Patching is too important to be neglected
The iPhone may be the must-have gadget of the moment, but it also offers a whole new attack platform.
Apple has a long and interesting history in the computer business. In their early years, Apple computers were works of technical wizardry. I still remember alternating between complete confusion and awestruck admiration when repairing the original Apple II machines.
Then came the more familiar Macintosh systems, evolved from the earlier Lisa, offering a groundbreaking level of user friendliness. Yes, Xerox was there first, but not in the consumer market. Apple gave Microsoft a good kick up the backside and into the world of Windows, for better or worse.
In recent years, Apple has combined the techie appeal of Unix with the "ooh, nice" look-and-feel graphical world, the result being OSX. Apple's skill at combining technology with good design is evident from the moment you open one of their boxes; no other vendor seems to inspire its customers to upload photo sequences of the unboxing process.
The latest release from Apple, the iPhone, is set to give the mobile phone industry the same sort of kick. The user interface is both beautiful and functional, and is a real step away from the traditional clunkiness associated with small devices. The iPhone is one of those classic products with an immediate visceral appeal, and its technology is almost as appealing as its glossy styling. Like OSX, it appeals to both the hardcore techie and the computer novice alike.
From a security perspective the prospect of a fully functioning Unix-based phone is appealing. Offering that rare combination of style and technical capabilities, the iPhone will be top of the Christmas list for many security professionals. There are already moves to port the Metasploit toolkit to the iPhone and its phoneless cousin, the iPod Touch. Penetration testers are no doubt working on business cases through the night.
There is, of course, a downside. For a product with such a sophisticated front end there are some strange design choices underneath, particularly from a security standpoint. First, everything runs as root, the Unix superuser, with unrestricted access to the system. This is a bit like going back to the days of Windows 95; argue all you like about the security of Unix versus Windows, but if you have administrator access in either, all bets are off.
Then there's the rather poor quality control of the released software build. Hackers have rejoiced in Apple's use of a version of a graphics library with a one-year old vulnerability, as it has allowed them to "unlock" the iPhone and install their own applications.
But the same bug could be used for malicious purposes. This wouldn't be quite so bad if it were a one-off, but the furore at the recent BlackHat conference involved a similar flaw in one of the libraries used by the Safari web browser. Apple seems to be somewhat slow at upgrading its software components in OSX too, see tinyurl.com/2nsbk5 for full details.
It has been suggested that leaving in such backdoors was a deliberate act to allow third-party software. This theory doesn't withstand much scrutiny. Apple has no particular need to lock out third parties from the main software build. If it genuinely wanted to allow access to other developers, there would be no need to be covert about it.
Locking out applications from other sources also prevents security software vendors from adding protection. Apple is now backpedaling and talking about a software development kit for early next year, ironically citing security concerns as the reason for the delay. Product release first, security concerns later. Hardly reassuring.
The iPhone seems sure to be a commercial success, which means that soon there will be thousands of Unix boxes sat in the pockets of security-naive users. All the more reason to err on the side of paranoia for the device's security, but unfortunately the opposite seems to be true.
The combination of a sophisticated Unix platform and the revenue-generating potential of a mobile phone is no doubt tempting many malware authors. Still, it remains to be seen how long I can resist buying one ...
- Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org.