IPhone security: Nightmare for IT or no big deal?

IPhone security: Nightmare for IT or no big deal?

Apple Inc.'s iPhone will prove to be a security nightmare to corporate IT when it debuts Friday. Or it may fuel a surge in mobile malware. Or it won't change the security landscape one whit. Take your pick, said security researchers and analysts today.

With details still unclear -- Apple has said next to nothing about iPhone security -- it's no wonder that the device's vulnerabilities are in the eye of the beholder, even if those beholders are professionals who make their living researching vulnerabilities and blocking exploits.

"It's a nightmare for security teams," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What I'm afraid of is that enterprises are going to get pressure from, say, sales, to bring this in. And even if it's not approved, people will try to connect it to their corporate networks. It has no place in the enterprise."

Storm's problem with the iPhone stems from the lack of a security management tool that could enforce company policies about which devices connect to the network and when. "There are no central management tools. If there was a product that integrated with [Mac] OS X Server, it would be a totally different story," said Storms. "Apple has been quiet about enterprise security, so we have to expect and plan for the worst."

Neel Mehta, team lead for Internet Security Systems Inc.'s advanced research group, agreed -- up to a point.

"All the press around the iPhone makes it a very enticing target for hackers," said Mehta, who has forecast malware aimed at the new device will be developed in the near future. "The fact that it runs Mac OS X means that there is a good possibility that vulnerabilities found on the OS will also affect the iPhone. [Hackers] may be able to port the hacks they find on one to the other."

But Mehta also said he sees an upside to iPhone security. One likely boon: the omission of an software developer's kit for the phone. The decision to forgo an SDK and instead force application writers to deliver software and services through the embedded Safari browser may have disappointed developers, but it got a thumbs-up from Mehta.

"The lack of an SDK will limit the development of viruses and worms," he argued. "Without one, it's going to be very challenging [for anyone] to run any software on the iPhone."

And even if malware authors manage to overcome the difficulty, Mehta doesn't expect the iPhone's world to come crashing down -- at least not right away. "I think we'll begin to see attempted exploits, if they do appear, very quickly after the iPhone launch," he said. "It will probably be more attractive as a research target than an exploit target, because the market share just won't be comparable to other platforms for a long time to come."

David Goldsmith, one of the principals at security consultancy Matasano Security, and a co-founder of @stake Inc., downplayed potential iPhone security issues even more so than Mehta. There are much more important things to worry about, he said.

"If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don't spend too much time on the iPhone," Goldsmith said in a posting to the Matasano blog last week. "Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers' personal financial information and stolen laptops."

Exactly, agreed Andrew Jaquith, an analyst with the Yankee Group Research Inc. Calling Storms' nightmare scenario "scare-mongering," Jaquith went on to say that "Andrew misses the broader point that consumer technologies are invading the enterprise. Instead of getting IT groups riled up over issues that frankly haven't been solved by any device, no matter how 'enterprise grade' it might be, he would be better served thinking about how to accommodate the iPhone."

Storms wouldn't go that far, but he did acknowledge that fighting the iPhone could be futile. "Enterprises have to get ahead of it," he said. "Remind users that it's not approved, but let people know that you're going to continue to look at it."

Mehta, more in line with Jaquith's advice, said a ban wouldn't work. "The iPhone poses the same risks as any other device connected to the network. It's going to be very hard to control [who uses it], so the best thing to do is take the defense-in-depth approach."

They're all just whistling in the dark for now, of course, and unless Apple spills more security details between now and Friday, that's the way it will remain for the week -- which is what drove Jaquith to the edge.

"Stating that, sight unseen, the iPhone has 'no place in the enterprise?' Give me a break."

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.



Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments