June 26th, 2007
The iPhone security non-story
David Maynor is hoarding his Safari browser flaws with his eyes on the iPhone.
As far back as January, hackers were asking questions about the iPhone CPU and preparing for attack scenarios.
The first hacker that breaks into the iPhone will generate lots of headlines/publicity but that’s right about where this story ends.
According to this NetworkWorld piece, Gartner will add to the ridiculous hypefest next Monday with a warning to enterprises:
We’re telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise,” Gartner analyst Ken Dulaney says. “This is basically a cellular iPod with some other capabilities and it’s important that it be recognized as such.”
Do we really need a Gartner report to tell us that a storage device presents a data theft risk?
Dave Goldsmith from Matasano says it best:
Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns.
Yes, somewhere deep inside of every enterprise is a small team of people that have to worry about data management. And yes, everytime something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace.
If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.
Space Rogue, a former L0pht member and editor of the Hacker News Network, agrees this is a non-story and argues that iPhone will be much more locked down and secure than your existing cell phone, thanks to the firmware auto-updating mechanism built into iTunes.
iPhone will run a modified version of OSX. That will likely include some form of FileVault, Apple’s encryption technology for user files. Thats right, encryption built right in. This hasn’t been announced and it might not be in there, but if the technology and the code already exist why not put it in?
iPhone looks to be just about as secure or even more so (no proprietary and closed backend) than a Blackberry, Treo, or Blackjack. Everyone saying otherwise is either a paid MS schill, astroturfing, or just plain idiots.
Bingo.
And the 25+ PR folks pitching me on iPhone security stories to hitch your clients’ wagon to the iPhone gravy train, you can stop now.
This is my last iPhone blog entry. Until Maynor or Halvar Flake breaks in.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
| 06/27/07
