Matasano Does Not Care About iPhone Security

Dave G. | June 20th, 2007 | Filed Under: Apple, Industry Punditry

The fear mongering stories about the iPhone are beginning to pour in. From exploits to execs storing critical data on it, everyone is talking about how the iPhone is going to be the next security nightmare.

Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns.

Yes, somewhere deep inside of every enterprise is a small team of people that have to worry about data management. And yes, every time something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace.

If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.

Will the iPhone compound this problem? Slightly.
Will researchers attack the iPhone? You bet.
Will attackers spend a lot of time trying to steal data off of an iPhone? I doubt it.
Will someone run Linux on the iPhone? Sadly, yes.

The person that spends 500$ on their phone will protect it more than the laptop you issued them.

18 Comments

    "The person that spends 500$ on their phone will protect it more than the laptop you issued them"

    Isn't that the truth!

    I don't know, Matasano.

    Linksys hasn't had a great reputation in the past for security. Didn't they ship a router with an administrator default password... twice? Didn't they allow access to their underlying Linux OS via TTCP? Weren't they the ones that allowed simple CSRF to change passwords?

    And don't forget about DNS hijacking - sorry "Pharming" - although DNSSEC would prevent that, mind you.

    Yeah. The Linksys iPhone is bound to be one of the WORST security problems the world has ever seen. Predicted here first.

    @dre
    Hm, sorry to point out to you that they are not talking about the Linksys iPhone (which no one cares about) but a new phone by Apple.
    http://www.apple.com/iphone/
    @Dave G:
    How come you say sadly someone will run Linux on it? Having someone port a version of Linux would be something wonderful. I bet that Apple placed many silly software restrictions in it, just as it did in Apple TV and the iPods; having some piece of software that can actually exploit the hardware's full capacity is not sad.

    "The person that spends 500$ on their phone will protect it more than the laptop you issued them."

    LOL - so true.

    Finally some sense. The iPhone is not even on my radar (well, I do plan on buying one) and it shouldn't be until after it's released. Out of the risks that we have to manage, it's just not high on the list. But that won't stop pundits trying to improve their click-through by releasing FUD.

    It's sad that they'll have to, I guess.

    I was rather excited when I first saw the specs for these things - not that I'm about to spend 500 USD on a phone. But, there I was imagining all sorts of useful OS X tools could get ported to the iPhone - especially wireless tools. Now we get the lovely news that if it can't be implemented in AJAX, it ain't coming to an iPhone near you. Bleagh.

    Incidentally, was the thing about the Linksys a joke? I think they're just coming out with the thing because they have to retain a semblance of using the trademark on the name "Iphone", which Cisco had been sitting on silently for some time until Apple made their announcement.

    That wasn't very clear - I meant it's sad that people will have to port Linux to the iPhone, in order to get full access to the hardware they've put out good money for.

    Dre was clearly trying to wind people up, and he succeeded. Nice job, Dave, talking sense on this issue. I was asked by a reporter to comment on your blog post (!) and on Andrew's (nCircle), and frankly I think this whole issue is a tempest in a teapot. Show me a phone that implements all of Andrew's wished-for security features, and I'll show you one that doesn't exist. CLEARLY any phone that doesn't have "electromagnetic analysis countermeasures" isn't ready for the enterprise.

    There have been many other very successful handheld/phone platforms in the past and none of them have been the security nightmare everyone talks them up to be. iPhone will be no different. Perhaps a POC here and there but nothing ground-breaking.

    iPhone == status symbol
    theft == crime of opportunity
    stolen iPhone == factory reset & sold on eBay

    Also:
    http://www.theonion.com/content/infograph/apple...

    @Andrew: "CLEARLY any phone that doesn't have 'electromagnetic analysis countermeasures' isn't ready for the enterprise"

    So you're suggesting that enterprises use cell phones with a local switching gateway inside of a giant copper-shielded orb surrounded by white noise generators?

    It's not all about security, is it? It's about a level of assurance good enough to prevent your mom's credit card number from getting stolen off the phone while she buys Snoop Dogg's latest iTunes music video.

    @dragonfrog: "Now we get the lovely news that if it can't be implemented in AJAX, it ain't coming to an iPhone near you"

    DOM-based XSS is going to be a primary vector of attack for the iPhone? So what?! It's already a primary vector of attack for everything! I am starting to wonder why Matasano doesn't care about this sort of security, as it's probably one of the biggest and most critical issues we need to address. Sure, it's not specific to the iPhone, but cross-operating system, cross-browser botnets based on browser technology should scare the beejeezus out of everybody. That's exactly the type of stuff that is worth talking about.

    @ChrisR: "There have been many other very successful hand held/phone platforms in the past and none of them have been the security nightmare everyone talks them up to be. iPhone will be no different. Perhaps a POC here and there but nothing ground-breaking"

    You didn't read the latest SecurityFocus interview with Barnaby Jack, but that's ok - I'll summarize: null ptr exceptions should scare you. Again. No, really - this time. I'm not kidding.

    Ok I am kidding. Nobody with a brain (see: intelligent adversary) attacks platforms anymore. Web applications make it so that platforms, OSes, and fat apps don't even really need to be attacked. They're already owned when a user opens a browser and clicks on his/her first or second link.

    Embedded devices are under attack, but in a very different way. I wasn't kidding when I was talking about Linksys earlier. According to the Illuminati (the CoralCDN study (*), not the conspiracy theory), 73% of browsers are behind a NAT. But behind those NATs only 1 or 2 hosts exist. So under a large JavaScript browser attack such as an XSS worm, a very successful adversary/adversaries would be able to perform a Jikto-style attack (i.e. intranet port scanning with HTML or JavaScript) against a bunch of ...

    you guessed it... Linksys routers. And what web vulnerabilities exist in these toy devices? CSRFs to change the passwords. And what can you do when you change the passwords? Change the Linksys configuration. And what in the Linksys configuration is interesting enough to change that most users wouldn't notice? DNS settings. And what can you do with DNS hijacking? Create a persistent botnet through chains of XSS proxies. And what can you do with botnets? Steal identities, credit cards, stay anonymous, and attack anything you want from the privacy of some other guy's browser.

    Sorry that I set all of you up for this giant cluestick. But there you have it. Enjoy.

    (*) http://illuminati.coralcdn.org/stats/
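The chain in the comment above turns on one weak link: a router admin form that accepts a password or DNS change from any page the browser happens to have open. The following is an added example, written here from the defender's side and not code from the original post, from Matasano, or from any Linksys firmware. It shows the two checks that break that link on a state-changing endpoint: a same-origin check on the request's Origin (or, failing that, Referer) header, and a per-session synchronizer token that a cross-site page can trigger a request with but cannot read. The device origin, the session shape and the sample requests are all constructed for the example.

```python
"""CSRF defence for a router-style settings endpoint (added example).

A cross-site page can make the victim's browser POST to the router, but it
cannot read the session's CSRF token and cannot forge the Origin header the
browser attaches. Requiring both stops the "change DNS settings silently"
step of the chain described in the comment above.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed LAN-side origin of the device (constructed for the example; a real
# device would derive this from its own configured address).
DEVICE_ORIGIN = "http://192.168.1.1"


@dataclass
class Session:
    """Minimal admin session: one random CSRF token, issued at login."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # Documentation-range address used as the initial DNS setting.
    dns_servers: list[str] = field(default_factory=lambda: ["192.0.2.53"])


def _same_origin(headers: dict) -> bool:
    """Accept only requests that originate from the device's own pages.

    Browsers send Origin on cross-site POSTs, so a request with neither
    Origin nor Referer is refused rather than assumed to be same-site.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == DEVICE_ORIGIN


def authorize_change(session: Session, method: str,
                     headers: dict, form: dict) -> tuple[bool, str]:
    """Gatekeeper for any state-changing admin request.

    Returns (allowed, reason). The reason strings double as audit-log lines.
    """
    if method != "POST":
        return False, "state change via GET refused"
    if not _same_origin(headers):
        return False, "cross-origin request refused"
    supplied = form.get("csrf_token", "").encode()
    expected = session.csrf_token.encode()
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def apply_dns_change(session: Session, method: str,
                     headers: dict, form: dict) -> tuple[bool, str]:
    """Apply a DNS-server change only when authorize_change() allows it."""
    allowed, reason = authorize_change(session, method, headers, form)
    if allowed:
        session.dns_servers = [s.strip() for s in form["dns"].split(",")]
    return allowed, reason


def run_demo() -> list[str]:
    """Replay four constructed requests and return the gatekeeper's verdicts."""
    session = Session()
    attempts = [
        # 1. Legitimate change submitted from the device's own settings page.
        ("POST", {"Origin": DEVICE_ORIGIN},
         {"csrf_token": session.csrf_token, "dns": "192.0.2.53, 192.0.2.54"}),
        # 2. Forged POST from a third-party page: browser attaches its Origin.
        ("POST", {"Origin": "http://attacker.example"},
         {"dns": "198.51.100.1"}),
        # 3. Forged POST with Origin and Referer stripped entirely.
        ("POST", {}, {"dns": "198.51.100.1"}),
        # 4. Correct origin but a guessed token (e.g. replayed from another
        #    session); the constant-time check rejects it.
        ("POST", {"Origin": DEVICE_ORIGIN},
         {"csrf_token": "guess", "dns": "198.51.100.1"}),
    ]
    verdicts = [apply_dns_change(session, m, h, f)[1] for m, h, f in attempts]
    # Only the first attempt should have reached the configuration.
    assert session.dns_servers == ["192.0.2.53", "192.0.2.54"]
    return verdicts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The Referer fallback is deliberately the weaker path: it exists for older clients that omit Origin, and a deployment that only ever sees modern browsers can drop it and treat a missing Origin as cross-site. The token check remains necessary even with the origin check, because the origin check alone does nothing against a script already running in a same-origin page (the XSS case the comment also raises).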

    @dre

    Actually, I did read the presentation/interview with Barnaby, but thanks for assuming. Please tell me why we need to be 'more' scared over handheld platform security now that there's a new public way to exploit NULL ptr derefs on certain architectures? The biggest nightmare with these devices has been, and will continue to be, data leakage by slow-witted employees, not NULL ptr derefs.

    "Please tell me why we need to be 'more' scared over hand held platforms security now that theres a new public way to exploit NULL ptr derefs on certain architectures?"

    We shouldn't; I was joking: "Ok I am kidding. Nobody with a brain (see: intelligent adversary) attacks platforms anymore". Intelligent adversaries are going to come up with much better ideas to create and maintain botnets. They don't need to own the platform. All they need is control of a client-side application, or at least a small part of it (e.g. MHTML, JavaScript, et al.) and a way to ensure continual re-injection.

    Actually, the iPhone could be a huge security risk... Since you can't run middleware applications on it, you *have* to have a world-facing server if you want to make a "webapp" that accesses company data. And from all appearances, the iPhone doesn't support VPN so you cannot restrict said world-facing server to specific IPs on the local network.

    So the issue is that if companies make such webapps, how do they properly restrict the access?

    I had the same thought when Jon Gruber posted a comment saying that "of course corporate users can tunnel their mail through Yahoo Mail". I presume no PGP support for the iPhone is forthcoming.

    BTW - my list, though I agree it may come off sounding a little far-fetched, is actually just a subset of the security features of a RIM device... yes, even including the "electromagnetic analysis countermeasures".

    I didn't make it up, it's really in their PDF... seriously, I'm not really that much of a staunch bastard trying to pick on Apple.

    I also found it interesting that an eWeek reporter got MS to answer the questions WRT Windows Mobile.

    http://www.eweek.com/article2/0,1895,2149610,00...

    Mate.
    Take a deep breath, relax and sit down.

    Policies are written these days to be very broad, taking the stance of stating what's allowed and explicitly denying everything else.

    In a controlled environment the iPhone should not pose any great threats that haven't been mentioned in the last couple of years.

    Haha, it is interesting that you refer back to Furbys. We had this very problem in an office where I was stationed with the USAF years ago, before I arrived. They were removed because one day some personnel came to the office and they were talking about project/financial data to each other (about 12 of them).

    Anyways, regarding the iPhone security hype, I would have to agree, and I think SpaceRogue summed it up in his articles last year, http://www.spacerogue.net/wordpress/?p=35 and http://www.spacerogue.net/wordpress/?p=36 . Keep writing!
