings that may allow hackers to pilfer private data stored on or sent from iPhones.

The iPhone is capable of many of the same smart phone applications as business devices like Research In Motion's (nasdaq: RIMM) BlackBerries. But unlike BlackBerries, Storms says, iPhones are unlikely to have a remote "lock and wipe" function that erases the device's data in the event that it's lost. The phone will use an operating system and a Web browser that have already been available in some form for years, so hackers will have a head start in finding entry points to exploit even before the phone is released. And the iPhone's "closed" operating system makes it impossible to install protection software from security companies like McAfee (nyse: MFE) or Symantec (nasdaq: SYMC).
Paradoxically, that closed system was partly intended to make the iPhone more secure, preventing cybercriminals from writing malicious code onto the device. But Rob Enderle, a security consultant who heads the Enderle Group, thinks Apple's lockdown strategy will backfire. "Apple's not going to make it easy to write on this thing," he says. "But making it easy and making it impossible are two different things."

In fact, David Maynor, another security researcher with Errata Security, writes in his blog that he's already discovered a bug in the new version of Safari browser that will be used on the iPhone. He says that backdoor can be exploited to hijack the iPhone with hidden software, just as hackers have corralled millions of unwitting PCs with malware that sends spam, attacks Web sites or steals bank codes.

Given that the Mac OS and the version of Safari to be used on the iPhone are already available for experimentation, Maynor guesses that he won't be the only one poking at the iPhone's weaknesses. "The more things a device does, the more vectors an attacker can use," he says. "With the iPhone, the initial barrier to finding vulnerabilities has been overcome because the browser has already been out there."

Maynor's criticisms go on: He predicts that data sent from the iPhone, like text messages sent from most consumer-oriented cellphones, won't be encrypted to the same degree as data sent from business-level devices like RIM's BlackBerry. RIM also allows businesses to lock or delete data remotely from lost devices. Like Andrew Storms, Maynor says he's "95% certain" that the iPhone won't share that remote data protection feature. "These abilities just aren't built in to consumer phones, and that's what the iPhone was created to be," he says.

But Rob Enderle thinks those vulnerabilities won't stop business executives from putting corporate data on their iPhones. "It's very trendy and very attractive, an obvious executive gadget," he says.
"We've seen executives getting this sort of gadget before and then trying to put business e-mail on it. That's a real security exposure."

According to Scott Weiss, the CEO of e-mail and Web security firm Ironport, the risk of exploits targeting iPhones depends on how much market share the phones can achieve; cybercriminals typically point their weapons at whatever machines can be found in the greatest volume, a tendency that has largely shielded Apple products, particularly its Mac line, in the past.

But the iPhone may hold a special allure for ambitious hackers trying to gain notoriety. David Maynor, for one, is looking forward to trying out his own signature iPhone crack. "I can't wait for one," he says. "I'm going to be in line on June 29, cash in hand."