EXPERT RESPONSE
Your timing is quite amazing. It just so happens that I purchased an iPhone last night and set it up early this morning. It's a dazzling device, but you are right to bring up security concerns. Only a few short weeks after its release, researchers had already discovered vulnerabilities associated with the iPhone's browser and mail client. I agree with you that the security risks of an iPhone are comparable to other wireless devices, but the iPhone does bring some special issues that are a cause for concern:
- The iPhone is a product with gobs of new software on it. Surely, bugs will be scrubbed out over time, and many of these bugs will have security implications. Some iPhone supporters might point out that the iPhone is based on Mac OS X, and therefore isn't as worrisome as totally untried software would be. But a lot of the capabilities on the iPhone are being introduced for the first time, and the glue that links all of these applications together -- including the contact list, calendar, email and phone features -- is new. Security vulnerabilities are often found in a product's underpinnings, and if similar weaknesses are found in the iPhone, an attacker may be able to steal contacts or break phone connectivity.
- The iPhone is sexy. Researchers are already trying to make a name for themselves by finding flaws in the product and announcing them publicly. Expect to see a lot more of that in the near future, as the security community "breaks in" this newcomer.
- The iPhone is feature-rich. This gadget has more applications and functions than most other widespread cell phone technologies. Thus, there is more of a chance for interference with a user's life.
- As of this writing, the iPhone doesn't integrate with many enterprise email systems, although Apple has hinted that the incompatibility issues will be addressed very soon. Integration, however, might make users bend over backwards to exfiltrate their own email so that they can read their messages on the new device. The transfer could possibly short-circuit carefully secured enterprise email infrastructures.
Only time will tell, but I wholeheartedly think there will be a good number of iPhone security issues in the next six months or so. It's going to be a heck of a ride. But the product is so nifty that I did sign up for my seat on the roller coaster.
More information:
Shellcode has been published for Apple's iPhone. Learn how the device can be used as a pocket-sized attack platform.
An expert warns that the Apple iPhone will provoke complex mobile attacks.
|
