Business Daily from THE HINDU group of publications
Monday, Jul 30, 2007
eWorld - Telecommunications
Info-Tech - Security
Columns - Security Musings
Is the iPhone secure?

This is what the different camps say.




R.K.Raghavan

IT security experts these days do not seem to have a single dull moment. There is something happening all the time in cyber space that keeps them busy and occupied. This is how it should be, for otherwise we would be at the mercy of those who are forever engaged in prying on us, either for their own economic profit or sheer adventure.

In an age where public order is at peril, thanks to the hyperactive terrorist and the hard-boiled conventional criminal, it is but appropriate that we heed cyber security professionals and protect ourselves adequately.

The latest debate in the IT world is how secure the new gizmo is, namely Apple’s iPhone, which was released to the public in late June with great fanfare. Reports have it that people queued up overnight in New York and other cities in the US just to be among the first few privileged to own what is touted as a combination of the iPod and telephone.

Initial responses to the iPhone were mixed. These included feedback according to which access to the Net was not as fast as one would like it to be. Alongside it, there were expressions of fear that privacy concerns had not been fully taken care of by Apple.

Such apprehension, merited or not, has given rise to an animated discussion in the media and other public forums of the various features of the wonder machine. So much information has been floated by both pro-Apple and anti-Apple elements that, at the end of the day, one is still confused! If you are interested, go to a site which is rather amusingly called www.exploitingiphone.com.

It all emerges from the fact that the iPhone is basically a computer or something close to it. This is why one should expect in the new device all the problems — viruses, worms, spyware, etc — we associate with our PCs. Anyone who claims these have been totally eliminated in an iPhone is talking through his hat.

Let us first consider what those who speak for Apple say about the new phone’s security features.

Security plus

According to Neel Mehta of IBM’s Internet Security Systems, what is most significant is Apple’s decision not to offer a Software Developer Kit (SDK), something that would have helped those aiming to write malware to discredit the new device. He does not say that this fact totally eliminates such attacks. The point is that such an ill-motivated exercise becomes a tad more difficult.

Symantec’s Eric Chien seems to endorse Mehta’s optimism. Apple’s clear determination not to permit or facilitate third-party software in respect of their new product is, according to Chien, one positive feature that inspires confidence in its low vulnerability. For now, such software is restricted to browser-based JavaScript and Ajax code. Some additional security comes from the fact that the iPhone has to be necessarily activated on the AT&T network, as per the latter’s contract with Apple.

This is not only a legal requirement. According to AT&T, it is the only way one can get maximum performance. This is the carrier’s response to claims that an iPhone customer can circumvent AT&T using a Wi-Fi connection. Only experience over months will tell a user how truthful the respective claims are. The question, however, is how, in these days of extremely demanding users, the latter may agree to be bound by such a closed system. The craving is for a smart phone that does everything without being subjected to excessive restrictions. This becomes relevant especially when you consider you will have to shell out $500 (Rs 20,000) for an iPhone!

The other side

There are different sets of people who claim they have either successfully broken into the new gadget or have found the means for doing so. First are those who advertise that they have unearthed the six-letter passwords to gain access to the system. They believe that these included the iPhone’s “root password”.

Next is a person called Ken Dulaney of Gartner who publicises three known chinks in the iPhone’s armour. These are an unsecured e-mail system, the absence of firewall protection and the non-availability of software through which the phone can be disabled, once it is physically lost by its legal owner. (The counter to the Gartner accusation comes by way of reference to the protection afforded by the easily available Internet Message Access Protocol (IMAP). Also, a firewall becomes redundant for most Unix users, who can effectively switch off unnecessary services. As for remote disabling of a lost machine, the Apple response could come very soon in the form of suitable management software that is not difficult to write.)

Independent evaluators

What should worry Apple most is the clear-headed white paper written by three researchers who are part of a firm called Independent Security Evaluators. Their categorical claim is that they have hit upon a method of gaining wireless access to any or all files, including personally identifiable information, stored on an iPhone.

While the three enterprising investigators concede that Apple had built a reasonably secure protocol, the harsh truth, in their view, is that once a breach occurs, there is no stopping the attacker who can gain total control of the entire system.

Interestingly, the group leader, Charlie Miller, will present the findings at the Black Hat security conference in Las Vegas that is slated for August 2.

But even before such public sharing of information on the iPhone’s vulnerabilities, Miller is said to have given a private demonstration to at least one press reporter. During this session, Miller visited a Web site (one he had designed himself) using the iPhone browser, whereupon the site introduced a bit of code which took over the phone almost totally.

What followed logically was access to several files, including some recent text messages. Experts told of this demonstration believe that this was a case of genuine hacking. This was no surprise to them because it was the corollary to the long-awaited convergence of computing and telephony.

In the words of Prof Steven Bellovin of Columbia University: “We’ve been hearing for a few years now that viruses and worms were going to be a problem on cell-phones as they became a little more powerful, and we’re here… The iPhone is a full-fledged computer, … sure enough, it’s got computer-grade problems.” Cell-phone users beware. You are in for troubled times!

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.


Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line