iPhone security in the enterprise: Mitigating the risks

Since its flashy launch in June 2007, the Apple iPhone has certainly garnered a great deal of buzz. Almost immediately, hackers searched for exploitable flaws in the product, and they weren't disappointed. In this tip, Ed Skoudis examines iPhone-specific attacks and reveals how organizations can limit their exposure as the popular devices infiltrate the enterprise.

Propelled by an alluring user interface, gobs of features, and an unparalleled marketing blitz, the iPhone, launched in June 2007, sold more than a million units in its first three months. Surveys of early adopters show huge favorability numbers, but the iPhone, like many mobile devices, introduces some serious security risks for individuals and enterprises.

iPhone attack vectors
Ambitious hackers have already discovered a number of ways to infiltrate the iPhone. One attack exploits its own software to run an attacker's code. Soon after the phone's release, vulnerability research company Independent Security Evaluators announced that it had discovered a heap-overflow vulnerability in the iPhone's Safari Web browser. Apple quickly patched the Safari flaw, but others have been discovered.

Listen to Ed Skoudis' tip

Download the author's iPhone security advice to your PC or favorite MP3 player.

Another exploit, detailed by Metasploit creator HD Moore, takes advantage of the way iPhone apps process TIFF images, potentially enabling an attacker to gain remote command shell access to the device. Since all iPhone applications run with root privileges, this opens up the possibility for attackers to exploit vulnerabilities and run evil code with superuser rights.

On a targeted iPhone, an attacker's code could plunder the sensitive information it stores, including contact names, phone numbers, calendars, email, browser history and notes. If that iPhone is also used for business, an attacker could extract sensitive enterprise secrets as well.

An exploited iPhone could even become the ultimate spying device. Although none has been released (yet), iPhone spyware could potentially turn on the speakerphone to act as a remote audio bug, activate the built-in camera to take pictures, and even check the built-in accelerometer to get a feel for when the iPhone is being handled by its user.

The iPhone could also be a vehicle for self-replicating malware. Flaw-targeting worms could spread via Wi-Fi, cellphone EDGE networks, or possibly Bluetooth, all networking options supported by the iPhone. Virulent worms could jump from Web sites, mail servers, or even other iPhones to the popular device.

Sniffing attacks are also a threat. With the relatively slow speed of AT&T's EDGE network, many iPhone users automatically jump on the nearest Wi-Fi network to surf the Internet. But, without encrypted access, an attacker can easily snarf sensitive data, including Web pages and possibly unencrypted email account passwords.

And, don't forget about physical theft! Because most users do not define a security PIN for their iPhones, anyone with just a few minutes access to the device can pull up some juicy secrets.

Enterprise iPhone management
Unfortunately, there are no enterprise management tools for the iPhone, forcing organizations to rely on individual phone users to maintain their devices. Worse yet, there are no official, iPhone-specific third-party security products, such as antivirus or host-based intrusion prevention systems (HIPS). Even though a lively development community has managed to alter iPhone software and install third-party apps, they have accomplished this work by hacking the iPhone, effectively using attacker techniques to bypass its built-in software controls.

Even if an independent group released tools to improve iPhone security, Apple's next software patch would blow away any user changes. Although Apple has promised an iPhone Software Developer Kit for third-party applications in early 2008, it's not clear what functionality it will support and whether any vendor will step up to provide device security. Apple has hinted that the functionality of official third-party software running on the iPhone will be seriously restricted as well.

Enterprise iPhone security solutions
In environments with strict security requirements, an outright iPhone ban is worth considering. With users clamoring for the fancy new features, however, such restrictions may simply not be an option.

For more information

Security experts are encouraged by Apple's iPhone security strategy, but say the device's popularity makes it a prime target for hackers seeking prestige.

While it won't be the first choice of many enterprises, a group of industry analysts say that the Apple iPhone could have a positive impact on future devices.

Are iPhone security risks different than those of other mobile devices? Ed Skoudis tackles an iPhone user's security question.

If an iPhone ban is a no-go, start off with user awareness training. Tell employees to set a PIN for iPhone access, using an Auto-Lock time of five minutes. Yes, this four-digit code must be entered to access the phone, but it significantly improves security against physical theft.

Also, explain to users the risk of sending sensitive data across Wi-Fi networks, especially unencrypted Wi-Fi. As with other mobile devices, tell users to avoid unknown access points. Let your iPhone users know, too, about the importance of keeping their phones patched. You might want to establish an internal mailing list that alerts users with patch updates and instructions.

Finally, if users are going to rely on their iPhones for business email, make sure you establish an email infrastructure that supports the device securely. A corporate VPN or SSH client can't be installed on the iPhone without a really ugly hack – one that will be rolled back by the next iPhone patch update.

For secure email, Outlook Web Access (OWA) or Lotus Domino Web Access can be used through the iPhone's Web browser. Although the Web-based portals securely pass authentication information via SSL, they're extremely difficult to work with on the small iPhone screen. Still, this route requires zero additional deployment if you are already relying on OWA or Domino Web Access.

In a more iPhone-centric, infrastructure-tweaking option, it's possible to migrate iPhone user email accounts to an appropriately configured mail server. The server, however, must support either POP or IMAP. The built-in iPhone Microsoft Exchange option is also based on IMAP. Using IMAP allows all email to be either downloaded or left on the server, a choice not supported by POP, which only downloads mail.

Default IMAP and POP access on the iPhone uses SSL for encryption. Unfortunately, a user can easily override the iPhone's SSL default option if the mail server supports non-SSL access. Thus, configure your mail server to allow POP or IMAP access only via SSL, denying any non-SSL requests and thus protecting email confidentiality.

The iPhone supports a variety of authentication types for both POP and IMAP, including passwords, MD5 Challenge-Response, NTLM, and HTTP MD5 Digest. Choose any of these options supported by your mail server --- except for the password option. Even with an SSL connection, an attacker could set up an impersonator mail server to trick the client into revealing the password. For outbound mail, the iPhone also supports SMTP, which again should be configured with SSL.

None of these defenses is comprehensive. You'll still need to rely on updates from Apple to keep the iPhone secure as new threats emerge. But keep in mind that even with the steps described above, it's not possible to fully prevent the security risks that come with having iPhone users in your enterprise, so proceed with caution.

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

Next Steps

Learn what's new in Apple's iPhone 7

This was last published in November 2007

Dig Deeper on BYOD and mobile device security best practices