IPhone security: Nightmare for IT or no big deal?
- 25 June, 2007 20:24
Apple Inc.'s iPhone will prove to be a security nightmare to corporate IT when it debuts Friday. Or it may fuel a surge in mobile malware. Or it won't change the security landscape one whit. Take your pick, said security researchers and analysts today.
With details still unclear -- Apple has said next to nothing about iPhone security -- it's no wonder that the device's vulnerabilities are in the eye of the beholder, even if those beholders are professionals who make their living researching vulnerabilities and blocking exploits.
"It's a nightmare for security teams," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What I'm afraid of is that enterprises are going to get pressure from, say, sales, to bring this in. And even if it's not approved, people will try to connect it to their corporate networks. It has no place in the enterprise."
Storm's problem with the iPhone stems from the lack of a security management tool that could enforce company policies about which devices connect to the network and when. "There are no central management tools. If there was a product that integrated with [Mac] OS X Server, it would be a totally different story," said Storms. "Apple has been quiet about enterprise security, so we have to expect and plan for the worst."
Neel Mehta, team lead for Internet Security Systems Inc.'s advanced research group, agreed -- up to a point.
"All the press around the iPhone makes it a very enticing target for hackers," said Mehta, who has forecast malware aimed at the new device will be developed in the near future. "The fact that it runs Mac OS X means that there is a good possibility that vulnerabilities found on the OS will also affect the iPhone. [Hackers] may be able to port the hacks they find on one to the other."
But Mehta also said he sees an upside to iPhone security. One likely boon: the omission of an software developer's kit for the phone. The decision to forgo an SDK and instead force application writers to deliver software and services through the embedded Safari browser may have disappointed developers, but it got a thumbs-up from Mehta.
"The lack of an SDK will limit the development of viruses and worms," he argued. "Without one, it's going to be very challenging [for anyone] to run any software on the iPhone."
And even if malware authors manage to overcome the difficulty, Mehta doesn't expect the iPhone's world to come crashing down -- at least not right away. "I think we'll begin to see attempted exploits, if they do appear, very quickly after the iPhone launch," he said. "It will probably be more attractive as a research target than an exploit target, because the market share just won't be comparable to other platforms for a long time to come."
David Goldsmith, one of the principals at security consultancy Matasano Security, and a co-founder of @stake Inc., downplayed potential iPhone security issues even more so than Mehta. There are much more important things to worry about, he said.
"If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don't spend too much time on the iPhone," Goldsmith said in a posting to the Matasano blog last week. "Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers' personal financial information and stolen laptops."
Exactly, agreed Andrew Jaquith, an analyst with the Yankee Group Research Inc. Calling Storms' nightmare scenario "scare-mongering," Jaquith went on to say that "Andrew misses the broader point that consumer technologies are invading the enterprise. Instead of getting IT groups riled up over issues that frankly haven't been solved by any device, no matter how 'enterprise grade' it might be, he would be better served thinking about how to accommodate the iPhone."
Storms wouldn't go that far, but he did acknowledge that fighting the iPhone could be futile. "Enterprises have to get ahead of it," he said. "Remind users that it's not approved, but let people know that you're going to continue to look at it."
Mehta, more in line with Jaquith's advice, said a ban wouldn't work. "The iPhone poses the same risks as any other device connected to the network. It's going to be very hard to control [who uses it], so the best thing to do is take the defense-in-depth approach."
They're all just whistling in the dark for now, of course, and unless Apple spills more security details between now and Friday, that's the way it will remain for the week -- which is what drove Jaquith to the edge.
"Stating that, sight unseen, the iPhone has 'no place in the enterprise?' Give me a break."