You have to give it to Apple. At least they’re trying, in their inexperienced way, to make the iPhone acceptable to enterprises. They even have a web page about it.
The really bare-bones necessities may be there already: A mail client that can talk to Exchange Server, VPN support, some Oracle support. Perhaps most importantly, the addition of Microsoft ActiveSync provides the ability to remotely wipe the device using the Exchange Management Console. This is supposed to wipe all data on the device: “Doing so quickly removes all data and configuration information from the device, then the device is securely erased and restored to original, factory settings.” This can be handy for the not-uncommon lost device. [Note: This column originally, mistakenly said that there was no remote wipe capability. Sorry.]
And as silly as it seems for an Apple device or, for that matter, for a mobile device, I want to see some sort of client-level security program. Yes, anti-malware, IPS, all of that. Now that corporate e-mail is a serious possibility for the iPhone I see trouble on the way.
We often see new, obscure vulnerabilities exposed when Microsoft reveals that “limited, targeted attacks” have been committed with it, and that an exploit is not generally in the wild. The iPhone is a great target for such attacks. The iPhone and MacOS on which the software is based have a rich recent history of vulnerabilities, and Apple usually takes their good time fixing them. Security against it will likely to come only at the level of the Exchange Server anti-malware. A targeted attack against, for example, the iPhone Mail program, would therefore have high value. Rest assured that lots of qualified people are working on such attacks now.
The iPhone is uniquely vulnerable to many kinds of attacks to which other mobile devices aren’t. First, Blackberrys aren’t treated as general-purpose computing devices the way that iPhones are. Second, it’s not just the mail, it’s the browser. For now it seems iPhone users are stuck with Safari, which also has a rich recent history of vulnerabilities. A targeted attack would work very well that way, by e-mailing the victim a URL rather than a binary of some kind. They click the link, completely outside the protection of the corporate network, and a Safari vulnerability gets them.
How long do these iPhone vulnerabilities sit around unpatched? The bunch patched just a few days ago were generally about 3 months old. Several of them were drive-by installer attacks on Safari (“Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution”).
Once an attacker has exploited a vulnerability it shouldn’t be too much trouble for them to install other programs. The iPhone Dev Team has already “jailbroke” the iPhone 2.0 OS, so that barrier doesn’t seem too formidable.
There is a middle ground between banning iPhones and letting them in without adult supervision. In a story we ran about a month ago some of you claimed that you don’t allow much network access even for more secured devices. If you just allow e-mail support and not allow any protocols you are still somewhat exposed, as are any documents on users’ phones, but it could be worse.
But I’m a hardcore fascist when it comes to equipment on the network. No company that’s serious about security lets new devices on the network without proper vetting by IT, no matter what some Executive VP wants. A lot of companies have been bending under the pressure for the iPod for the last few months, and it may get worse now that Exchange support is there. The iPhone may get to the point of being secure enough, but for now there’s still the potential for real trouble.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack