I passed up a chance to get an iPhone last week because I couldn't spare
the time to wait in line for it. I was headed to New Hampshire to stay
up at Lake Winnipesaukee with some friends and watch the NASCAR
Modified, Busch, and Nextel Cup races at NHIS in Loudon.
During our long drive, I started asking myself questions about the
iPhone with regard to security and the concerns I have with it and other
"smart" phones. Below are some of the questions I had; the list is
by no means comprehensive. Most could be, or probably already have been,
answered, but here goes anyway.
Wireless
- How does the iPhone connect to Wi-Fi networks? Does it auto-connect to
the nearest AP, or is it manual?
- Can the phone run in infrastructure mode? (can the phone be an access
point?)
- Bluetooth support: can it be turned on/off? Can it be told to limit
access to specific devices?
- Is there a VPN client?
- What is the Bluetooth/Wi-Fi range of the device?
Encryption
- What does the iPhone support in the encryption arena?
- Is data encrypted on the device? in removable memory? while in
transit?
- Does it support PGP or S/MIME?
- What encryption algorithms does it support? AES, 3DES, Blowfish,
SSL, etc.?
- If it has a VPN client, what protocols does it support? IPSec, L2TP,
PPTP?
Authentication
- Does it support Kerberos, LDAP, etc for domain/application
authentication?
- Does the phone automatically lock itself after a period of no
activity?
- Can the phone be locked requiring a passcode to unlock it?
- Can the SIM card require a PIN?
- What does the user run as? Are all applications running as
root/administrator?
- Does the phone support proxies?
- Do phones come with a default password? Do any services have a
default password? Will the device require you to change it? What
security policies can be enforced?
Security
- Does the device have a firewall? If so, what is allowed
inbound/outbound?
- Does the device have a need for A/V?
- Can calls be spoofed to and from the phone?
- Can activation be bypassed? Unlocked to work with other carriers
(T-mobile, Alltel, Sprint etc)
- What are the secret/maintenance codes (both listed and unlisted)?
Tracking
- If the device is lost, what can be done? MacBooks have a program that
can "phone home", like a Lo-Jack for laptops. Is there such a thing
for the phone?
Applications
- What applications/plugins are installed by default? Which of them can
access the Internet?
  - Mail client
  - Web browser
  - Instant messaging, games
  - iTunes, QuickTime, PDF, Flash, etc.
- What applications can the user install?
- Do applications support encryption? (SSL, IMAPS, etc)
Services
- What services are running?
- What ports are services listening on?
- What clients can you run (e.g. telnet, ssh, vnc)?
Hardware
- What processor architecture is used?
- Can users download and install their own firmware?
- What can be plugged into the device? USB, FireWire, etc.?
- What filesystem is used and what form factor is the memory card?
- How are updates handled? Automatic security updates?
- How much storage is available? How much storage does the OS take up?
Attack Vectors
- Vulnerabilities that exist on PCs will exist on the iPhone
- Operating system, web browser, applications, services -- supposedly
the OS and browser have not been stripped down for "mobile" use.
- Firewall configuration
- User accesses a malicious website, which could take over the phone or
a running application
- Theft
- Weak encryption algorithms
- Default passwords
- Phishing
Posted by Marcin on Tuesday, July 3, 2007 in
Security and
Tech.
I've been real busy lately, but I came across several blogs and articles
this week that I'd like to share, Andrew
Hay style. =)
CEO Crime &
Punishment --
Ben Horowitz, CEO of Opsware Inc., shares his thoughts on what entices
executives to commit white collar crime. Is it for money? Or is there
some other reason?
Warren Buffett once said that "marrying for the money probably isn't
a good idea in any case, but if you are already rich, it makes no
sense at all." The variation that applies to CEOs is "robbing
investors probably isn't a good idea in any case, but if you are
already rich, it makes no sense at all."
The Mainframe Conundrum -- There are
many systems that power our economy, our infrastructure, and life on
Earth: mainframes, powered by COBOL, IBM Assembler, and others, with
security mechanisms like RACF that researchers in the security
community seem to have skipped. I've thought about the state of
mainframe security and other critical systems, and it could be scary. I
know of machines that cannot accept a password longer than 8 alphanumeric
characters, yet power entire businesses. The number of people who are
skilled in systems like VAX/VMS, TPF, and z/OS is dwindling... Who will
review the critical applications that run on them?
Most large organizations have a 30-40 year investment in their
applications and they're not going to re-write in a Johnny-come-
lately language like Java or C# just because we can't review old
code. There are literally billions of lines of COBOL out there, and
it ... runs the world. There should and MUST be a way we can review
this code.
Analyzing the Facebook Platform, three weeks
in -- Marc
Andreessen comments on the successful launch of the Facebook API, which
allows developers to create applications that add functionality to
Facebook but don't replace it. In it, he brings up the account of one
successful application that took off virally: originally
hosted on two servers, it now requires a couple hundred to keep up with the
load users have put on it. "Success kills" is one way of looking at it.
The developers of Facebook surely put a lot of time and effort into the
design of the system. We'll see soon enough how the API, and the
applications people write on it, stand up security-wise.
Maryland Professor Creates Desktop Supercomputer
Prototype -- Uzi Vishkin,
with the help of his students, has created a prototype that uses 64
processors working in parallel and is, in some cases, hundreds of times
faster than modern desktop computers. I look forward to the advancements
they make in this sector.
Red Hat Linux gets Top Government Security
Rating --
Another Slashdot posting, I know, but the comments are worth reading.
There's a lot that I forgot about or didn't know regarding the multitude
of ratings various agencies can award systems that meet specified
criteria. After reading the comments, I flipped through the Orange
Book to refresh my memory. It's
old, but still good!
Blog posts to watch:
Joanna: We Can Detect Bluepill. Let Us Prove
It!
and We're ready for the Ptacek's
challenge!
-- I'm a huge fan of the research both Joanna Rutkowska and the guys
over at Matasano have put out. Things will definitely get interesting as
Black Hat nears... exciting :D
Posted by Marcin on Thursday, June 28, 2007 in
News,
Privacy,
Security and
Tech.
Several people in the corporate IT security group where I'm interning
this summer have been working hard on creating a program to educate
users on the company's acceptable use policies and some basic security
awareness. They've done a great job and the stuff they came up with
looks top notch. During lunch they're out talking to other employees,
answering their questions and even handing out nice Kingston
DataTraveler Secure Privacy edition USB thumb drives. (Too bad they only
work on Windows; anyone get them running in Linux??)
Anyways, back to me getting owned... One of the other interns I work
with asked me to go print something off for her because she was busy
answering questions and things like that. At first I was a bit
hesitant, not knowing what exactly I was going to print. I was going
back to my desk anyways, but she told me I could print it from one of
the computers at the table not too far away. I assumed she didn't have a
printer set up there or something. Sure enough, I plug in the USB drive she
gave me and up comes the "meltdown" program, which makes the screen look
all mushy. Had I taken it to my desk, I would have been safer because
Autorun was disabled there, but still... that was embarrassing.
Yup... If you haven't noticed by now, women have no problems social
engineering men.
Posted by Marcin on Tuesday, June 26, 2007 in
Security and
Work.
If you have too many tags, scripts, ads, etc. on your site. Thanks to
Tyler for saying what we've all been wanting to
say.
Just look at
this.
Posted by Marcin on Wednesday, June 20, 2007 in
Other.
These two stories are
interesting. I wonder if Adam from Emergent
Chaos has seen them:
The most misused SSN of all time was (078-05-1120). In 1938, wallet
manufacturer the E. H. Ferree company in Lockport, New York decided
to promote its product by showing how a Social Security card would
fit into its wallets. A sample card, used for display purposes, was
inserted in each wallet. Company Vice President and Treasurer
Douglas Patterson thought it would be a clever idea to use the
actual SSN of his secretary, Mrs. Hilda Schrader Whitcher.
Posted by Marcin on Wednesday, June 20, 2007 in
Privacy.