Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


iPhone Is Coming to Your Network, Ready or Not



 By: Brian Prince
2007-07-26
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Analysts said that despite iPhone's security issues, early-adopter employees and status-seeking managers will smuggle the device into enterprises.

iPhone. Whether enterprises are prepared or not, it has arrived.

Less than a month into its release, Apples multimedia, Internet-enabled phone has already received criticism regarding security, highlighted by attempts to unlock the iPhone for networks other than AT&T and a well-publicized exploit crafted by Independent Security Evaluators, Baltimore-based security testers.

It is only natural that IT organizations shiver at the thought of the iPhone endangering their networks, but they will have few options to block its entrance to the enterprise and no recourse but to prepare for it, said Andrew Jaquith, an analyst at Yankee Group.

"Regardless of the bloviating prognostications of analysts, journalists or other talking heads—this one included—early-adopter employees and status-seeking managers will smuggle the iPhone…into enterprises of all sizes," he said.

"Because of the iPhones enterprise suitability—not in spite of it—these employees will place increasing pressure on IT groups to support e-mail, calendaring and intranet application interfaces that work with the iPhone."

Resource Library:
Enterprises can choose to support the iPhone by using open standards for e-mail access, and by configuring their VPN to work with the iPhones VPN client, Jaquith said.

"Not supporting the iPhone is an option too, but frankly in my view the security issues are not that significant," he said. "The iPhone isnt a smart phone—a cut-down PC. Its better to think of it as a grown-up iPod that also allows employees to check e-mail and run Web applications."

Thinking of an iPhone as a grown-up iPod may make some breathe easier. However, Credant Technologies found in a study that even when it comes to iPods, enterprises are not taking the security measures that they should. According to the study, which surveyed 323 business executives from a variety of fields, only 6 percent of all respondents have an encryption tool for data stored on iPods. Forty-six percent said they have a written security policy governing the use of iPods, while 40 percent have done nothing.

Those numbers matter because workers can download data onto their iPods to take outside the office, said Richard Stone, vice president of marketing at Credant, which is now offering file-based encryption technology to address this issue.

"Organizations have got to enforce the security on those devices," he said. "Its actually cheaper to protect data then to lose it."

Gartner analyst Ken Dulaney has been a critic of the iPhones security, and is among the chorus of voices urging enterprises to wait until Apple has improved the iPhones security. Though he agreed that the inability to change native OS files make targeting the iPhone with malware less tempting for hackers, the handsets lack of a SDK (software development kit) means third-party security vendors will not be able to add additional layers of protection, he said.

Click here to read about how researchers cracked the iPhone.

"As you can see from our notes and the many break-ins that have already occurred with this, the only defense comes from Apple," Dulaney said. "Third parties cannot provide enabling technology to more aggressively increase security."

Jaquith said that many of the security worries raised by critics of the iPhone have been exaggerated.

"Lets look at the facts. Internet-capable phones have much smaller attack surfaces than desktops," he said. "Moreover, the iPhone has a much smaller attack surface than the smart phone operating systems it has been often compared with, such as Windows Mobile. The iPhone has no open TCP/IP ports, no removable media, no USB drive functions, no Bluetooth services other than audio, no file system access and no supported native third-party APIs or SDK. If you cant run third-party code on it, you cant run hostile code on it either."

In addition, the iPhones lack of USB drive functions means that it cant be used to smuggle data out of firms, Jaquith said.

"E-mail is encrypted by default," he said. "And because the API for the iPhone is HTML and AJAX, you cant store large quantities of sensitive information on the device—other than cached e-mail. Thats a pretty small attack surface."

Jaquith acknowledged however that there are areas where Apple is going to fall short, such as the Safari exploit discovered by Independent Security Evaluators.

The major security issue for enterprises is determining whether they want to allow the iPhone to access company e-mail and intranet applications, he said. The iPhone is capable of doing both securely, using IMAP-S and SMTL over TLS for mail, and L2TP over IPSec for the VPN, he explained.

However, that too introduces vulnerabilities, wrote Dulaney and fellow Gartner analysts John Girard and John Pescatore in a report earlier this month.

"Because IMAP does not support calendar and contact synchronization, users will be forced to utilize a separate local synchronization to the users PC, a method similar to what the Research In Motion BlackBerry used in v.3.x of its software," the Gartner analysts wrote. "Potential vulnerabilities include VPN tunnel exposure, incompatibility with company mandated-VPN client security tools and unaudited local information exchanges with the users workstation."

The iPhones status as a new product means it deserves more criticism than other products, Dulaney said.

"That said," he added. "It is far less secure than the BlackBerry, doesnt support mainstream security protocols and methods and provides no way for third parties to fix the problems."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: iPhone Is Coming to Your Network, Ready or Not
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ks۸qf89zڎ-9x*-EBCR'['7n7%?2q*D /4Iș3"9)ٝfߧGo-zIû@@eZNULrJԶnT7n[#3P/W?`W᳙(,Q  tjGt0]2hԴ;k2"gvek/cߨY:`&`1\lTA!j :i?۴$1q@h] YQMږyH6ՇHaD߉ecby 1=b Jw"=ZW%uٹi>[]$#t2 +?9V'ZUlxiuHz>5401\]Z-Kj=OqexY$Y.r$!=Ow| nr"GrI/]o${$̛cM|`I`6L2Xc]NR>o4+@_x0Nukfr@̀kfPXX@@N)61p9kM`3R˼IK2_VJ-ɿE7h+dԌө$ɛ!"ˆGn9x|!XsI((GNlO}ٹ!jYY6'*daeIUiS[dhEށ:IxjeOn*WFnZ`3QM}sQc1x+%YEe_U_q-~~l2B cLt ` 0h vz!>PӚMjqOCGs>2胎6ml8-" ,70}HG:QI$+p|w͇v93O/|TaRքZN=H:}m`5$GC-ߟL-s#09wwښ@<Qݻi`y1yjS〧!Tgg,zzC SlmVl}``1 5g%~J;r%FaA7EУ$@!"-i]NP@Ar6W? -,rr4|?#!bTLZ(6ݞH:sGn_-KEscMX*QY,p[/ Pf%)5{~6 cbB|#'"Xr`Y \h+|h)lb 6؛Ţri*|:IoBk8 0suY,$ Xb HS%\EwTM::yAt]9:h3Vh) ./| `0'cSM ݜX,ǖ1&õB3=P˄rT{cөmQ3O>uK\uu@sށn5 ~"W'6`FUMR|#t|9Ꭴm[4@ޗJ|zS.z8 9r!M5kb$`CfO <yBN{r+kF&+)\=PӔ /+b*q (uzS\Oō$ ЊO}=?ٲJd-Yֽ Vv/KT.MB[+ž 2L%kZԕ1%/E$$BY`}.EGQHd - 'm»:>{j A_ܰ킡K*+G&,m+aA%V-iVXjgܰ% 6 9P8)z?VLl9K[ ,֩wN=hzM>=r=K<e@u\|2tgqu;[ZvOZ Îtѐzgk8FUE8@o"=A`N4S в`ouqA̫%ekP0KJAUcϓasMD@ g2,rmw٘AuN֝9 Q)z9Y8p=rɯ‰5j6|*j0FBċCכ0raؼE_z?6k#Xh[!pYb~&L>Bkd&B [;$!UT7:E)'.E5  d1Gxo+<|CPu~"]l9 H3}"T0|,UT `mR@@kRUԓ.E^~vV%$mtX6H ]j+}zMM{N \sC#X- ƌ0;h'0^˒ǖo|Ya_>^Hk )2)<:,7\U4Uud¹`|Y!.Ծ1X=0`7Y6 9\P˶)SL2jDfh>2 G3Dž5y ֟Ԃ!SFMS؇Qcm/ jRٯTҞ5^ ߜmpH1)dQ@4@]ZRk2̯A)n<1תO׌ kfh +RSJb/ 86a!o-";<^6P$4Ϧy3iq3 P5uRRX\U@V_A ұg /3_wj<]~oLƱ4>JiӈG2cFTQHVmZ\4gmoj&l؞MXo1?[t۽v‷N{Q~Z{q Ou>|otH`뇫Nj>o|hy,/LdzNR(!I1>`d˙]=-bo/fta Nza嵀 _9zsq}!}9\h}ђ:'s5B YAV#=gUxq)qm2XC42u\8$Ø=^p@ښҹj8`B0c-I'Bp E0q0f{6xy~ïUk~ $Cd*xAQ5@+JF4˳TrZfp=4z"BtX 1u}E/b)%Q\(둞k4:\58Q1l6w>#FE'F{~i X x4~K0FGgqkfa~:)}Bg-9˝}HҴ( Í7"tSO+2L:&r֚SHZ@ {ABAJ;DXA2傲q?Ic6vY䶡[&L#pAS2%ɩD=)!*ښI$"8J542 eI? Md0㓘PV hɂt/#'59۴<]>uybRpd;RC}8  e!>ဏQJh 鳁VKu^cA0><8Gs`cw H-Э>5?y{h o&<)dzI'伅+n^S{20)}?I+I㆟isP]GvdL'#!I ɫ:7}ʜ9%++s|<03(o9P2QtI J3`̞xqC7bR#8wB?=|] {~ ]ݣPIݣ)~=Ғ(r]ZD ܎q5Q{qI9.xu?,r`\TzH^8؈ڽ] uUF6m>-3hL Z6;w4oor:߇L?G OFx՛R\AIapvvƘ@dll8Rbho-i_j9٦pr0\k9f>n` \Xl2d]ϝʰ$QZAٗw"y:rDNM3{9uHЙ{ OR0;]H(ϲ4:+BU_O">]N)(J5.ݓ?H6֗aZM>n? y;+,$٭?#ID;M }x h?(1ߜS"J? maz\'|n "Zё2anRAx%v=SGup(Ý,a(J~[,K b [; GPZnŎD\DZl4>K&d(΀[,S\)`.Y=f:N:I=(}IOL&5~.n!YuYA ˤBh2Pq <9Ѿ) \;]1]'BEQT(bN[" */͒gU~B,VbLJ^I?yE ^\Vk{ɔ܂LI$u')U j)#4{t՟rM7 ͛/'6yjS!%`@-C_~tVWRro%ᒢF- ~ĶꡠbRez@ )gl/3Ż) e?B%˗R[so#3VQKŲ,RL?&9fP bN EdلXFS2Y<foTm9p'IU%6y-Ng|C &4ѵM.(HdT)R)zBZIx뢩g@R$^ޞ*¦TYx.< x+s$a#,R7T>H{}K#fTVU3(%G<}'*喝ѰnJVǓ Bb$jc׆MNuZ6[PϛwL>vmZ(TIXDy?m%Z:–v1c4&nu=emyM#Vˏ^z6NuORwjtBu JczeJM7Z( Y"aHX{<ïoQ%i*i3|`swgߩ+:u@*e"HOAj8 ѱ }U6%KXsn9TM,9{ה'̣#OjR1%8HD樐E9xgjI9p(?\D|r43''8G$W~7777{Vcyn0VAumR]*ÜN+ C ӾdTɎ~ p\hSsD-{σڐNcw2+-9ۘ,M$bI$$2&}%^毇ОJ`nH  M}0 <>°+ 5.؜4B$'Gz9A@7$upV|Op%Rbpæ'j¥._8@@8Wb< !y}ŋ=S o>rn^bH { 9nWLxͪA ۱\-Ewm‰)`vIxBob5]o2S}d5`KBבǶ0 h"a[famIs8l5ˠ5d!sJJnnnn[/V_[2 S -Xs f̥3;VTC팱zo;'`R,vuW,4M4%mszI뵶[M'bdٺ9Y6`6Q?H.W#5{wNoh!G Tپ\?C)ۗT>vrk3q:V% 㬱>s 1ݚ!W?n9qX u{T@LÈaK4t?{gRs8GYkpC_ "u6%4pTiq(JPL*y|:ïoS2{T*I↿z} ٜffhfwJJE ,̱9ry>D }KTԷ|a',Q":E$W>Z'}v.E &_)k%%Gn]R@C+H(.WFK2~0um)\&.^&"˷ ]+5W3a`}e2E}P!TjMOk?0Z[CɚLHj~6}A˽=V44 mX[`cX#Ejw>*qdyN[-mV)Kjhk;1=iLAtzl/LD&pj֢_fX<+l%"Q0M %CaqX3疁w S$Xz[ "iKKOuztowwv]gp sZ'|O_ /Ym/?DB:\o? ~Eu t᫉P;8!%9pa #ʵmqDYFWYq.b@eV e9Ls'$&JjidG$F&tyϽcDl갺Xm[a0|_V&gB8AXJrXD Ň>z "K&5@FPxAiLz^z1lsq̩Tl/ZNx/WHkcΩ-ZEWWs.}KBG(zdqK2/ #|Щ>&"r\餷 GTG@^-R(M` X~Ũ}5Oj6j=!у`5?؝_n&,m']қ≠DUt֝UnȓPc<,:dp'NAc,ImHȔ>G2)n-)RjXyw>ITnp=jhܻDؤHdi]P)ϡVPJj\=w(9W=yjUS*ZYQ#L @=(Ur3 Mܰ> Փ>-,Qku$ζy1K%XS#o=' ӝX*AEL> e8e9_>PP*(77v1F@G0eˡǪch鱆y(k (MNXCc{{n/1~߈+kѱ=̜09i҉H Wkm2R)5ܫ?R\mD έz_`9busΩ}?5r1c%'e&f/0̊|%U$x[hhwQf1q8sr;c{±@Ot jg~Rn:,<+sYy?h#jO5P(\Ot1ц]_Ō\>dF+iFwC ]xB<1EsP(#oI c 0rtF7aeOJoIgo+8}xxm@"r? IcxQL,nujhu뵮aC3 /uI9a4xFd}]Q|??'~e MHB}s ޫ7XLh0v>0"(S[]ă0>]w7aP/ @&Vip͒wy 6t0VQ=1e& f> sXDeb@Ԕ0(VIB qXR~DB(s &8Hgutl =܇>RXX_1[> MꪂOJ 2,=VV<>A~guE#r H@+^@03:%_Ч6#ko;79wh\^}&'+ 'W~<_/{9juoė[u|ܹ|Ҿh]^/z&hT/晾xQ(Xt %Eũ6uF\ «XerxgixɎ>+bzh,.6?ug(ڽ0%lyї51o&(6 Fyvllŵ6vg5^Lˢ5%Ǯ!uԦF p5z@Q`1Dk GM&7ba:kH碕&5+8r<((_2ʯj}q(QށNF9Rzo}ypleCI~>@?dG(חzQkg3틌r;vs_埡3]f'(U1OOr 3ڿΠ = >k\픊(eK " SV9,.N2W;uu8_6>Cg6'[5}NoM:RN ?,RKtAc,O)NBhع+jz|jpO4psn ~|t}$5RiErT)ܑNxIQGDd1< ̈ɪ"+Uw9 ط]V++b`"! *s>P`24UJ` z!J1 4c֭dK1BDO"׏ё.;fM$We",d aSKp^'WvŐ@0~Y8P*`!I؞.F^$.[?iǤK4l&Klɜ]k'bB'mWLL\Ќd@a)x܁AR~hqjF߮e/Mh'_5 BF3q4 Y8T"vc{[/I)H0\dz\g;n4ۭtK-gd+["l%E a'߂!TL,sD?>K:![1Q1jkA/?nwH3۱xಁe"=  smاTt |!,ڎN,Gw U|ٲs9abV)qmezӧW-[@5E`0v4`eh)Zձ]w 7g}4ʦJu_WHnNvGD '7>6'O[֢9m4` G:ʖ$_)0to G/7~~ r@b+ߟ2"L) ԦLjw)+],byY3lSw6E}2\HGx kyfŧ+o[t%(5x2[v6 l~HDZQĶ`:Vږ*zYD1e~}=3Ӳg(q",@PpPU+Kei$Vit/ >n)ZF$c ԭ䅸<P0_^C.vQeN܄uFEmhT_ !*lˢcM )/߶c3qݼ¶,yX]F\'X3'5cgb@xVO=d_qxN|L/ة9:y 2^9FB~eXX\FyyU~ҥN.I,g`aQd+8*)ؐrk`4bO1,sQf7=M@ 'Ɣ ϰ"- sK׶9),cw:gy/|[zD,5b;tP9ɓ_ a0+>c-3q7CƮ S)&DWK54ƘbO1,X+0_kAckDeU|tGYEL`&;]+N%t&vж?gTH0H6c?pf 7@˽ŵ]Ng"a7<#/a(`yba*"e}q$Y|C*'ꙺU7/>!2D!6xVi`Eqsş7q뇫NjV- QslA0}el_|HVzv S_&ȕ/g2f#oUAޚZfMZ%Nbj~ۊ#iQf8&rYObѥ;7 P%On6%s\ɜKBS+$WY/WiQ}"' Cfan؄;66BJF:6L]_[ PDw)