Security Bytes

Jun 29 2007   4:33AM GMT

Thoughts on the iPhone security hype

Leigha Leigha Cardwell Profile: Leigha

Much has been made about the release of Apple’s iPhone, including a lot of speculation on the security risks of using one. There’s so much blogosphere noise on the subject that I’ve decided to focus on nothing else.

Headlines on the iPhone are all over the place. Some dismiss the notion that hackers will make iPhone attacks a priority. Others, like nCircle Director of Security Operations Andrew Storms, compare the coming of this device to the coming of the cyber apocalypse. Storms wrote in the nCircle blog, “‘It’s [the iPhone] going to be entering enterprise networks whether we like it or not, and it’s a nightmare for security teams.”

He said the iPhone has no place in the enterprise network simply because it lacks enterprise security controls. The most anyone can get out of Apple are demonstrations of the iPhone’s usability interfaces. “Given the complete lack of Apple to address enterprise security (yet), enterprise security teams must prepare for the worst,” he wrote.

There’s some truth to what Storms has to say. There’s no doubt these devices will find their way into offices across the globe, and that IT shops will be at a loss over what the big security picture will be. But for the most part, the security nightmare scenarios being bandied about amount to speculation and pure FUD. And when you get down to it, the potential threats are no different from those against every other Web-enabled mobile device. I just don’t see anything new here.

My impression is that a majority of bloggers feel the same way.

One of the strongest statements to that effect comes from Dave Goldsmith via the Matasano Chargen blog. Under the headline “Matasano Does Not Care About iPhone Security” he wrote the following:

“The fear mongering stories about the iPhone are beginning to pour in. From exploits to execs storing critical data on it, everyone is talking about how the iPhone is going to be the next security nightmare. Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns.

“Yes, somewhere deep inside of every enterprise is a small team of people that have to worry about data management. And yes, every time something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace.

“If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.”

Space Rogue, a security consultant and founder of Hacker News Network, wrote in his Space Rogue blog that the iPhone looks to be just as secure or even more so than a Balckberry, Treo, or Blackjack. “Everyone saying otherwise is either a paid MS schill, astroturfing, or just plain idiots,” he said. “About the only security questions I have with iPhone is whether or not it supports IMAP over SSL or IMAPS. Considering that the iPhone has Safari built in I suspect that support for SSL will be included.”

Jeff Hayes pointed out in his Security blog that there will always be new or potential vulnerabilities anytime a new computing device is thrown into the corporate mix. He said iPhone security might be a bigger issue over time, though for now it should be the least of a security manager’s worries.

There’s no question that the iPhone will face the same risks as mobile phones, laptops and other devices now being used in airports, coffee shops and offices across the world. But the big-picture threat is already well established. Most IT shops know by now that mobile devices are becoming a critical business tool and that there’s no shortage of tricks attackers can use to pit the technology against us.

The iPhone adds nothing new to this reality.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Technorati Tags: , ,

4  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Leigha
    Pretty good summation of this topic. iPhone is just another consumer endpoint device, which can join the list with all of the others that the security industry pretty much sucks at, as far as containing data leakage through their use.
    0 pointsBadges:
    report
  • Leigha
    Copying from other blogs!!! What a great way to provide insight on current issues without your own opinion!!! Then why do I need to read Information Security Magazine now??? I can just google "iPhone security"...right? =)
    0 pointsBadges:
    report
  • Leigha
    Well, Ray, pointing out what people are saying in other blogs is the whole point of this column. Using the iPhone hype as an example, my goal was to capture what bloggers were saying and then inject my own opinion along the way.
    0 pointsBadges:
    report
  • Leigha
    I thought is was a great precursor into what will become the norm as intelligent devices becomes smaller and continue to make into the workplace. What will be needed are better encryption schemes and ways to wipe the data if the devices are lost or stolen.
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: