|
|
|
The iPhones Are Coming! The iPhones Are Coming!
By: Larry Seltzer
2008-07-13
Article Rating:  / 21
There are 5 user comments on this Network Security & Hardware story.
You can't hold back the floodgates forever, but don't let anyone bully you into letting untested devices and software onto your network.You have to give it to Apple. At least they're trying, in their inexperienced
way, to make the iPhone acceptable to enterprises. They even have a web page about it.
The really bare-bones necessities may be there already: A mail client that
can talk to Exchange Server, VPN support, some
Oracle support. Perhaps most importantly, the addition of Microsoft ActiveSync provides the ability to remotely wipe the device using the Exchange Management Console. This is supposed to wipe all data on the device: "Doing so quickly removes all data and configuration information from the device, then the device is securely erased and restored to original, factory settings." This can be handy for the not-uncommon lost device. [Note: This column originally, mistakenly said that there was no remote wipe capability. Sorry.]
And as silly as it seems for an Apple device or, for that matter, for a
mobile device, I want to see some sort of client-level security program. Yes,
anti-malware, IPS, all of that. Now that corporate e-mail is a serious
possibility for the iPhone I see trouble on the way.
We often see new, obscure vulnerabilities exposed when Microsoft reveals that
"limited, targeted attacks" have been committed with it, and that an exploit is
not generally in the wild. The iPhone is a great target for such attacks. The
iPhone and MacOS on which the software is based have a rich recent history of
vulnerabilities, and Apple usually takes their good time fixing them. Security
against it will likely to come only at the level of the Exchange Server
anti-malware. A targeted attack against, for example, the iPhone Mail program,
would therefore have high value. Rest assured that lots of qualified people are
working on such attacks now.
The iPhone is uniquely vulnerable to many kinds of attacks to which other
mobile devices aren't. First, Blackberrys aren't treated as general-purpose
computing devices the way that iPhones are. Second, it's not just the mail, it's
the browser. For now it seems iPhone users are stuck with Safari, which also has
a rich recent history of vulnerabilities. A targeted attack would work very well
that way, by e-mailing the victim a URL rather than a binary of some kind. They
click the link, completely outside the protection of the corporate network, and
a Safari vulnerability gets them.
How long do these iPhone vulnerabilities sit around unpatched? The bunch patched just a few days ago
were generally about 3 months old. Several of them were drive-by installer
attacks on Safari ("Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution").
Once an attacker has exploited a vulnerability it shouldn't be too much
trouble for them to install other programs. The iPhone Dev Team
has already "jailbroke" the iPhone 2.0 OS, so that barrier doesn't seem too
formidable.
There is a middle ground between banning iPhones and letting them in without
adult supervision. In a
story we ran about a month ago some of you claimed that you don't allow much
network access even for more secured devices. If you just allow e-mail support
and not allow any protocols you are still somewhat exposed, as are any documents
on users' phones, but it could be worse.
But I'm a hardcore fascist when it comes to equipment on the network. No
company that's serious about security lets new devices on the network without
proper vetting by IT, no matter what some Executive VP wants. A lot of companies
have been bending under the pressure for the iPod for the last few months, and
it may get worse now that Exchange support is there. The iPhone may get to the
point of being secure enough, but for now there's still the potential for real
trouble.
Security Center Editor Larry Seltzer has worked
in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack
| | Reader Comments: The iPhones Are Coming! The iPhones Are Coming! | | >>> Post your comment now!
| | The software context is essentialiPhone (or any other small device) isn't a solution in the current software thinking. Only the informational individual will create an ideal context... Posted At: 07-16-08
By: Gheorghe Matei | | | | | | Weak!Your article is pretty biased. Which mobile phones support integrated IPS? Last I checked, IPS/IDS is handled in the network with routers running... Posted At: 07-15-08
By: agentSmith | | | | | | No, you're rightYou're right, ActiveSynch supports full remote wipe through the Exchange Management Console. I didn't know this, but I found the docs now.
I'll... Posted At: 07-14-08
By: Larry Seltzer | | | | | | What Are You Wiping?Maybe you can wipe out Exchange (can you really erase the cache?) but what about the rest of the device? Posted At: 07-14-08
By: Larry Seltzer | | | | | | You can wipe an iPhone via Exchange<quote>What still doesn't seem to be there, at least yet, is the kind of security management that Blackberrys and some others have, that allow IT to... Posted At: 07-13-08
By: LenH | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������x}r㶲s\@♵M푦dK�kŶ�K3^3u)��S�IVr�e��oВ/�gq2D
74��Aș3"9)ٝfߧGo-z�I|ݻ@�@e�ZNULrJ�Զn�T7n[#3�P/W�a��W�᳙(,�Q � tjGt0]2h�Դ;k2"gvek/cߨ�Y:`&`1\�lTA!j
�:i�?۴�$�1q@h]
�QQ�MږyH6�Շ�H��*�7�܉x8ѽ/DeO�HQI�M"p8$j�>wn3d�Yg�3
(ƻ�f {iZ�d`
vulYG|ݑ|YCXw:Qt���A3Mu��֟CԿ($fҀ��8�#/�y�y��̧ u"˭�#Uֶg5�^�q3ܙc�g��tZEؘ*�o�z�cn�>Lj�X��=:/�yӝF3l˸;4
PSK}(J��╻o[BUN;ycZ?)eU�e{>̑�GA��n�kp[J�^�Sq>t;'=r:;{'���;Aڼ���o$&�W J�DTRBp$"���Pc@GG$@Bs.oVQ+~ASC T�$0yY>E�4dEU}$vהL-^m^:AF,��SAT4
行Ġ�K`W+�2Zt\4.9�utH}")|vg��5M0\̱8֪V�`CK'^C&JAͼ�94��o�o$�E@;-�u��k+UykA
4�+@_x0N�D5nkcf�I�r(,e��g{j M���H��5Ŧ]`)ehFS{$%/^P%P샖_��2jFՇTwIQ��a#ax̌_��,ʹ��e��c�^IR]E6\a>PY?�vwܬ,�U$*մީ-~4ҢKsQ}j5IsV��ǫ
�#��EHYf7-vI0�ꨦU��,V�𢲯*X8ʍ�??6m!SG�ñA�S&M:gvY0`���;}B�Oi&8!9~��tD�AG66^�zK
tcl���>#ä��p�p|w��͇v93�O�/|�TaR���քZN��=H:}m�`��5$GC-ߟ�L�-�s#09ww��ښ@�<�Q�ݻ�i`y1���y�jS〧!Tgg,z�z��C�
��S��lmVl}``1 �5g�%~J���;r%Fa��A7E�У��$@�!"�-i]N�P@A�r6W?��-��,rr4����|?#!bTLZ���(6ݞ�H:sGn_-KEscMX*QY,�p[/ �Pf%)5{~4�cbB�|#'"�Xr`Y
�\h+|�h)lb
V.hiȨP�s�0�=#WV+%EU} H�&tT̷�P9�=�:3�c�+�UVᏡLXVȃZ�rijXL�lD�1ȁ2n(鿙R&a+\ڨ
N`Ocw
Asm0Hww���Mt��Ng��)نhpcФ0W�2`a���BSB3T�&�x#e\4�6(�V,'`#z)C�ҵ瓩;�Ң{Z^Sv;Xa6OZ-��z+�U}�>cC�LmRM}Bu߲�ӧ㎃WK.hAdX.)�Uq?O~�6��=2eX]2X�rmw٘A�utn\I�ҘN!ȹ���g:,X�f!
c$D�k_(+�
`k�/:OY�ͨ�l+Jc�\�SК.�X6[Po=>>ȦTQ݀*��RN�](Xk±�&>,<<+���h0ԁ 0�~"]����l9��H3}�"T0�|,UT�ˈ`m�S@@k�SU�
Փ.E^~v�V�%Ŵ�谢��Ԙy}R�ː
0gxyd��.>�3IR-���ʪZ��J:�_V�2�+}zMMg�>snA�.μ���+�'�3E�<&�%-p�2HU>X�}@�1Sde`S�yt �d*��䪢#?݀��lϟ�#��Џ]��!.��Ծ1�X�� A�7+(SӞ̥jXX%�RO�.x�zGc�M ���9\P˶�)SL
@(8:y>-.)�(W`
>�N-�2Ǩi
01j-�dpMU*Ղʾ_ڳv+^�t
n�)5#c��#2�pg��rh)hMf5�58};N`է[��
kfh�+,s��Jb+�ͤV(EcZUz|ylFIhMgyU)HW�}ˀ�ey�MxS�3�8W��atx/@V(8У4�H\s�Y@1&�
/��j�>ˣ�"CW5�o�ƗɈBÜO"K�>�AM:w%�* <�WKU05���.`�9z{Gq3ZvLzWOASB�9!^%L�)ɹ%w��B֮�N�Zo40p�2ZΕ�@k,aڝ�NC7E$�9`ܘ��GpXH[}'gЍoe?F8oaS))r�*H+ů �3ˁ;�_g.7&QX�x}GRUO4iģT1C
y
$v=.E�Ћv}c�j&lئOl�[e7M�3*P�7n-�˕2~/ėt;g+~/ZR1^RdF!=�qpqңU8*DYq�|ly\3amF�'���L_=8�0s�)��f@ t+N,�r�uXKR! }&�>C�eQ6õh�~;+^�+,k�Ě_�f·߅!|J'<ևAPC��{ r
P)'$
�v9:̝�c:A��VBL0BG_�XJI�!)$z'e��M�ဏ�QJh��鳁VKu^c��`|xr�)Lz�B,�4�ê~Ebםca�i;Fx.��w�v��6x�}y�:b1��?ݮneټܱj;操�~;j9vЛ��}NF DucL�A�s�@
{cA��O[uvp߁�
?O.yr�orW&Nk� uTA6,qx\�<[<,�Mw[��1C�rYuE��{ Q�+]F�z��t{D�o�Z7ۨ;�.||,=~!GFzzy}: 9oaJgfnהŞ`6�}Jp?w�Jowҽ{ᧅmE��rt�Z*1$�HH�!HNm
d_"2gNIJn':4��L|d<
,fu��x3tT?,�#zi916g�nP;-�z4ݷP�I.=]bwQ[�]xŞvYiIU�9.r\�-"�nǸZZླྀ�|:W�90.�=y$/A�f} lD.EBa"fFs�ME[oO<|n?�?C4��ȥ�<�曜;a!ϑ$�+Ӡ��5�m&Ƕs{$�;gr0� �$T0p�l|n�wcLRx266�y��)1h4Rol9�lf8�W
��֍N��
�7��V�9e��/�QFD5>�>d
G!g6�r<�&"W@ހmj?�.VKxF]>v=�~Q���ƺ38W�S:2�)<,9fhOmbiZ#�4&�"�x>`N�]�A~?-Mkk���]ÝE6��\�ظL�xXF#Ȃ��pP�A`yL(�*9 ���e�Jis�z�� ?�f[,,:,ʠ�dg.���YMh�4qIt��� h?׆�.H���(*aV�j1ԏ։vR�[��k�ܞI�+qJMl=�+dS&R(%KR$]q"qm�/.+q�=�TnA@%~`MbDd܂kӫ1'`y5\�9�ȖI4&3�F�.Yá#|H�C/!�}�h�ƾ���3 GS�ZQZ�JZs2�L�ݡB8A^ψ��[yGXeS�+0L�x.ax
"�vuy�VmR1=2}
-rI-+ٔ�f��L9��w7 ��`; LwOAT�c|I,$i;?�r<_1&Zˌ3}͟W*I�AGc
���tkRυHn/<7ʋ�7_�,ڎaL_�
`�l�Hǒ.ҥ��`�U!�fhf�o\��!v^/m>+�ӫ'#Gw7$7%I�U�PKMW$]KūU�hE&�rRr �Dڷ/`''<[t+LHnoH��]0ص��.(܀͖.ewH�JǮ7Ž(*}#v�:�X�T-
Zq
!5pC-̖�EH��EX[$K+�Bk�znL֟�↴]|%`�~QNבi[\f~xG)�]5C56gU,PNf^u0�-ܣ@RZ/�7l�� ��_ɼ?��I {-*oH��g}?rŻ�x�16cԅ�E�+��$vɰ
BRT
�۾!6_S���Y:��-mly�o#�s�
&z�$27�|
;wItMC',�Z?̴?}#�¦FzvE
NԒt��mgQKէ#Uk���K-�D����^� �v|�."~vm��C��5�G�A,5�h/Ҥ�7[''�O�'�K|"7�z}z_ۋJVgsgj'*8\O�� 7��( �}�W�8h?յ0'N| +@�\}g�Uԗ�;5^w_ȟίa^)k%X'�]-�Hh��%"?�^w=p�Z�j�PWSwrskB�*^M~B,/@ �]+5W30
^ z� B�ךB-c,$;695嵙�=m{{�7i�S`�W۰:ư:�/<}: dUoko��t)
۬R2ײ#1=æiL?^�=W7�!4�S�2Ěla+I�錂qnro*
US c2|�Jf688œh`
�n0>1��,'?���Iv�|wouv1��W 8eQO|Ҟ_F³5G�W-N�&/*`�b¬d=IR��I�q.�)Zbp6�]}�r�EcbcJpaFd'ܨ`��^hkT601�8;7�~��k{ʞVS�,
xѪ߸֊�[N�iΞCG0Ǘ��3XxQB�n�
�:�[]h?1G{US*Z�B-�V
>鲛@=(Ur3�=��;��Փ>-,Qk�u$ζ�y1�K%XS#o='
ӝ�Ra
*d1gM(9(Z<<~Q,mRbdӓPE�,�1����-^`η��f鮦�4^:(]{Lc,M����|�Hu#nAG�Z,d2ss]gDnJ<\kJ^Dw9Kq��-g::~9~ȋ:t�1� ʒ2;t�lfm>ڒV�o4Jz�(Ә#�F̯Rσq�>㑍6X@Db?X¯sY_Ō�\>dF+iFwd�]|�B<1Es��b���T�TbЍ�B1˪M;InP}sY?e=`
�'2u/x{~�B
{=Ll~C�hM,+|U��l|%w[ҹn,%�}��7߄QT11�:{WZ-u6�G���_
�6b^ZGZa!G)}o
M,C+s'
ُp�S8.T"Ba=X@*>Io��H%]�`���Bcw�[,>�>#�Yk]u*4>wg(-$=7�:�}GD�w]09a�4b��aP�� (�]A&.!�Y� Os.cbF!V�Z�؟
ܰJ7�75t$rkqCL9҄]&1j럯.ʾRE�1�h0�*pgj9dU�K$L
2�@�:
x�E
��{W.nrj5�-i`IkB���\A~�cs=�C�z6")(ĴC1C�LD:5,�EwgGw� �kD�E��fC`l��Uoݐ%P`�qT|8s�=J<
|ޗ�`F)_�(x<�(`�E���7�@O��,�,(Ϗ�B5# �v7U�I�u�~�g6&�`�6u}``EP00��a�?�OAn2?Mkt2& ��X�5KޝR.ɖàZEQt#ߛ�螿�3,ȏ]�Klݜ�(�8�&�j9I�t!C�K/H�zNsT�~�`]?�[/�k�`����3�W�VjE)OBӾR:C�KDU8|.OjrY,f/c�/�]iB�R.
��?$-G쌆=xɾxU�u0 }a3Bƺs�1Wo\^}&'+ 'W�~<�_/{�9ju@�oė[u|ܹ|Ҿh]^/z&hT/晾xQ(Xt�%E�ũ6uF\�«XerxgixɎ>+bzh,.6qN|;{�Sf�}Y
Q��J/ib��?fz��Uղ�p
ڽ�xq3�//֔�fyS�M�-G��*�5]V0.8���Snu#V�n�,g(9�(
FFy�;�HMAQ~�O�?'����v~^_nfF9?ϴ/2ʡf�Y�|v9g�g�g�ss�yρ>3�<>G/2 ?eBiF?��P~Q�{1�?��s�w1�'�?��ɐ/@��q _f�sA?]�7c]�7c=^� \_�c�}}OY0O��k(*�Πkh:k�K:ICP%.N�p2KQ� /ޯ�?e�$|�3YY�zvAeX^f\��2sܿw2~62A/;BX\jzr+g^&e5�v+iAư[/�^a/
��^敽Ie�= x�E�W4<< X1rnmŚ/J�Yy8�*
t!=}}S9�|.y��|e8�Nt7�1W }^fҖ1��6?�&v��d{r��Uts�n]�y��s%�|
SG0��75iqq[~|^j{��$�qA��z[hW�J�n�AmWg4j`.�gƇ�{&�dIP4US
!PiWEjn2h�s)ʼnS�
;wEm=S�O_
NW镆�.`
�;#}ö0Fr@*�5VZ*;�"���#G1�Q5YUdJ.'�jeeT�L��3DA�zg�
�l]{J�̾ZCO�3CX)ḃ}̺l5�G P��1�=:�lǬ|*�ۼx�0l{|y�N
ڎy�@���7��J�,�w��;��ŨـD@S?Ɲ}g=ݙ�]Q�='ݹ�fSH�!L�&dOʗ�[l,��)1 {��;sH6Կ�sg���
C�{1L9ꃧrS��Y`�_GBb� #+�i�͙*q8w�dX.*K�Y�)��>[�Z%uL
k!�'
Z2W/Ig�9Ui>��R0;ޞ"1@
Y�)n㠃Ռ]#|F WMPL\,"���7ϒeքzLT zZ���v,0%^z'Oޒ{ƾ(� ;C����Am{';*lٹs˜0L1Д8ڶ2COA=t
O+�e[b ��O"O�C�24A��nخ;O�q^G��3>Ƌ�rx{Ko�NiSsD%:Ɛ�9-���)0�p,\f�tG��6�A�|�eK��x7K�(N~ERb0%�yM&ni�~���0qGĦ2C|R4Mepv��Rc���dLwKENa���
p�#Q�!*m^�x�9��N@xmҕhWɬn�Qt6-�%/#�^DC`Wp�ۂ{�Xi[��e�RpCV)�tO˞}ꋰ��BVx3AE�k,^��rX�ѽ$'Ps�hՆG���0ޏq7�P�l@��xS
bz
��G�m;q�r2M�9���QmS--]?X71Ȟ|uu
۲|ږa=t�k��s�`CΜ6�U �
�=[=�܋;}C\��:1F`7Y=͓
lI12��,W2"k.-wv�ua4,Lb9��"[^QI�(`�жX�3�|,@a)5BO7�Qo��O80�Ux|�-h\l�}[ݘ_e9LgѼ�93E~2㡺_0�U9um�jW6x�ozc|>[zD,5b;tP�9ɓ a�0�+�>�c-�詸�&tصa=dS1�7@j0\|H
d[\K^مt&�v3�k�)/�YH~>��� �r*r*]x�WI"cXM?�#:T+ �s+��Sq�|}>k-]z,sѓN��<|;�X�ix0~
�.3J�bQ'.n?�V��w:W1X�غqK�?|hJaE�yiNђ�u:WV��H]6ŇdEg�
6A|>Ðy6�=x�L�
2kV*w�VVtƦ�I21qz�.yaT(~r�)�U:M\"G�Zi/%!zRM��9Q��2kF�s+&|Ʒ�R2ұeRZ`l/Zw�~R�-��
|
Network Security & Hardware 
