The iPhones Are Coming! The iPhones Are Coming!

By Larry Seltzer  |  Posted 2008-07-13 Print this article Print

You can't hold back the floodgates forever, but don't let anyone bully you into letting untested devices and software onto your network.

You have to give it to Apple. At least they're trying, in their inexperienced way, to make the iPhone acceptable to enterprises. They even have a web page about it.

The really bare-bones necessities may be there already: A mail client that can talk to Exchange Server, VPN support, some Oracle support. Perhaps most importantly, the addition of Microsoft ActiveSync provides the ability to remotely wipe the device using the Exchange Management Console. This is supposed to wipe all data on the device: "Doing so quickly removes all data and configuration information from the device, then the device is securely erased and restored to original, factory settings." This can be handy for the not-uncommon lost device. [Note: This column originally, mistakenly said that there was no remote wipe capability. Sorry.]

And as silly as it seems for an Apple device or, for that matter, for a mobile device, I want to see some sort of client-level security program. Yes, anti-malware, IPS, all of that. Now that corporate e-mail is a serious possibility for the iPhone I see trouble on the way.

We often see new, obscure vulnerabilities exposed when Microsoft reveals that "limited, targeted attacks" have been committed with it, and that an exploit is not generally in the wild. The iPhone is a great target for such attacks. The iPhone and MacOS on which the software is based have a rich recent history of vulnerabilities, and Apple usually takes their good time fixing them. Security against it will likely to come only at the level of the Exchange Server anti-malware. A targeted attack against, for example, the iPhone Mail program, would therefore have high value. Rest assured that lots of qualified people are working on such attacks now.

The iPhone is uniquely vulnerable to many kinds of attacks to which other mobile devices aren't. First, Blackberrys aren't treated as general-purpose computing devices the way that iPhones are. Second, it's not just the mail, it's the browser. For now it seems iPhone users are stuck with Safari, which also has a rich recent history of vulnerabilities. A targeted attack would work very well that way, by e-mailing the victim a URL rather than a binary of some kind. They click the link, completely outside the protection of the corporate network, and a Safari vulnerability gets them.

How long do these iPhone vulnerabilities sit around unpatched? The bunch patched just a few days ago were generally about 3 months old. Several of them were drive-by installer attacks on Safari ("Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution").

Once an attacker has exploited a vulnerability it shouldn't be too much trouble for them to install other programs. The iPhone Dev Team has already "jailbroke" the iPhone 2.0 OS, so that barrier doesn't seem too formidable.

There is a middle ground between banning iPhones and letting them in without adult supervision. In a story we ran about a month ago some of you claimed that you don't allow much network access even for more secured devices. If you just allow e-mail support and not allow any protocols you are still somewhat exposed, as are any documents on users' phones, but it could be worse.

But I'm a hardcore fascist when it comes to equipment on the network. No company that's serious about security lets new devices on the network without proper vetting by IT, no matter what some Executive VP wants. A lot of companies have been bending under the pressure for the iPod for the last few months, and it may get worse now that Exchange support is there. The iPhone may get to the point of being secure enough, but for now there's still the potential for real trouble.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel