iPhone insecurity

Robert Vamosi CNET

Published: 27 Jun 2007


Apple excels in creative and innovative marketing. Often it's what the company doesn't tell you that creates the most buzz. For example, we know next to nothing about the Apple iPhone. We know little about the new Leopard release of Mac OS X. Both have generated a lot of press, and so far the hype has succeeded in distracting everyone from a very real concern: the overall security of each product. When you strip away all the creative marketing, when you take away the Steve Jobs-induced hype, what you have is a new mobile phone based around an operating system that's just as vulnerable as the next one. Trouble is, Apple isn't being as forthcoming about security as other vendors.

The naked iPhone
For the moment, iPhone will be running a version of the current Mac OS 10.4; in the autumn, Apple will presumably upgrade its phones to the newer Mac OS 10.5. So far, the company seems to be rolling out a series of patches, one a month for the last year or so, which is good. Apple might, however, want to follow Microsoft's lead and standardise its releases to the second Tuesday of each month.

When flaws are patched, Apple often fails to acknowledge the researchers who actually brought the vulnerability to its attention. Apple is known to be looking for more security researchers. It's not an ego thing; by working with the vendor to correct the vulnerability, researchers put in long hours, usually without compensation. A public 'thank you' is more than enough. But that hasn't happened.

Shoot the messenger
Instead, Apple has created a history of attacking security researchers. Last summer, during BlackHat USA, security researchers David Maynor and Johnny Cache disclosed a wireless vulnerability using an Apple MacBook. The team found that malformed network traffic could allow the notebook to be compromised, and they provided a video of the attack. The researchers did use a third-party wireless card for their video demonstration, but said repeatedly that the Apple Airport wireless driver was also vulnerable.

After BlackHat, Apple rebuked Maynor's employer, saying 'despite SecureWorks being quoted saying the Mac is threatened, they have provided no evidence that it is'. Apple orchestrated media attention toward third-party wireless device drivers, which is fine because those drivers were patched quickly. Two months after BlackHat, Apple quietly released a patch, which, if the vulnerability that was fixed had been exploited, could have compromised the Airport wireless drivers in MacBooks. Apple forgot to mention David Maynor and Johnny Cache.

Reap the seeds that have been sown?
Ironically, it was another Apple vulnerability that put David Maynor in the news again recently. He was one of three independent security researchers who disclosed vulnerabilities within the new Safari 3.0 for Windows beta. Some of the flaws exist on Mac OS as well. Although the point of a beta is to ferret out the bugs on a variety of different machines before it goes final, some of the flaws disclosed in Safari this week were pretty easy to find. In other words, Apple could have found these vulnerabilities themselves during various alpha builds.

Rather than work quietly with the vendor, Maynor and the others made their findings public. A few weeks ago, I interviewed security researcher Chris Soghoian who pointed out that disclosing an Apple vulnerability is almost a guarantee of a lawsuit. Instead, many security researchers would rather find a fault with another vendor. On the other hand, Maynor is rumoured to have another Safari exploit primed and ready, one that works on both the Windows and Mac OS versions of Safari. It's ready to go once he gets his hands on an iPhone.

iPhone worries
Which brings us to the iPhone. Again, no one outside of an elite few has actually held an iPhone, yet there's legitimate concern about its security. But Jobs has said that it will be a closed operating system, meaning you cannot write mobile applications for it — directly. The carrot Jobs extended to the WWDC crowd was not a software development kit (SDK) for writing applications (which the developers I spoke to all wanted), but a way to write applets within the Safari browser.

As we have seen, security researchers were able to find fault with Safari 3.0 within days of its beta. Malware today is almost always financially motivated. The crowd that stands in line on June 29 for the US release of the iPhone has at least $500 to spend, more with the two-year contract to AT&T. These early adopters are going to load their iPhone with important contacts — maybe even download songs and movies that have value as well. In the end, the typical iPhone user may have a target on his or her back.

Below the surface
Even before the Safari announcement, the underlying Mac OS remains vulnerable, although by locking outside vendors out of writing code for the iPhone, the overall security risk could be lower than expected. Eric Chien, writing on Symantec's blog site, said back in January 2007 that the iPhone was prone to two types of vulnerability exposure. One, the Mac OS is based on Unix, and Unix has a number of well-known vulnerabilities that could also affect the Mac OS. While the incentive to exploit these exists today (to give Apple a black eye, not to mention wreak havoc on the Apple community), there's much greater financial incentive in waiting to go after the mobile version of Mac OS in July. Second, Chien worries about the rise of non-standard software on the iPhone. I think that the latter is somewhat removed now that Safari will be the legit platform for ad hoc programmers.

From an IT perspective, say you want your workforce to switch over — what security guarantees do you have? Does the iPhone include auto-update or an update button, or will there be a way to push out updates across the network so your employees can remain patched? And if there's a firewall included, does the user have the ability to tweak it or opt out? These are questions that will be answered very soon.

Can't really predict
Criminals today are not writing code to garner 'greetz' from their 3l337 crew; they're targeting attacks aimed at the most profitable parts of the web. Apple may not enjoy the 90 percent saturation of Windows, but of that 5 percent it does hold dear, the relative income of the Apple user base may be enough to finally make Apple a big target.

And of the percentage that purchases the very first iPhone with its two-year contract to AT&T, that too is a financially attractive group for criminals to attack. Given that they wouldn't want to risk compromising the iPhone with gnarly malware infections, Apple might see the light. Apple should stop attacking the messengers — the researchers — and change, as did Microsoft, by working with them. Maybe, with the popularity of the iPhone and Leopard OS, that will happen.
