You can't hold back the floodgates forever, but don't let anyone bully you into letting untested devices and software onto your network.You have to give it to Apple. At least they're trying, in their inexperienced
way, to make the iPhone acceptable to enterprises. They even have a web page about it.
The really bare-bones necessities may be there already: A mail client that
can talk to Exchange Server, VPN support, some
Oracle support. Perhaps most importantly, the addition of Microsoft ActiveSync provides the ability to remotely wipe the device using the Exchange Management Console. This is supposed to wipe all data on the device: "Doing so quickly removes all data and configuration information from the device, then the device is securely erased and restored to original, factory settings." This can be handy for the not-uncommon lost device. [Note: This column originally, mistakenly said that there was no remote wipe capability. Sorry.]
And as silly as it seems for an Apple device or, for that matter, for a
mobile device, I want to see some sort of client-level security program. Yes,
anti-malware, IPS, all of that. Now that corporate e-mail is a serious
possibility for the iPhone I see trouble on the way.
We often see new, obscure vulnerabilities exposed when Microsoft reveals that
"limited, targeted attacks" have been committed with it, and that an exploit is
not generally in the wild. The iPhone is a great target for such attacks. The
iPhone and MacOS on which the software is based have a rich recent history of
vulnerabilities, and Apple usually takes their good time fixing them. Security
against it will likely to come only at the level of the Exchange Server
anti-malware. A targeted attack against, for example, the iPhone Mail program,
would therefore have high value. Rest assured that lots of qualified people are
working on such attacks now.
The iPhone is uniquely vulnerable to many kinds of attacks to which other
mobile devices aren't. First, Blackberrys aren't treated as general-purpose
computing devices the way that iPhones are. Second, it's not just the mail, it's
the browser. For now it seems iPhone users are stuck with Safari, which also has
a rich recent history of vulnerabilities. A targeted attack would work very well
that way, by e-mailing the victim a URL rather than a binary of some kind. They
click the link, completely outside the protection of the corporate network, and
a Safari vulnerability gets them.
How long do these iPhone vulnerabilities sit around unpatched? The bunch patched just a few days ago
were generally about 3 months old. Several of them were drive-by installer
attacks on Safari ("Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution").
Once an attacker has exploited a vulnerability it shouldn't be too much
trouble for them to install other programs. The iPhone Dev Team
has already "jailbroke" the iPhone 2.0 OS, so that barrier doesn't seem too
formidable.
There is a middle ground between banning iPhones and letting them in without
adult supervision. In a
story we ran about a month ago some of you claimed that you don't allow much
network access even for more secured devices. If you just allow e-mail support
and not allow any protocols you are still somewhat exposed, as are any documents
on users' phones, but it could be worse.
But I'm a hardcore fascist when it comes to equipment on the network. No
company that's serious about security lets new devices on the network without
proper vetting by IT, no matter what some Executive VP wants. A lot of companies
have been bending under the pressure for the iPod for the last few months, and
it may get worse now that Exchange support is there. The iPhone may get to the
point of being secure enough, but for now there's still the potential for real
trouble.
Security Center Editor Larry Seltzer has worked
in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack
