iPhone Is Coming to Your Network, Ready or Not

Analysts said that despite iPhone's security issues, early-adopter employees and status-seeking managers will smuggle the device into enterprises.

iPhone. Whether enterprises are prepared or not, it has arrived.

Less than a month into its release, Apples multimedia, Internet-enabled phone has already received criticism regarding security, highlighted by attempts to unlock the iPhone for networks other than AT&T and a well-publicized exploit crafted by Independent Security Evaluators, Baltimore-based security testers.

It is only natural that IT organizations shiver at the thought of the iPhone endangering their networks, but they will have few options to block its entrance to the enterprise and no recourse but to prepare for it, said Andrew Jaquith, an analyst at Yankee Group.

"Regardless of the bloviating prognostications of analysts, journalists or other talking heads—this one included—early-adopter employees and status-seeking managers will smuggle the iPhone…into enterprises of all sizes," he said.

"Because of the iPhones enterprise suitability—not in spite of it—these employees will place increasing pressure on IT groups to support e-mail, calendaring and intranet application interfaces that work with the iPhone."

Enterprises can choose to support the iPhone by using open standards for e-mail access, and by configuring their VPN to work with the iPhones VPN client, Jaquith said.

"Not supporting the iPhone is an option too, but frankly in my view the security issues are not that significant," he said. "The iPhone isnt a smart phone—a cut-down PC. Its better to think of it as a grown-up iPod that also allows employees to check e-mail and run Web applications."

Thinking of an iPhone as a grown-up iPod may make some breathe easier. However, Credant Technologies found in a study that even when it comes to iPods, enterprises are not taking the security measures that they should. According to the study, which surveyed 323 business executives from a variety of fields, only 6 percent of all respondents have an encryption tool for data stored on iPods. Forty-six percent said they have a written security policy governing the use of iPods, while 40 percent have done nothing.

Those numbers matter because workers can download data onto their iPods to take outside the office, said Richard Stone, vice president of marketing at Credant, which is now offering file-based encryption technology to address this issue.

"Organizations have got to enforce the security on those devices," he said. "Its actually cheaper to protect data then to lose it."

Gartner analyst Ken Dulaney has been a critic of the iPhones security, and is among the chorus of voices urging enterprises to wait until Apple has improved the iPhones security. Though he agreed that the inability to change native OS files make targeting the iPhone with malware less tempting for hackers, the handsets lack of a SDK (software development kit) means third-party security vendors will not be able to add additional layers of protection, he said.

/zimages/3/28571.gifClick here to read about how researchers cracked the iPhone.

"As you can see from our notes and the many break-ins that have already occurred with this, the only defense comes from Apple," Dulaney said. "Third parties cannot provide enabling technology to more aggressively increase security."

Jaquith said that many of the security worries raised by critics of the iPhone have been exaggerated.

"Lets look at the facts. Internet-capable phones have much smaller attack surfaces than desktops," he said. "Moreover, the iPhone has a much smaller attack surface than the smart phone operating systems it has been often compared with, such as Windows Mobile. The iPhone has no open TCP/IP ports, no removable media, no USB drive functions, no Bluetooth services other than audio, no file system access and no supported native third-party APIs or SDK. If you cant run third-party code on it, you cant run hostile code on it either."

In addition, the iPhones lack of USB drive functions means that it cant be used to smuggle data out of firms, Jaquith said.

"E-mail is encrypted by default," he said. "And because the API for the iPhone is HTML and AJAX, you cant store large quantities of sensitive information on the device—other than cached e-mail. Thats a pretty small attack surface."

Jaquith acknowledged however that there are areas where Apple is going to fall short, such as the Safari exploit discovered by Independent Security Evaluators.

The major security issue for enterprises is determining whether they want to allow the iPhone to access company e-mail and intranet applications, he said. The iPhone is capable of doing both securely, using IMAP-S and SMTL over TLS for mail, and L2TP over IPSec for the VPN, he explained.

However, that too introduces vulnerabilities, wrote Dulaney and fellow Gartner analysts John Girard and John Pescatore in a report earlier this month.

"Because IMAP does not support calendar and contact synchronization, users will be forced to utilize a separate local synchronization to the users PC, a method similar to what the Research In Motion BlackBerry used in v.3.x of its software," the Gartner analysts wrote. "Potential vulnerabilities include VPN tunnel exposure, incompatibility with company mandated-VPN client security tools and unaudited local information exchanges with the users workstation."

The iPhones status as a new product means it deserves more criticism than other products, Dulaney said.

"That said," he added. "It is far less secure than the BlackBerry, doesnt support mainstream security protocols and methods and provides no way for third parties to fix the problems."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.