Staff pleas to roll out iPhones for remote email should be resisted. Apple's flagship is not yet robust enough.
Apple products have a reputation for being more secure than those from Microsoft. This has to be an urban myth, perpetuated by the mavens who rave on about their cool Apple kit.
Granted, the integration of Apple hardware with the operating system and applications is phenomenal, but this doesn't make them any more secure, and Joe Public is lulled into a false sense of security. Fifty vulnerabilities patched in a roll-up released on 16 February underline this. Even worse, Apple has done a spectacular job of ignoring a number of researchers who submitted new vulnerabilities privately. In some cases, it took seven months to deliver a patch. Talk about zero day.
IT managers are being nagged by gadget-hungry staff to roll out iPhones for remote email. Great bit of kit, but it is by no means ready for adoption by corporates just yet. BlackBerry and Windows Mobile devices have their problems, but their security model is far more robust and manageable.
The BlackBerry has even been approved by CESG for use in government environments containing protectively marked material. That's no mean feat.
Our team of over 100 gadget-mad penetration testers has been pulling apart iPhones for a while, but it was one of the simplest issues that shocked me most. Consider the following – it doesn't even count as a “vulnerability”.
In the UK, O2 gives iPhones free access to BT OpenZone wireless access points. That is logical: it costs O2 less to carry data over WiFi than over 3G. The wireless client on the iPhone, like the one in Windows, remembers that network and actively probes for its SSID whenever WiFi is enabled. Hence many iPhones are constantly sending probe requests for the OpenZone SSID, and probe requests are unencrypted management frames that anyone with a wireless card in monitor mode can see.
Using a tool such as Karma, which answers any probe request with a matching probe response and beacon, you can impersonate an OpenZone access point in the vicinity of the iPhone, and the handset joins it blindly. If it is being used for Exchange email, the iPhone will then try to connect to the OMA web server over SSL.
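The probing behaviour that Karma relies on is easy to observe for yourself. The following is an added example, not code from the original column or from Karma: it parses raw 802.11 probe-request frames as a monitor-mode capture delivers them (radiotap header, then the management frame and its tagged parameters) and reports which SSIDs each client is asking for. The sample frames and client MAC addresses are constructed inline, and the SSID "BTOpenzone" is an assumption for the example rather than a value taken from a capture.

```python
"""Spot clients that are probing for a remembered SSID.

Parses raw 802.11 probe-request frames (radiotap-encapsulated, as a
monitor-mode capture would deliver them) and reports which SSIDs each
client is looking for. All sample frames below are constructed for this
example; the SSID "BTOpenzone" is assumed, not taken from a capture.
"""
import struct

PROBE_REQUEST = (0, 4)   # 802.11 type 0 (management), subtype 4
TAG_SSID = 0


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _strip_radiotap(frame):
    """Return the 802.11 frame that follows the radiotap header."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a radiotap frame")
    hdr_len = struct.unpack_from("<H", frame, 2)[0]   # little-endian length
    return frame[hdr_len:]


def _parse_tags(body):
    """Decode the tagged parameters (id, length, value) into {id: [values]}."""
    tags = {}
    i = 0
    while i + 2 <= len(body):
        tag_id, tag_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + tag_len]
        if len(value) < tag_len:    # truncated frame: stop rather than misread
            break
        tags.setdefault(tag_id, []).append(value)
        i += 2 + tag_len
    return tags


def parse_probe_request(frame):
    """Return {'src': mac, 'ssid': str} for a probe request, else None.

    An empty ssid is a wildcard (broadcast) probe; a non-empty one is a
    directed probe for a network the client remembers.
    """
    dot11 = _strip_radiotap(frame)
    if len(dot11) < 24:
        return None
    fc0 = dot11[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if (ftype, subtype) != PROBE_REQUEST:
        return None
    src = _mac(dot11[10:16])          # Address 2 = transmitter (the client)
    tags = _parse_tags(dot11[24:])    # assumes the capture has no trailing FCS
    ssid_tag = tags.get(TAG_SSID, [b""])[0]
    return {"src": src, "ssid": ssid_tag.decode("utf-8", "replace")}


def probing_clients(frames):
    """Map each SSID to the sorted list of client MACs probing for it."""
    seen = {}
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is not None:
            seen.setdefault(probe["ssid"], set()).add(probe["src"])
    return {ssid: sorted(macs) for ssid, macs in seen.items()}


# --- constructed sample frames (not from a real capture) -------------------
RADIOTAP = bytes([0, 0, 8, 0, 0, 0, 0, 0])      # version 0, length 8, no fields
BCAST = b"\xff" * 6


def _probe_request(src, ssid):
    header = bytes([0x40, 0x00, 0, 0]) + BCAST + src + BCAST + b"\x00\x00"
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x02, 0x04, 0x0b, 0x16])
    return RADIOTAP + header + tags


def _beacon(bssid, ssid):
    header = bytes([0x80, 0x00, 0, 0]) + BCAST + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x01\x04"   # timestamp, interval, capabilities
    return RADIOTAP + header + fixed + bytes([TAG_SSID, len(ssid)]) + ssid


SAMPLE_FRAMES = [
    _probe_request(b"\x02\x00\x00\x00\x00\x01", b"BTOpenzone"),
    _probe_request(b"\x02\x00\x00\x00\x00\x02", b"BTOpenzone"),
    _beacon(b"\x02\x00\x00\x00\x00\xaa", b"CoffeeShop"),     # not a probe: ignored
    _probe_request(b"\x02\x00\x00\x00\x00\x03", b""),        # wildcard probe
    _probe_request(b"\x02\x00\x00\x00\x00\x02", b"HomeNet"),
]

if __name__ == "__main__":
    for ssid, macs in probing_clients(SAMPLE_FRAMES).items():
        print(f"{ssid or '<wildcard>'}: {', '.join(macs)}")
```

Directed probes are the ones that matter: a client sending them is announcing exactly which network name a rogue access point needs to advertise. The same parser, pointed at a live capture, gives a wireless IDS the list of clients that would walk into such an access point.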
Once you control the access point, you can run a man-in-the-middle (MITM) attack: intercept the SSL connection, present a forged certificate to the iPhone and relay the traffic on to the real server.
Here's the problem: the alert on the handset about the invalid certificate is so weak (a bare accept/cancel prompt) that the majority of users will simply accept. The iPhone then sends you its email credentials; in the case of Exchange sync, those are the user's domain credentials.
All of this happens because the SSL certificate alert is poor. Compare the popular web browsers: IE strongly advises against accepting an invalid certificate, and Firefox makes it harder still. Yet the iPhone makes it comically easy for a non-tech-savvy user to hand a hacker their domain credentials.
Worse still, the accepted certificate is cached permanently, so future attacks on that phone generate no alert at all. Nor is there any opportunity to inspect the certificate before accepting it.
The forged certificate can also be populated with the real host's details (hostname, organisation and so on) during the MITM attack, so it looks even more legitimate to the user. Those fields are entirely under the attacker's control; only the missing chain to a trusted issuer gives the forgery away, and that is precisely what the handset does not show.
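For contrast, this is how a mail client should treat the server certificate. It is an added example written for this page, not the handset's code or anything from Apple: a strict TLS client context that verifies the chain and hostname, the permissive context that is the programmatic equivalent of tapping "accept", and a per-host pin store that only remembers a certificate after it has passed validation and reports a change instead of silently accepting it. The hostname owa.example.test and the two "certificate" byte strings are constructed placeholders, and connect_and_check is a hypothetical helper showing where the check sits in a real connection.

```python
"""How a mail client should treat the server certificate.

Added example (not the handset's code): a strict TLS client context,
the permissive one that mirrors tapping 'accept', and a pin store that
only remembers a certificate after it passed chain and hostname checks
and flags a change instead of silently accepting it. The DER blobs in
the demo are constructed placeholders, not real certificates.
"""
import hashlib
import socket
import ssl


def strict_client_context(cafile=None):
    """Verify the chain against trusted roots and check the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_client_context():
    """The anti-pattern: any certificate is accepted, so a MITM is invisible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-host SHA-256 pin of the last certificate that validated.

    Verdicts: 'reject' (chain or hostname check failed: never cached),
    'pinned' (first validated cert for this host), 'ok' (matches pin),
    'changed' (validated but differs from the pin: surface to the user,
    do not silently replace the pin).
    """

    def __init__(self):
        self.pins = {}

    def evaluate(self, host, cert_der, chain_valid):
        if not chain_valid:
            return "reject"           # an unverifiable cert is never remembered
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return "pinned"
        return "ok" if known == fp else "changed"


def connect_and_check(host, port, store, timeout=10):
    """Hypothetical helper: strict TLS connection followed by the pin check.

    Needs network access; not exercised by the demo below.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    # The handshake already verified chain and hostname, or it would have raised.
    return store.evaluate(host, der, chain_valid=True)


# Constructed placeholders: the legitimate server cert and a forgery carrying
# the same subject name but no trust chain (as in the attack described above).
LEGIT_CERT = b"constructed-legit-cert CN=owa.example.test"
FORGED_CERT = b"constructed-forged-cert CN=owa.example.test"


def demo(host="owa.example.test"):
    """Walk the pin store through a first contact, a MITM and a real change."""
    store = PinStore()
    return [
        store.evaluate(host, LEGIT_CERT, chain_valid=True),    # pinned
        store.evaluate(host, FORGED_CERT, chain_valid=False),  # reject
        store.evaluate(host, FORGED_CERT, chain_valid=False),  # still reject
        store.evaluate(host, LEGIT_CERT, chain_valid=True),    # ok
        store.evaluate(host, FORGED_CERT, chain_valid=True),   # changed
    ]


if __name__ == "__main__":
    print(demo())
```

The two properties missing from the handset behaviour described above are visible in the verdict list: a certificate that fails validation is rejected every time, not once and then cached, and a certificate that does validate but differs from the pinned one is reported as a change rather than accepted in silence.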
We've run the attack several times in the lab, though I would love to have a crack at this on the London Underground. Can you see it on one of the deep tube lines? Offer a fake wireless access point, watch all the iPhone users go “oh, there's wireless on the Tube now” and behold, they promptly send you their credentials...
It's not just the iPhone that handles invalid SSL certificates badly. The Opera Mini browser opens a website with a bad SSL certificate without any alert at all. At least Pocket IE has a decent invalid-certificate alert and lets you inspect the certificate.
What can you do in the meantime? MITM attacks are much harder over mobile data bearers, since the attacker would have to impersonate the mobile network rather than a WiFi access point, so discourage the use of WiFi if you have iPhone users in your organisation. Alternatively, save your business some cash and stick with your current mobile email solution.
Apple is working on better Exchange integration, so let's hope market forces will push it to give more thought to the trade-off between functionality and security. Security should win over style every time.