From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jun 20 2007 - 00:11:38 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.forbes.com/security/2007/06/19/iphone-security-risk-tech-security-cx_ag_0619iphonesecurity.html

By Andy Greenberg
06.19.07

With its science fiction features and high-end price tag, Apple's iPhone
may be the ultimate executive toy. All the uber-gadget lacks, according
to some security professionals, is executive-level security. And that,
they worry, makes the iPhone a hacker's playground.

"It seems Apple is releasing a device with no thought to enterprise
security," says Andrew Storms, director of operations of the computer
security firm nCircle. "It's going to be entering enterprise networks
whether we like it or not, and it's a nightmare for security teams."

Storms, like most everyone else anticipating the iPhone launch, admits
that his worries are largely limited to speculation; Apple (nasdaq: AAPL
- news - people) did not return calls requesting information about
security concerns. But given what the company has already said with
regard to the super-smart phone, he and other security researchers
predict a litany of shortcomings that may allow hackers to pilfer
private data stored on or sent from iPhones.

The iPhone is capable of many of the same smart phone applications as
business devices like Research In Motion's (nasdaq: RIMM - news - people)
BlackBerries. But unlike BlackBerries, Storms says, iPhones are unlikely
to have a remote "lock and wipe" function that erases the device's data
in the event that it's lost.

The phone will use an operating system and a Web browser that have
already been available in some form for years, so hackers will have a
head start in finding entry points to exploit even before the phone is
released. And the iPhone's "closed" operating system makes it impossible
to install protection software from security companies like McAfee
(nyse: MFE - news - people) or Symantec (nasdaq: SYMC - news - people).

Paradoxically, that closed system was partly intended to make the iPhone
more secure, preventing cybercriminals from writing malicious code onto
the device. But Rob Enderle, a security consultant who heads the Enderle
Group, thinks Apple's lockdown strategy will backfire.

"Apples not going to make it easy to write on this thing," he says. "But
making it easy and making it impossible are two different things."

In fact, David Maynor, another security researcher with Errata Security,
writes in his blog that he's already discovered a bug in the new version
of Safari browser that will be used on the iPhone. He says that backdoor
can be exploited to hijack the iPhone with hidden software, just as
hackers have corralled millions of unwitting PCs with malware that sends
spam, attacks Web sites or steals bank codes. Given that the Mac OS and
the version of Safari to be used on the iPhone are already available for
experimentation, Maynor guesses that he won't be the only one poking at
the iPhone's weaknesses.

"The more things a device does, the more vectors an attacker can use,"
he says. "With the iPhone, the initial barrier to finding
vulnerabilities has been overcome because the browser has already been
out there."

Maynor's criticisms go on: He predicts that data sent from the iPhone,
like text messages sent from most consumer-oriented cellphones, won't be
encrypted to the same degree as data sent from business-level devices
like RIM's Blackberry. RIM also allows businesses to lock or delete data
remotely from lost devices. Like Andrew Storms, Maynor says he's "95%
certain" that the iPhone won't share that remote data protection
feature.

"These abilities just aren't built in to consumer phones, and that's
what the iPhone was created to be," he says.

But Rob Enderle thinks those vulnerabilities won't stop business
executives from putting corporate data on their iPhones. "Its very
trendy and very attractive, an obvious executive gadget," he says. "Weve
seen executives getting this sort of gadget before and then trying to
put business e-mail on it. Thats a real security exposure."

According to Scott Weiss, the CEO of e-mail and Web security firm
Ironport, the risk of exploits targeting iPhones depends on how much
market share the phones can achieve; Cybercriminals typically point
their weapons at whatever machines can be found in the greatest volume,
a tendency that has largely shielded Apple products, particularly its
Mac line, in the past.

But the iPhone may hold a special allure for ambitious hackers trying to
gain notoriety. David Maynor, for one, is looking forward to trying out
his own signature iPhone crack.

"I cant wait for one," he says. "Im going to be in line on June 29, cash
in hand."

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]