Agentless Backup is Not a Myth
Yet, the hip consumer technology company has done a credible job with security.
For one, Apple turned off as many non-essential services as possible, minimising the software surface area that could be attacked by malicious code. The stripped-down version of Safari, known as MobileSafari, allows very few files types, making it harder to attack. In addition, Apple has quickly produced a patch for the vulnerability found by ISE, releasing an update for the phone on Tuesday. The patches are easily installed through iTunes, making it less likely that people will be carrying phones vulnerable to older flaws.
The iPhone's restrictions on installing non-Apple software can be seen as a security feature as well, as long as the protections make it difficult to create programs for the phone, F-Secure's Hyppönen said.
"From the attacker's point of view, it is a hard device to attack, because there is no SDK (software development kit) - it's a closed system," he said.
Moreover, while the minimalist phone has found favour, the total number of users is still small. AT&T announced earlier this month that 146,000 iPhones had registered with the wireless service in the first two days - a strong showing but short of rosy analyst estimates (registration required) that predicted numbers as high as 500,000. Apple stated in its earnings that the company had shipped 270,000 iPhones during those two days.
Because most attackers target the largest possible population of victims, the iPhone is likely not worth the effort for truly malicious attackers, Hyppönen said.
"The installed base is really low - only a few hundred thousand," he said. "If you attack other phones, such as Symbian phones, you get millions of possible targets."
Yet, if Apple's estimates for sales of the iPhone pan out, the device will only become more appealing. The company aims to sell one million phones by the end of this quarter and ship 10 million by July 2008.
Finally, some researchers question whether compromising an iPhone would gain anything of value for the attacker. While some countries in Asia use cell phones to connect to bank accounts, that is seldom heard of in the United States. And the other data on the device is not necessarily worth stealing, said David Goldsmith, president of security firm Matasano.
"I don't think the attack model of breaking into machines and stealing MP3s is convincing," he said.
Sitting near the Black Hat Security Briefings registration area on Tuesday, Miller agrees.
"There are a lot of other things to worry about right now than my iPhone being hacked," he said.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus
COMMENTS
Dissappointing sales?
Please can you stop trotting out this anti-hype rubbish.
Certain analysts are the only ones disappointed by the level of sales. Most analysts predicted around the number sold and Apple didn't make any promises with regards to the number sold in the first 30 hours.
Some people would say that 150k units sold in 30 hours is very good you know?
Consider a new source, Reg
Apparently this "Hyppönen" chap doesn't read the news, or he selectively reads it.
"From the attacker's point of view, it is a hard device to attack, because there is no SDK (software development kit) - it's a closed system,"
Except for the fact that people have already figured out how to develop and run applications on it. And that existing applications, namely the OS, have been reverse-engineered in less than a month, say?
"Finally, some researchers question whether compromising an iPhone would gain anything of value for the attacker."
Well, it can be used as a listening device. I certainly see government-level espionage, def. corporate espionage, in the works with this. If a person uses their iPhone to access bank stuff, it apparently can be monitored just like a PC can with a keylogger.
"The iPhone's restrictions on installing non-Apple software can be seen as a security feature as well, as long as the protections make it difficult to create programs for the phone"
Except if it uses a simple check to verify that it's proper Apple software, then all a programmer has to do is reverse-engineer the legit Apple apps and find the string and inject it into their own programs. Even if Apple uses a grossly-ineffective method of checking over the 'net of a program's authenticity, well, that's simple! Redirect the authentication server to a malicious one via editing of the hosts file, and the methods employed there can easily be ascertained by running an Ethereal/ettercap scan and reading the packets.
Come on El Reg, don't get your soundbytes from F-Secure. Go back to Sophos. While Graham Cluely doesn't open his mouth much for the soundbytes, he at least doesn't sound like a twunt when he does.
IT infrastructure monitoring strategies
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
Data control in the cloud
Cloud based data management
Agentless Backup is Not a Myth
