iPhone Security Myths Busted

I know what your thinking, “Not more iPhone! Enough Already!” yeah, I know me to, but seriously there is just to much FUD floating around out there. FUD from reputable places such as Gartner. Well, OK maybe not that reputable but people still listen to them for some reason. They released a white paper last week telling IT Managers to avoid iPhone because it is insecure. What a load of rubbish.

The big complaints seem to be USB, IMAP and WiFi. Actuallly there is a lot more FUD floating around other than just that but I’m just going to focus on the security complaints.

Evidently the fear with USB is two fold, one that users can steal company secrets and two that users will fill up their machines with iTunes music. USB thumb drives and MP3 players have been around for, I don’t know, a long time now. USB mass storage devices can be disabled on both Windows and MacOS. If your IT department hasn’t figure out that these are threats by now you have much bigger problems than an iPhone.

For some reason WiFi is suddenly a new threat, or I guess it is only a threat when it is integrated into iPhone. How is this any different than a WiFi enabled laptop? As long as iPhone supports standard encryption protocols like WPA it is no better or worse off than a roaming laptop, at least for protecting your data in transit over the airwaves. For data stored on the device that is another issue. It is unknown if iPhone has a firewall of any sort to protect it from WiFi attacts. However, considering that iPhone is based on OSX which has a firewall built-in it is a pretty good bet that iPhone will have one as well.

OK, so now we have proper mass storage device controls in place, we have encrypted our WiFi and turned on the firewall what else could possibly be an issue? What’s that? email you say? Simple IMAP? IMAP is a security issue? Since when? Oh, I see your just so used to using MS Exchange and RIMs Blackberry Enterprise server you don’t know how to use anything else. Oh, by the way, MS Exchange supports IMAP. Of course you don’t get all the funky features with IMAP that you get with Exchange/Blackberry like being able to revoke all of a users email when you fire them. I suspect Apple will have some interesting iPhone features inside of Mac OSX.5 Leapord later this year.

About the only security questions I have with iPhone is wether or not it supports IMAP over SSL. or IMAPS. Considering that the iPhone has Safari built in I suspect that support for SSL will be included.

There are even some security features that will probably be in iPhone that haven’t been announced yet. Quick and easy firmware updates. You probably didn’t even realize it but iTunes will update your iPod firmware automagically with just the click of a button. It will be just the same with iPhone. If a problem develops Apple will just release a firmware patch that will automagicallly get applied the next time the user syncs. When was the last time you updated the firmware on your cell phone? Ever try to even look for a firmware update for your phone?

iPhone will run a modified version of OSX. That will likely include some form of FileVault, Apple’s encryption technology for user files. Thats right, encryption built right in. This hasn’t been announced and it might not be in there, but if the technology and the code already exist why not put it in?

iPhone looks to be just about as secure or even more so (no propritary and closed backend) than a Balckberry, Treo, or Blackjack. Everyone saying otherwise is either a paid MS schill, astroturfing, or just plain idiots.

Anti-Forensic Tools Evolving

Interesting article over at CIO about the current state of anti-forensic software. It talks about specific tools like Timestomp, Slacker, Sam Juicer, Data Mule and others whose sole goal in life is to frustrate the forensic analyzer and make it difficult for forensic tools like EnCase and others used by law enforcement. After reading this article you have to wonder if it is just a matter of bad guys (hax0rs) versus good guys (the p0-p0) or is it really just hacking tool versus forensic tool. A subtle but hugely important distinction.
Lets face it, most so called ‘hax0rs’ are nothing more than push button script kiddies running prepackaged tools against known vulnerabilities. Most forensic analysts spend $5,000 or so for a week long ‘ethical hacking’ course that teaches them how to be push button script kiddies running prepackaged tools against the afore mentioned script kiddies. He with the best tools wins. Which makes this really about the push button tools and not the hax0rs or the p0-p0.
The tools will obviously continue to evolve and one-up each other and the ‘hax0rs’ and the ‘experts’ will continue to push buttons. While the real hackers, researchers and analyzers will keep advancing the state of the art. (Personally I am waiting for that file system built inside the swap space.)