Apples upcoming iPhone: Its a “security nightmare,” it will “turn your security team into zombies,” and Apple is possibly “using the Windows Safari Beta Test to stamp out iPhone security holes.”
Or, then again, depending on which iPhone watcher youre paying attention to, the iPhone security is irrelevant compared with “insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers personal financial information, and stolen laptops.”
The iPhone wont go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apples Safari browser.
The security experts who are worried about the hot, new gadget base their fears on the fact that the iPhone will be capable of much of the same functionality as the BlackBerry, without the enterprise-class security: The iPhone can access e-mail, the Internet and SMS, and it can store a plethora of sensitive data in its contact and organizer functions.
“The BlackBerry has over 200 security policies that permit enterprises to turn off its camera, force password changes” and prevent browsing certain sites, among other enterprise-class security features, said Ken Dulaney, an analyst at Gartner. “Im 99 percent sure thats not where the iPhone is taking it. If [such security features] came from anywhere, it would be from third parties. BlackBerrys are going to kill [the iPhone] from a security [perspective].”
Note: The BlackBerrys security profile isnt necessarily faultless: Symantec researcher John OConnor put out a whitepaper on hacking the device in the fall. The paper was subsequently removed from Symantecs site, however; OConnor said the reason for the removal was that he hadnt considered “the effectiveness of all possible security features that might provide mitigation of the impact of malware and the management of application permissions.”
Still, BlackBerry security headlines have covered, among other things, a DoS (denial-of-service) bug in January 2006, the release of exploit code in August 2006 and the ability for attackers to purchase a $100 API developer key to enable data theft off the devices.
Andrew Storms, director of security operations at network security firm nCircle, who called the iPhone a “security nightmare” in a recent post, has gone so far as to post a list of security-related questions that he wants Apple to address in a public forum before organizations “reel this new gadget into” their security policies. To wit:
- Is data encrypted while in transit?
- Is data encrypted on the device?
- Is data encrypted on removable memory?
- Is data removed if the device hasnt checked in centrally, hasnt received a policy update within a time window or if battery power is too low?
- Is there S/MIME support?
- Is there PGP support?
- Are there electromagnetic analysis countermeasures?
- Are there DRM applications (ability to read, but not forward data)?
- Is there user authentication by means of password, passphrase or smart card?
- Does the device automatically lock and require authentication to unlock?
- Are the encryption keys stored on the devices, and are they also encrypted?
- Do the network devices have firewalls?
- Are the network interfaces disabled by default, and does the user have the ability to disable at will?
- Is there the ability to remotely lock and disable the device?
- Is there the ability to remotely wipe and back up data?
- Is there the ability to centrally develop and enforce policy settings?
- Is there centralized reporting of all device events—calls made, data transferred and usage statistics?
Gartner plans to recommend that businesses dont allow iPhones to come onto their premises.
Not that the iPhone is as potent a potential threat as a PC, Dulaney said. All phones have a security advantage given that they sit behind operators at, for example, Cingular or Verizon.
Next Page: iPhone faces Internet risks.
Risky Internet Links
“Because the phone sits in a closed environment, its uniquely different from PCs attached to the generic Internet,” Dulaney said. “By definition it has security advantages a generic PC wouldnt have.”
That said, the smart phone can expose itself to the risky Internet through, for example, browsing, Dulaney said, and lacks a firewall.
The iPhone likely isnt going to have enterprise-class security anytime soon, either. Dulaney talked to Apple last week and said that he came away with the impression that the company isnt interested in selling to that audience; rather, its fixated on selling the iPhone to consumers.
Nonetheless, executives will “no doubt” bring the phones into their organizations, he said. Recognizing that inevitability, Gartner is reiterating to its clients its recommended three-level support policy: Platform, Appliance and Concierge.
At the Platform level of support, an organizations IT group selects a device because its characteristics meet enterprise security policies. At the Appliance level of support, IT permits some degree of choice to its end users: IT asks users to narrow the functionality they deploy on a given device—say, limiting their use to browsing. In return they get more support.
If forced by executives to support the iPhone, Gartner suggests slotting the device under a Concierge level, where security is offered at a high price. In this level of support, an organization would apply bodies to the problem. If an executive insists on being supported with some device, the only thing the enterprise can do to safeguard its data assets is to hire college kids to look after the device. If its lost, a college kid would do nothing but try to find out where it is and to prevent loss of data, Dulaney said. Given that higher-level executives are the ones who can demand IT support, the risk of exposure is that much higher, he pointed out—i.e., a lost iPhone could very well have, for example, a companys financials on it.
Mac OS X fans point to the fact that the operating system, considered by many to be far more secure than Windows, will ensure that the iPhone is secure. At this point, however, nobody knows what features have been removed from Mac OS X to fit it into a smart phone form factor.
“To take a big operating system and shrink it down to a phone is a serious technical challenge, I dont care who you are,” Dulaney said. “Who knows what Apples done here.”
For example, Apple could have gotten the operating system from a third party and just called it OS X, Dulaney said. An example is Java for servers and Java for phones; theyre both called Java but theyre “very different,” Dulaney said. For all we know, Apple could have started from scratch to write the operating system for the iPhone, in spite of calling it Mac OS X. One indication that the operating system of the iPhone and the Mac desktop are sitting on different code bases is their UIs; each is very different from the other.
“Its hard to say how much they put in there,” vis-à-vis security, Dulaney said.
Windows Mobile is another example of a mobile operating system being quite different from the desktop operating system from which it descended. The APIs between the UI on Windows for the desktop and Windows Mobile are common, but thats all the two share, Dulaney said.
“[Microsoft calls] them both Windows, but they share very little in common,” he said.
Next Page: Microsoft answers security quiz.
Microsofts Answers
As a means of comparison, Microsoft supplied the answers to Storms questions for Apple as if he had asked them of Windows Mobile. Microsofts answers:
- Is data encrypted while in transit? Yes, the data is transported using SSL, so it is encrypted during transit
- Is data encrypted on the device? No.
- Is data encrypted on removable memory? Yes.
- Is data removed if the device hasnt checked in centrally, hasnt received a policy update within a time window or if battery power is too low? No. However, please note the Exchange server can remotely wipe the device. The device is also wiped if the password is entered too many times as a security measure.
- Is there S/MIME support? Yes.
- Is there PGP support? No (need third-party application).
- Are there electromagnetic analysis countermeasures? No.
- Are there DRM applications (ability to read but not forward data)? Yes, support for DRM for media content and IRM for e-mail (read and create is supported).
- Is there user authentication by means of password, passphrase or smart card? Yes. Windows Mobile 6 includes the ability to lock your device and require a password to use the device after a specified period of disuse.
- Does the device automatically lock and require authentication to unlock? Yes.
- Are the encryption keys stored on the devices, and are they also encrypted? Yes, stored on the device and is possible to encrypt them.
- Do the network devices have firewalls? No.
- Are the network interfaces disabled by default, and does the user have the ability to disable at will? User can disable.
- Is there the ability to remotely lock and disable the device? Yes.
- Is there the ability to remotely wipe and back up data? Yes, can wipe but cannot back up data.
- Is there the ability to centrally develop and enforce policy settings? Yes.
- Is there centralized reporting of all device events—calls made, data transferred and usage statistics? No, not today.
One source of potential security risk that wont be on the iPhone is Exchange. Dulaney said that Apple told him the iPhone will support Outlook but not the Exchange server. The only e-mail Apple plans to support on the smart phone is ISP e-mail—a fairly rudimentary version of e-mail.
The iPhone also wont support pushed e-mail; Sync, the “old-fashioned way of doing things,” will basically be the only way to download e-mail, Dulaney said.
At any rate, Apple is annoying some analysts with its lack of security details.
“They really have said absolutely nothing,” Dulaney said. “The way theyve been with everybody borders on arrogance. They should tell people what theyre getting into.”
As far as what Apple is saying, Dulaney said he has trouble believing the companys claims about the smart phone, including battery life claims.
“Apple [is claiming] almost a 2x ratio of standby to talk time of other devices,” he said. “Which says to me, if you have given the same amount of capacity on the network with the same battery capacity, [various smart phones battery lives] should be the same, which Nokias and BlackBerrys basically are. Apples never made a phone before. Do they have a nuclear generator in there? They could have filled every nook and cranny with liquid polymer stuff, but its hard to tell.”
And then again, theres the option of not caring about iPhone security. Security firm Matasanos Dave Goldsmith wrote in the company blog—in its headline, actually—that “Matasano Does Not Care About iPhone Security.”
“If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please dont spend too much time on the iPhone,” Goldsmith said.
The rationale:
“Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers personal financial information, and stolen laptops.
“Will the iPhone compound this problem? Slightly.
“Will researchers attack the iPhone? You bet.
“Will attackers spend a lot of time trying to steal data off of an iPhone? I doubt it.
“Will someone run Linux on the iPhone? Sadly, yes.
The person that spends 500$ on their phone will protect it more than the laptop you issued them.”
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
