A significant cottage industry has sprung up among experts debating whether Apple's iPhone should be sanctioned by IT departments for use in the enterprise. Last week, various sites and publications -- including internetnews.com -- reported that the first hack has arrived.
The US Computer Emergency Response Team (US-CERT) issued a warning that a bogus upgrade is wending its way around the Internet. "iPhone firmware 1.1.3 prep" claims to be a necessary precursor for 1.1.3 firmware. The bottom line is that the Trojan can overwrite some utilities but that it isn't too dangerous.
The fact that this Trojan is more nuisance than threat is only marginally good news. It's possible this is a proof-of-concept exploit. Crackers often engage in what in essence are dry runs to prove that an attack is viable. The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future.
It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool. Security plays into two of them. iPhones don't encrypt, she says. She implies that the device lacks the IT controls to compel users to create passwords. Devices that go missing are a serious problem, the writer says, because they can't be locked (made into iPaperweights) or remotely wiped clean of data.
People are paying more attention to iPhone security. The SANS Institute has released the top potential threats for 2008. Number four on the list (though it isn't clear if the results are listed in order of importance) are threats against mobile phones. The organization singles out two platforms -- Android and the iPhone -- as particularly attractive targets. The rationale is already familiar: Mobile phones are getting more powerful and popular, so they will attract hackers and crackers.
This is a frightening story about iPhone security. Fast Company retained a UNIX specialist to try to hack the phone. The consultant used Metasploit, a well known program, to take complete control of the phone. (A link to a scary video is included.) This can be done remotely -- over Wi-Fi or Enhanced Data rates for GSM Evolution (EDGE) -- or if the cracker has physical access to the machine. The story makes the point that the iPhone is particularly vulnerable because all the applications run as root, which means hacking any applications provides access to the entire device. The story suggests that the company may have taken this dangerous shortcut because it was rushing to get the phone on the market.
This ComputerWorld story isn't about iPhone security -- exactly. But it's close. The running battle between iPhone hackers and Apple is over whether the phone will remain locked -- usable only on AT&T's network -- and unable to run third party applications against Apple's wishes. The hackers devise ways to unlock the phones and use the apps, and Apple releases an update to squelch the initiatives. Indeed, the 1.1.3 prep hack attempts to exploit one such update. The point is that this parry and thrust ensures that a tremendous number of smart people, many of whom aren't necessarily averse to breaking the rules, are working extensively with the iPhone. It is hard to image that they are not learning a lot about how to break into the devices.