The iPhone security non-story


David Maynor is hoarding his Safari browser flaws with his eyes on the iPhone.

As far back as January, hackers were asking questions about the iPhone CPU and preparing for attack scenarios.

The first hacker that breaks into the iPhone will generate lots of headlines/publicity but that's right about where this story ends.

According to this NetworkWorld piece, Gartner will add to the ridiculous hypefest next Monday with a warning to enterprises:

"We're telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise," Gartner analyst Ken Dulaney says. "This is basically a cellular iPod with some other capabilities and it's important that it be recognized as such."

Do we really need a Gartner report to tell us that a storage device presents a data theft risk?

Dave Goldsmith from Matasano says it best:

Every device that walks into your organization is just another way for data to leave. Laptops, iPods, cell phones, PDAs and even the dreaded Furby have all gone through this same set of concerns.

Yes, somewhere deep inside of every enterprise is a small team of people that have to worry about data management. And yes, every time something like this comes out, they have to write a bunch of policy blocking it. And then they have to start relaxing that policy as the devices become commonplace.

If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone. Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.

Space Rogue, a former L0pht member and editor of the Hacker News Network, agrees this is a non-story and argues that the iPhone will be much more locked down and secure than your existing cell phone, thanks to the firmware auto-updating mechanism built into iTunes:

iPhone will run a modified version of OSX. That will likely include some form of FileVault, Apple's encryption technology for user files. That's right, encryption built right in. This hasn't been announced and it might not be in there, but if the technology and the code already exist why not put it in?

iPhone looks to be just about as secure or even more so (no proprietary and closed backend) than a Blackberry, Treo, or Blackjack. Everyone saying otherwise is either a paid MS shill, astroturfing, or just plain idiots.

And to the 25+ PR folks pitching me iPhone security stories to hitch your clients' wagon to the iPhone gravy train: you can stop now.

This is my last iPhone blog entry. Until Maynor or Halvar Flake breaks in.

Topics: iPhone, Mobility, Security

  • Surprising candor

    I'm impressed.
    • Surprising candor indeed!

      Why can't ZDNet columnists write more like this?
      It would then actually be interesting and worth my time to visit this place more often.

      Both thumbs up to this one!
      • i agree

        Ryan is quickly becoming my favorite ZDNet author for his level, well-thought-out writing.

        Some of the other authors give me the impression of just sticking a stick in the beehive for "article hits". I appreciate his taking a higher road.
  • The moment

    anyone mentions David Maynor, they can kiss their credibility good-bye. Anyone with any sort of professional ethics in the security industry should run this guy out of town on a rail.
    • C'mon, be fair

      Not entirely fair. Notwithstanding the problems with the way the Black Hat/Wi-Fi flaw mess was handled and my own disagreement with his disclosure policy regarding Apple, Maynor is a good guy with a history of legitimate findings.

      I wish he would be the bigger man and patch things up with Apple. Maynor means well and the engineering folks at Apple are all working towards the same goal. Things got FUBAR'd when the PR people got involved.

      Don't get mixed up with PR shenanigans and a researcher's credibility.

      Ryan Naraine
      • No matter how old he is, I peg Maynor as a kid.

        I just can't take him seriously any more - the guy's been a petulant child for the last ten months without break. Whether or not he's been a legitimate researcher is kind of irrelevant - emotionally, he seems to be a five-year-old who wasn't given the attention he wanted so now he's throwing a fit.

        (That said, wow. You're handling this discussion better than all the rest of ZDNet put together. Kudos to you.)
        • puhleeeze

          Only an Apple worshiper would say the things you're saying.

          These types of articles are really written for security professionals.

          Trust me.. I know of people who will own these little boxes in no time at all.

          If you don't think that's true... you're only kidding yourself.

          All you need is an IP and with a device like this.. game over.

          Sorry but that's reality.

          Plus with the fact that AT&T filters your data/email for keywords too???
          • hah...

            "Trust me.. I know of people who will own these little boxes in no time at all."

            lol, so you are saying you 'know of people' (which basically means you heard a friend say they knew somebody that had heard that a guy was going to..) who are going to hack iPhones in 'no time at all'. Not sure what you are talking about below that about an IP and some non-disclosed device.

            Where is your proof that: A: AT&T filters all data and email; B: if they do, what says other providers don't?
      • I have a rule

        I'm not interested in what you did five years ago, good or bad. I'm interested in what you are doing today.

        Today, Maynor is a vengeful little hack letting his hatred of Apple totally destroy any credibility he has. He made up an exploit, got caught in his lies, and lied some more to cover it up.

        I don't care if he walked on water five years ago. Today, he is a hateful little jerk, and it is what he is today that counts.
  • French Like Blackberry FUD!!!

    The iPhone corporate warning post reminds me a little of the French Blackberry warning:

    The French were wrong, all communications have been encrypted this entire time. The iPhone will likely be just as secure if not more. I found the following quote about the direct cost of that one FUD statement interesting:

    "I don't want to be cynical but I bet that French warning will probably end up costing the tax payers of the world millions."

    Almost any new cell phone or device is just as much a potential data risk. Many of the fancy business cell phones have had Bluetooth hacks. The iPhone is running the Mac OS so it should be able to be secured more tightly than most devices which aren't nearly as flexible, plus the update mechanism you mention.

    Chicken little "sky is falling" speculation is also called FUD (Fear Uncertainty Doubt), and it isn't good for anyone. Thanks for pointing that out. I wonder what impact this FUD will have on Apple? I'd think that expensive phones like the iPhone would mainly be used by execs at first, so the scare tactics are just a baseless cheap shot at this point.
  • The iPhone is *TOO* enterprise-oriented for me

    Let's look at this:

    * The terms of use allow 'unlimited' data access for supported services, typical web browsing, and corporate intranet access. That's about it.

    * Development for the iPhone is for HTML-based applets only, so there's no corporate data on the unit itself.

    That's great for companies, it means that they can wrap their corporate data in an intranet applet and the only data on the phone they need to worry about is email... anything else is personal.

    It sucks for people who want to use it for anything other than the stuff Apple explicitly provides. There's no eBook reader, no Flash or Java for games, if you want to do anything beyond the applications Apple provides you're stuck. You can't even use a track from iTunes for a ringtone!

    It also sucks for people who want to use it to log in to their home server to do work. There's no VNC or RDP support for Windows, no VNC or SSH support for UNIX/Mac, no Java support to *add* these, and it would be against the terms of service if you could do it.

    Rather than a lack of corporate support, the big problem with the iPhone is that it's too corporate.
    • huh?

      "There's no eBook reader" - Yes there is, native support for pdf, rdf, doc, etc.

      "Flash or Java for games" - Since this is an updating OS, features can be added at any point. I bet we see Flash really soon.

      "if you want to do anything beyond the applications Apple provides you're stuck." - Untrue, all Google apps, web widgets, etc. already work, and many more apps and services are in the pipeline.

      "You can't even use a track from iTunes for a ringtone!" - Um. Yes you can.

      "so there's no corporate data on the unit itself" - yes you can store your data, addresses, etc. You can go either way.
  • Gartner is right about 1% ...

    of the time. They are the biggest joke and sorriest excuse for credible info.

    BUT, they are right on with their take and YES someone needs to tell the corporate world.
  • I Agree, Apple does a much better security job

    and will with the iPhone too. I trust Safari much more than any other browser out there. It's secure not counting Java, but Java is not on the iPhone and not an Apple product anyway. So give me an OSX BSD UNIX open source based device any day over a proprietary BlackBerry or worse, a Windows CE based device. You go Apple!