Mobile Security: Why I Still Want an IPad, IPhone
Everything I've learned about mobile security tells me it's bad to use the consumer-based technology for work. That's where all the bad stuff comes from. That includes devices like the iPhone and iPad.
The Apple Army, a group of people that reminds me of a more fanatical, less forgiving version of the KISS Army (even the KISS Army will tell you the band's disco album should be burned) will tell you Apple products are superior to all the rest from a security standpoint. Apple products don't get malware infections and users need not worry about their data falling into evil hands, the Apple Army tells me. That stuff only happens in the Windows universe.
But I've seen enough from the security research community to know better.
The most sobering example for me, perhaps, came from Trevor Hawthorn, founder and managing principal at Stratum Security, who shared research on the iPhone's weaknesses at the most recent ShmooCon security conference.
He demonstrated, for example, how the bad guys could exploit security holes (since fixed) in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store. For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.
"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.
There are the recent warnings I've heard about the iPad, including this from Forrester Research's CSO blog:
"Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN Transaction Security Guidelines? There are so many things consumers should know about the security of these new methods of payments before they allow their credit card to be captured by an iPad or iPhone."
And then there's the fact that bad things have already happened, most notably the case -- now under investigation by the FBI -- where hackers from a group called Goatse obtained the e-mail addresses of an estimated 114,000 Apple iPad users by uncovering a Web application on AT&T's Web site that returned an iPad user's e-mail address when it was sent specially written queries. As my colleague Robert McMillan wrote, after writing an automated script to repeatedly query the site, they downloaded the addresses and then handed them over to Gawker.com.
Here's the thing:
Despite all this bad stuff, I want an iPhone and maybe an iPad later on. And I want them so I can work more efficiently. It's what security experts might call a classic case of choosing usability over security.
Guilty as charged, assuming I WILL be charged by some of my friends in the industry.
I'm drawn to the ability to drag images around on a small screen with my finger and access work-related websites that will show up in a much more easy to read fashion than they do on my BlackBerry Curve. Since I travel to a lot of security conferences, I'm smitten with the idea of leaving my clunky laptop behind and writing off of more light-weight devices. I've heard that the touch-screen keypad is still not ready for prime time in that regard, but I think they will be sooner rather than later.
But those security issues: Oh, those security issues.
Does my craving for these consumer toys make me a hypocrite? I've written quite a bit about the security dangers of smartphones and mobile devices in general, after all.
Perhaps. But I've also learned something else about security over the years.
As buggy as these devices may be, security incidents are always about more than just the vulnerabilities the attackers exploited.
There's always the part about the corporate IT network that was so badly configured the bad guys could easily take advantage of them even without all those software holes. And there are the users who cause problems even on fully patched, ironclad machines because they so easily fall for social engineering tricks. [You can see some examples in Social engineering techniques: 4 ways criminal outsiders get inside.]
Surely, I've learned enough from the leaders of information security to avoid the social engineering traps, at least.
I hope so.
Because I want an iPhone. And an iPad.
In the interest of gaining the full understanding of what I'm dealing with, I've been asking experts for their thoughts on whether it's possible to use these devices securely in the enterprise. I'm getting a lot of mixed responses. But one thing everyone agrees on is that companies can't ban these devices forever. It's like social networking. It's become too big to avoid. So companies may as well figure out how to use them safely.
I'll be writing that article next week. In the meantime, feel free to shoot me some feedback at firstname.lastname@example.org or BillBrenner70 on Twitter. If you think I'm out of my mind, tell me so. I can take it.