Doubts about the iPhone's security are justified. Without careful configuration, it is just not fit for a secure environment.
We've all had nagging doubts about the security of the iPhone for use in the corporate environment. However, it was difficult to find hard evidence to present to users to justify why they shouldn't have the Apple wonder phone at work.
In recent weeks, that evidence has become available. Without very careful configuration and management, iPhones are not suitable for use in an environment where security is important.
For example, it is a doddle to access the voicemail on a PIN-locked iPhone 3GS/4: you do it simply by using voice control. A default voicemail PIN code of 8705 is present on O2 iPhones; if unchanged by the user, their voicemail can be accessed. It has been mooted that this was the route used to access Prince Harry's voicemail a while back.

Second, a PIN-locked iPhone can be accessed using a sync cable from any PC. The user partition can be read simply by connecting the phone via the USB cable to a PC. Using iFuse, it is simple to mount and browse user partitions. iFuse is a FUSE file system driver that uses the 'libiphone' library, which enables people to connect to iPhone and iPod Touch devices without needing to 'jailbreak' (unlock) them. iFuse uses the native Apple AFC protocol over a normal USB cable in order to access the device's media files.
Worse, a jailbroken iPhone subject to the same attack will reveal its entire file system, SQLite databases where mail and messages are stored, credentials, the lot. Again, it is simple to use iFuse to force-mount the root file system to achieve this.
Particularly concerning was the ability to write to the user partition, even of un-jailbroken iPhones. If one could produce an exploit in common user file formats (jpg, png, mp4, mp3, m4r, iThmb etc) that can be loaded on the iPhone, then privilege could be raised and full control could be taken.
Further, owing to poor user alerts in the case of faked SSL certificates, it is also possible to run a man-in-the-middle attack over wireless and steal email/domain credentials from the iPhone. If an attacker spoofs common access point names, such as BTOpenzone and The Cloud, which are likely to have been cached previously by most iPhones, the phone automatically associates with the rogue AP when in range.
The phone then attempts to sync email and negotiates an SSL connection. A forged certificate can easily be served to the phone, generating a trivial error message, which nearly 80 per cent of users accept. The email credentials are then encrypted using the faked certificate, allowing the attacker to decrypt them. If it's an Exchange email account, the credentials are usually the user's domain credentials...
Rather scarily, once the fake SSL certificate has been accepted by the user, it is then cached permanently. There is no way to remove the certificate, other than to delete the email profile and start again.
Newer devices such as the iPhone 4 and iPad don't exhibit quite the same behaviour. Man-in-the-middle attacks are tougher to carry out, due to DHCP issues. We are currently investigating handling of IPv6, DHCP and ARP by the newer devices, so watch this space.
In the meantime, we recommend the following:
- Ensure all users change their voicemail PIN from the default
- Consider disabling wireless, to prevent credential theft
- Don't let your staff jailbreak their iPhones
- Implement an enterprise iPhone management solution and use it to deploy the latest OS versions as soon as they are released
- Distribute good iPhone practice information to users.
I would also keep an eye out for malicious software popping up in the AppStore. While Apple does appear to go to some lengths to validate software, the incredible volume of new apps is going to make maintaining quality and security increasingly difficult for the company.
Given the penetration of the iPhone and the availability of numerous online banking applications for it, there will be great interest from criminal groups in writing/modifying code for the iPhone. The prizes for them are significant.