Sunday, October 14, 2007

Apple's time to take the spotlight... may not be so bright.

I was browsing the net for intel on the iPhone (I want one), and it struck me that there is a hidden issue here for Apple, and one that I hope to g@d they have considered: security.
Information security has been touted amongst the Apple set as one of the cornerstones of the product lines. After all, "get a Mac" means not having to deal with the viruses and problems PCs have to deal with every single day. Right? We all know that OS X is based on a flavor of BSD UNIX and that the iPhone has been reported to be based on OS X. I'm confident that the folks at Apple changed the core kernel and locked it down enough to withstand the casual attack. Here's the rub though. Apple, for as long as I can remember, or since Microsoft stole the GUI from them, has been in a "niche" of the IT world.

Creative folks love Apple and won't use PCs. People with more money than they know what to do with, who want something in their home office or living room that looks drop-dead gorgeous, get Apples. Until this point in time I would say it is safe to call Apple the Porsche of the IT world. Sure, the iPod enjoys a market share of the portable music world, but now we are getting into something entirely different with the introduction of the iPhone. Until now our iPods were essentially stand-alone systems, with the overarching security controls of our PCs and Macs offering some protection. (I say this in all optimism that folks who use PCs actually do some form of security, even though I know this not to be true, and am, in all forms, in a complete state of denial as to the pure insanity and ignorance of the general computing population with regard to the absurd idea that computing without a firewall and antivirus program is "ok".)
Now that I have that off my shoulders, back to the issue at hand. Until today Apple has not had the market footprint that PCs and their peripherals have enjoyed (including smart phones). If Apple is as successful as predicted with the iPhone, and they most likely will be, what are the consequences of an Apple OS having the same profile, and therefore the same market footprint, as its Windows nemesis?
I put forth that Apple is now fair game for malware, viruses, and any other threat agent out there that can take advantage of the Mac OS running on the iPhone. Imagine millions of iPhones infected and performing "drunk dialing" of fee-based porn sites or phone spoofing. Any time you tie a possible revenue stream to a device that is interconnected with the cloud, you invite the current generation of organized-crime-based crackers to get cranked up and figure out how to milk this cow for every dollar possible.
And boy, there could be millions made from exploitation of the iPhone. Consider this theoretical model.
1) Hack a weak server at a data hosting or web hosting company and set up a pay porn, or any other fee-based, site, with PayPal as the money channel to an offshore account.
2) Buy three iPhones: one for destructive testing, one for regression testing, and one for final testing. (Cost $1600 bucks)
3) Either you are the mind-bending cracker or you find one and get to work on finding the exploit. Let's say for this deal you're going all out and don't want to get caught. You go to a local computer shop, pay cash, and buy three decent laptops with enough horsepower to get the job done. (Cost about $2000 avg.)
4) Load them up with your favorite flavor of BSD UNIX and some VMware that you cracked.
5) Destroy one iPhone to figure out how the thing is built and where the "guts" of the box are.
6) Extract the OS, data files, etc. and start regression testing. Figure out how they interoperate with the data network. (What ports and protocols are used.)
7) Find the exploits. (Everyone has them, and if anyone tells me that Apple has closed all the holes in a "just works" environment, I have some land to sell you.)
8) This is where the real fun begins. Let's say it takes you four months to crack the box and devise a way to get all the iPhones in the world to go to your website. Or better yet, dial your international 900 number in a country with no extradition treaty. (Better yet, a country that just doesn't have the resources to find you or track you down.) Cost of living in a third-world country per month: 300 bucks if you don't want to attract attention to yourself. I hear Africa is dirt cheap and they have bandwidth.
9) Finally you have your ingenious crack and you're ready to unleash it on the world. Buy one round-trip ticket to Asia (you know they're going to eat this iPhone alive) and deploy your malware. So if you deploy 1 year after the release of the iPhone and there are an optimistic 2 million iPhones sold, all interconnected to the cloud, going to your site or dialing your numbers, at a conservatively imaginary .25 cents (US) an hour, and you are able to run for 24 hours before Apple figures out the game is afoot and closes you down, how much do you think you could make?
(2 Million iPhones) X (.25 cents an hour) X (24 hours) = $12,000,000 !
Not bad for an investment of a few months' time and just under $5000.00 (US). What's your price? We all have one, and 12 million is a lot of reasons to bring everyone that has been working on the Microsoft world to come over the fence and play. One of the reasons Apple has been, well, secure is that there hasn't been the critical mass of targets needed to justify the risk, time, and cost. The iPhone has the potential to shift the paradigm and offer a target-rich environment that could yield the kind of monetary incentives we are seeing as the principal motivating trend in the cracker community.
I hope Apple is ready for the spotlight, because if the iPhone and Macs share the same platform, any security flaw that is exposed on the iPhone could be applied to the Mac and the population that depends on it.
Finally, I shudder to think what will happen when these devices make it into the US Government space. I am not aware of any single policy that deals with a device that has this level of connectivity in a single unit. Governments around the world are going to have to meet this new level of integration head on if they are to understand and mitigate the risks that these devices pose to their information and data processing environments.
Sleep well knowing that somewhere out there are folks who have already dreamed this up and can't wait to get their hands on the iPhone, not because it is shiny and cool but because they see a ton of money waiting to be taken.
