Posted by: Leigha
Information Security Threats
Much has been made about the release of Apple’s iPhone, including a lot of speculation on the security risks of using one. There’s so much blogosphere noise on the subject that I’ve decided to focus on nothing else.
Headlines on the iPhone are all over the place. Some dismiss the notion that hackers will make iPhone attacks a priority. Others, like nCircle Director of Security Operations Andrew Storms, compare the coming of this device to the coming of the cyber apocalypse. Storms wrote in the nCircle blog, “It’s [the iPhone] going to be entering enterprise networks whether we like it or not, and it’s a nightmare for security teams.”
He said the iPhone has no place in the enterprise network simply because it lacks enterprise security controls. The most anyone can get out of Apple are demonstrations of the iPhone’s usability interfaces. “Given the complete lack of Apple to address enterprise security (yet), enterprise security teams must prepare for the worst,” he wrote.
There’s some truth to what Storms has to say. There’s no doubt these devices will find their way into offices across the globe, and that IT shops will be at a loss over what the big security picture will be. But for the most part, the security nightmare scenarios being bandied about amount to speculation and pure FUD. And when you get down to it, the potential threats are no different from those against every other Web-enabled mobile device. I just don’t see anything new here.
My impression is that a majority of bloggers feel the same way.
One of the strongest statements to that effect comes from Dave Goldsmith via the Matasano Chargen blog. Under the headline “Matasano Does Not Care About iPhone Security” he wrote the following:
“The fear mongering stories about the iPhone are beginning to pour in. From exploits to execs storing critical data on it, everyone is talking about how the iPhone is going to be the next security nightmare. Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns.
“Yes, somewhere deep inside of every enterprise is a small team of people that have to worry about data management. And yes, every time something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace.
“If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.”
Space Rogue, a security consultant and founder of Hacker News Network, wrote in his Space Rogue blog that the iPhone looks to be just as secure or even more so than a BlackBerry, Treo, or Blackjack. “Everyone saying otherwise is either a paid MS shill, astroturfing, or just plain idiots,” he said. “About the only security questions I have with iPhone is whether or not it supports IMAP over SSL or IMAPS. Considering that the iPhone has Safari built in I suspect that support for SSL will be included.”
Jeff Hayes pointed out in his Security blog that there will always be new or potential vulnerabilities anytime a new computing device is thrown into the corporate mix. He said iPhone security might be a bigger issue over time, though for now it should be the least of a security manager’s worries.
There’s no question that the iPhone will face the same risks as mobile phones, laptops and other devices now being used in airports, coffee shops and offices across the world. But the big-picture threat is already well established. Most IT shops know by now that mobile devices are becoming a critical business tool and that there’s no shortage of tricks attackers can use to pit the technology against us.
The iPhone adds nothing new to this reality.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.