DISQUS

randy · 2 years ago

"The person that spends 500$ on their phone will protect it more than the laptop you issued them"

Isn't that the truth!

dre · 2 years ago

I don't know, Matasano.

Linksys hasn't had a great reputation in the past for security. Didn't they ship a router with an administrator default password... twice? Didn't they allow access to their underlying Linux OS via TTCP? Weren't they the ones that allowed simple CSRF to change passwords?

And don't forget about DNS hijacking - sorry "Pharming" - although DNSSEC would prevent that, mind you.

Yeah. The Linksys iPhone is bound to be one of the WORST security problems the world has ever seen. Predicted here first.

Anonymous · 2 years ago

@dre
Hm sorry to point out to you they are not talking about linksys IPhone(which no one cares about) but a new phone by Apple.
http://www.apple.com/iphone/
@Dave G:
How come you say sadly someone will run Linux in it ? Having someone port a version of linux would be something wonderfull, I bet that apple placed many silly software restrictions in it, just as it did in Apple TV, and the ipods, having some piece of software that can actually exploit the hardware full capacity is not sad.

Andrew Storms · 2 years ago

"The person that spends 500$ on their phone will protect it more than the laptop you issued them."

LOL - so true.

yoshi · 2 years ago

Finally some sense. the iPhone is not even on my radar (well I do plan on buying one) and it shouldn't until after its released. Out of the risks that we have to manage - its just not high on the list. But that won't stop pundits trying to improve their click-through but releasing FUD.

dragonfrog · 2 years ago

It's sad that they'll have to, I guess.

I was rather excited when I first saw the specs for these things - not that I'm about to spend 500 USD on a phone. But, there I was imagining all sorts of useful OS X tools could get ported to the iPhone - especially wireless tools. Now we get the lovely news that if it can't be implemented in AJAX, it ain't coming to an iPhone near you. Bleagh.

Incidentally, was the thing about the Linksys a joke? I think they're just coming out with the thing because they have to retain a semblance of using the trademark on the name "Iphone", which Cisco had been sitting on silently for some time until Apple made their announcement.

dragonfrog · 2 years ago

That wasn't very clear - I meant it's sad that people will have to port Linux to the iPhone, in order to get full access to the hardware they've put out good money for.

Andrew Jaquith · 2 years ago

Dre was clearly trying to wind people up, and he succeeded. Nice job, Dave, talking sense on this issue. I was asked by a reporter to comment on your blog post (!) and on Andrew's (nCircle), and frankly I think this whole issue is a tempest in a teapot. Show me a phone that implements all of Andrew's wished-for security features, and I'll show you one that doesn't exist. CLEARLY any phone that doesn't have "electromagnetic analysis countermeasures" isn't ready for the enterprise.

Chris Rohlf · 2 years ago

There have been many other very successful hand held/phone platforms in the past and none of them have been the security nightmare everyone talks them up to be. iPhone will be no different. Perhaps a POC here and there but nothing ground-breaking

PaulM · 2 years ago

iPhone == status symbol
theft == crime of opportunity
stolen iPhone == factory reset & sold on eBay

Also:
http://www.theonion.com/content/infograph/apple...

dre · 2 years ago

@Andrew CLEARLY any phone that doesn’t have “electromagnetic analysis countermeasures” isn’t ready for the enterprise

So you're suggesting that enterprises use cell phones with a local switching gateway inside of a giant copper-shielded orb surrounded by white noise generators?

It's not all about security, is it? It's about a level of assurance good enough to prevent your mom's credit card number from getting stolen off the phone while she buys Snoop Dog's latest iTunes music video.

@dragonfrog Now we get the lovely news that if it can’t be implemented in AJAX, it ain’t coming to an iPhone near you

DOM-based XSS is going to be a primary vector of attack for the iPhone? So what?! It's already a primary vector of attack for everything! I am starting to wonder why Matasano doesn't care about this sort of security, as it's probably one of the biggest and most critical issues we need to address. Sure, it's not specific to the iPhone, but cross-operating system, cross-browser botnets based on browser technology should scare the beejeezus out of everybody. That's exactly the type of stuff that is worth talking about.

@ChrisR There have been many other very successful hand held/phone platforms in the past and none of them have been the security nightmare everyone talks them up to be. iPhone will be no different. Perhaps a POC here and there but nothing ground-breaking

You didn't read the latest SecurityFocus interview with Barnaby Jack, but that's ok - I'll summarize: null ptr exceptions should scare you. Again. No, really - this time. I'm not kidding.

Ok I am kidding. Nobody with a brain (see: intelligent adversary) attacks platforms anymore. Web applications make it so that platforms, OSes, and fat apps don't even really need to be attacked. They're already owned when a user opens a browser and clicks on his/her first or second link.

Embedded devices are under attack, but in a very different way. I wasn't kidding when I was talking about Linksys earlier. According to the Illuminati (the CoralCDN study (*), not the conspiracy theory), 73% of browsers are behind a NAT. But of those NAT's only 1 or 2 hosts exist behind them. So under a large Javascript browser attack such as an XSS worm, a very successful adversary/adversaries would be able to perform a Jikto style attack (i.e. Intranet port scanning with HTML or Javascript) against a bunch of ...

you guessed it... Linksys routers. And what web vulnerabilties exist in these toy devices? CSRF's to change the passwords. And what can you do when you change the passwords? Change the Linksys configuration. And what in the Linksys configuration is interesting enough to change that most users wouldn't notice? DNS settings. And what can you do with DNS hijacking? Create a persistent botnet through chains of XSS proxies. And what can you do with botnets? Steal identities, credit cards, stay anonymous, and attack anything you want from the privacy of some other guy's browser.

Sorry that I set all of you up for this giant cluestick. But there you have it. Enjoy

(*) http://illuminati.coralcdn.org/stats/

Chris Rohlf · 2 years ago

@dre

Actually, I did read the presentation/interview with Barnaby, but thanks for assuming. Please tell me why we need to be 'more' scared over hand held platforms security now that theres a new public way to exploit NULL ptr derefs on certain architectures? The biggest nightmare with these devices has been, and will continue to be, data leakage by slow witted employees, not NULL ptr deref's

dre · 2 years ago

Please tell me why we need to be ‘more’ scared over hand held platforms security now that theres a new public way to exploit NULL ptr derefs on certain architectures?

We shouldn't; I was joking: "Ok I am kidding. Nobody with a brain (see: intelligent adversary) attacks platforms anymore". Intelligent adversaries are going to come up with much better ideas to create and maintain botnets. They don't need to own the platform. All they need is control of a clientside application, or a least a small part of it (e.g. mhtml, javascript, et al) and a way to ensure continual re-injection.

Rosyna · 2 years ago

Actually, the iPhone could be a huge security risk... Since you can't run middleware applications on it, you *have* to have a world-facing server if you want to make a "webapp" that accesses company data. And from all appearances, the iPhone doesn't support VPN so you cannot restrict said world-facing server to specific IPs on the local network.

So the issue is that if companies make such webapps, how do they properly restrict the access?

Thomas Ptacek · 2 years ago

I had the same thought when Jon Gruber posted a comment saying that "of course corporate users can tunnel their mail through Yahoo Mail". I presume no PGP support for the iPhone is forthcoming.

Andrew Storms · 2 years ago

BTW - my list, though I agree may come off sounding a little far fetched, is actually just a subset of the security features of a RIM device...yes even including the “electromagnetic analysis countermeasures”.

I didn't make it up, its really in their PDF...seriously, I'm not really that much of a staunch bastard trying to pick on Apple.

I also found it interesting that an eweek reporter got MS to answer the questions WRT to Windows Mobile.

http://www.eweek.com/article2/0,1895,2149610,00...

Ted · 2 years ago

Mate.
Take a deep breath, relax and sit down.

Policy's are written these days to be very broad, taking the stance of stating whats allowed and explicitly denying everything else.

In a controlled environment the iPhone should not pose any great threat that haven't been mentioned in the last couple of years.

Jon A. Longoria · 1 year ago

Haha, it is interesting that you refer back to Furby's, We had this very problem in a office where I was stationed with the USAF years ago, before I arrived. They were removed the because one day some personnel came to the office and they were talking about project/financial data to eachother (about 12 of them).

Anyways, regarding the iPhone security hype, I would have to agree and I think SpaceRogue summed it in his articles last year, http://www.spacerogue.net/wordpress/?p=35 and http://www.spacerogue.net/wordpress/?p=36 . Keep writing!