iPhone: Security Predators Salivating
Jul 9, 2007 9:08 AM PT
In the week or so since the iPhone has been on the market, hackers have
- discovered the root password for the device, which is "Alpine";
- found another password for the mobile user account, which is "Dottie"; and
- posted a workaround to the AT&T activation, so new owners can bypass AT&T's fees -- although they also bypass AT&T's wireless connectivity, turning their new device into the world's most expensive iPod.
The workaround, provided courtesy of "DVD Jon" is, at worst, a nuisance for AT&T and Apple. The discovery of the two passwords, which cannot be changed since they are hard-coded into the machine, is a more serious matter.
"Once hackers are able to dissect the firmware, they can come up will all kinds of avenues to get to the iPhone's kernel," Paul Henry, vice president of technology evangelism for Secure Computing, told MacNewsWorld.
Having the firmware posted online is a definite setback, Neel Mehta, team lead of the advanced research group at IBM's Internet Security Systems, told MacNewsWorld.
Also, prior to its release, no one knew what the iPhone's CPU (central processing unit) would be.
"There were guesses that it might be an Intel s86," Mehta said.
It turned out to be an ARM architecture, which is a departure from previous computing systems typically used by Apple, he said.
No Better, No Worse
That's the bad news. The good news, the consensus appears to be, is that despite those revelations, the iPhone is probably more secure than other smartphones on the market -- if for no other reason than it is still relatively new.
The risk trajectory, though, can be expected to rapidly increase over the coming weeks and months, although the damage will be limited because mobile malware is still too clunky to be deployed in a widespread fashion.
It is the ultimate irony, though, that the iPhone's introduction and wild popularity may well be leading mobile computing to the point where malware can spread far more easily.
In the Near Term
Another irony is that as that day approaches, smartphone users, in general, may have developed permanently deaf ears toward the dangers.
Over the next several weeks and months, security experts are bracing for a wave of exploits targeting the iPhone. These will be imaginative, inventive and largely benign. They will also be grossly overhyped, most expect, because of the iPhone's rock star status.
This spotlighting of risk is not necessarily a bad thing, assuming it doesn't drive iPhone users to tune out security news, said Lorcan Burke, CEO of AdaptiveMobile.
"I think security issues for smartphones and mobile users have been swept under the rug or ignored too much. By broadcasting potential threats against the iPhone it could bring greater awareness to mobile users," he told MacNewsWorld.
Bigger Spotlight, Bigger Crowd?
Burke expects to see more exploits like DVD Jon's make headlines in the coming weeks. "Bragging rights will be huge for the iPhone," he said.
Soon, though, the criminal enterprises will follow, just as they did with Internet-related activity.
"The biggest threat to the iPhone right now is its popularity," Mehta concludes. "Everyone -- for their own reasons or goals -- will be looking for security flaws."
A Mini-Computing Environment
Real risk to users will start to climb the longer the iPhone is on the market. Hackers -- both kiddie scripters and serious criminal enterprises -- will not be able to resist the iPhone's growing ecosystem, according to Mark Sunner, chief security analyst at MessageLabs.
"It is why there are so many more viruses targeting Windows, after all, than the Mac," he told MacNewsWorld. "It is quite telling that now that the iPod generation has come into the workforce, the number of threats against Mac OS X is increasing."
It is that ecosystem -- along with the fact that smartphones are finally moving toward a true, mini-computing environment -- that poses the greatest risk to users.
"The reason mobile malware has not occurred as much as had previously been expected is because the functionality available on phones has been very crude," Sunner said. "Now, though, it is getting to the point where phones are mini PCs -- and with that development comes increased vulnerability."
"My big concern is the data that is residing on these phones," Henry noted. "Most people have learned to be security-conscious with their computers, but they don't follow the same practices with their phones."
A mobile environment that is now conducive to a rapidly spreading virus, lax safety habits and a data-rich potential harvest -- some CEOs store information about upcoming earnings or other sensitive information on their smartphones -- can translate into disaster, he said.
"It certainly is a malware writer's dream, whether you own an iPhone or not."