http://news.com.com/2008-1029_3-6193430.html?part=rss&tag=2547-1_3-0-5&subj=news
Few people standing in line to buy an iPhone Friday will be focusing on the security of Apple's new phone. But some influential security researchers already have given the matter lots of thought.
Take Neel Mehta, a security expert at IBM's Internet Security Systems, which typically focuses on perimeter security for large corporations.
Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder."
Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.
In advance of iPhone's release, CNET News.com spoke to Mehta about the pros and cons of iPhone security.
Q: What is the biggest security threat to the iPhone?
Mehta: The number of eyes that will be drawn to the iPhone platform itself and all the applications that run on it, that's probably the biggest security risk for the iPhone itself in that it will be undergoing a tremendous amount of scrutiny, probably more so than any of these applications have seen before. In the end, we'll get a better understanding of how secure the entire code base is and how these applications withstand thousands of eyes looking at them.
Do you think some early adopters will be targeted by criminals online? Early iPhone users by definition are going to be wealthier than the average person. And for a criminal, there's bound to be payoff in stealing the personal data of someone like that.
Mehta: The people who are going to buy (the iPhone) are the people who have $500 to spend on a smart phone and are fairly technology savvy as well. Again, it's a phone and its also, from my understanding, being marketed in a consumer space, and has features that are much more attractive to consumers instead of businesses in terms of the ability to download and play media of all different types on it, and so on.
The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have to a completely secure code base.
So businesses will likely have employees that use it, but in terms of sanctioned IT use within an enterprise environment it's probably not going to be that common. It's always possible that there will be attackers who will launch sophisticated attacks against someone with an iPhone, but there are a lot of other mobile devices that are much more common within an enterprise environment, such as the BlackBerry for example, that are more interesting targets--at least in the short term.
You mentioned that the iPhone's being marketed as a consumer phone. That means there will be a lot of media-rich applications preinstalled. How will that affect the overall security of the device?
Mehta: You can look at it as a portable computing device, more so than any other mobile phone, in its traditional sense, so it is going to have to understand many different types of multimedia formats. It will be able to play audio, video, pull that content off the wireless network, or off a PC that it's connected to. It will also understand e-mail. It will contain, possibly, a full-featured version of Mac OS X, and so the complexity of the device makes it more challenging to secure.
We're seeing this with all the different smart-phone platforms--as they become more complex, have more features built into them, they also have more opportunities for hackers to break into them. The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have a completely secure code base?And so we'll likely see the need for updates for the iPhone as flaws are discovered.
Speaking of flaws, there have been a few exploits developed recently for Mac OS X vulnerabilities. Mac OS X is based on Unix. Isn't it likely, with the increased interest in Mac OS, that someone will start porting over existing Unix exploits and trying them against the Mac?
Mehta: Mac is based off or derived from BSD Unix. The OS X that's running on iPhone will most likely be derived from the same original code base. But, the one thing that will probably be a huge factor in how easy it is to port exploits over is the processor that's in the phone. At the moment we don't know for sure what that processor will be. If it's an Intel-based processor, then it will be very similar to the current generation of Mac computers. There probably won't be that much difficulty for attackers to port exploits from existing Mac platforms over to the iPhone.
But if it turns out to be an ARM processor, for example, that's different. ARM has the biggest share of the processor market for mobile devices. That may be something a little bit new for the people who have been writing exploits for the Unix environment or for the Mac computing devices. If there's a change in processor architecture, it may take them a little bit of time. It's something that attackers who are determined will overcome. I think that Apple has been very tight-lipped about the underlying processor that will be running on the iPhone. I suspect that we will find out on Friday. Before then we're just guessing.
Few people standing in line to buy an iPhone Friday will be focusing on the security of Apple's new phone. But some influential security researchers already have given the matter lots of thought.
Take Neel Mehta, a security expert at IBM's Internet Security Systems, which typically focuses on perimeter security for large corporations.
Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder."
Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.
In advance of iPhone's release, CNET News.com spoke to Mehta about the pros and cons of iPhone security.
Q: What is the biggest security threat to the iPhone?
Mehta: The number of eyes that will be drawn to the iPhone platform itself and all the applications that run on it, that's probably the biggest security risk for the iPhone itself in that it will be undergoing a tremendous amount of scrutiny, probably more so than any of these applications have seen before. In the end, we'll get a better understanding of how secure the entire code base is and how these applications withstand thousands of eyes looking at them.
Do you think some early adopters will be targeted by criminals online? Early iPhone users by definition are going to be wealthier than the average person. And for a criminal, there's bound to be payoff in stealing the personal data of someone like that.
Mehta: The people who are going to buy (the iPhone) are the people who have $500 to spend on a smart phone and are fairly technology savvy as well. Again, it's a phone and its also, from my understanding, being marketed in a consumer space, and has features that are much more attractive to consumers instead of businesses in terms of the ability to download and play media of all different types on it, and so on.
The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have to a completely secure code base.
So businesses will likely have employees that use it, but in terms of sanctioned IT use within an enterprise environment it's probably not going to be that common. It's always possible that there will be attackers who will launch sophisticated attacks against someone with an iPhone, but there are a lot of other mobile devices that are much more common within an enterprise environment, such as the BlackBerry for example, that are more interesting targets--at least in the short term.
You mentioned that the iPhone's being marketed as a consumer phone. That means there will be a lot of media-rich applications preinstalled. How will that affect the overall security of the device?
Mehta: You can look at it as a portable computing device, more so than any other mobile phone, in its traditional sense, so it is going to have to understand many different types of multimedia formats. It will be able to play audio, video, pull that content off the wireless network, or off a PC that it's connected to. It will also understand e-mail. It will contain, possibly, a full-featured version of Mac OS X, and so the complexity of the device makes it more challenging to secure.
We're seeing this with all the different smart-phone platforms--as they become more complex, have more features built into them, they also have more opportunities for hackers to break into them. The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have a completely secure code base?And so we'll likely see the need for updates for the iPhone as flaws are discovered.
Speaking of flaws, there have been a few exploits developed recently for Mac OS X vulnerabilities. Mac OS X is based on Unix. Isn't it likely, with the increased interest in Mac OS, that someone will start porting over existing Unix exploits and trying them against the Mac?
Mehta: Mac is based off or derived from BSD Unix. The OS X that's running on iPhone will most likely be derived from the same original code base. But, the one thing that will probably be a huge factor in how easy it is to port exploits over is the processor that's in the phone. At the moment we don't know for sure what that processor will be. If it's an Intel-based processor, then it will be very similar to the current generation of Mac computers. There probably won't be that much difficulty for attackers to port exploits from existing Mac platforms over to the iPhone.
But if it turns out to be an ARM processor, for example, that's different. ARM has the biggest share of the processor market for mobile devices. That may be something a little bit new for the people who have been writing exploits for the Unix environment or for the Mac computing devices. If there's a change in processor architecture, it may take them a little bit of time. It's something that attackers who are determined will overcome. I think that Apple has been very tight-lipped about the underlying processor that will be running on the iPhone. I suspect that we will find out on Friday. Before then we're just guessing.