Are iPhones compromising your company’s data?

Penetration of Apple’s iPhone 3GS in Australia has exceeded all expectations, but users and corporations should beware: these smartphones are the latest attack vector in hackers’ arsenals, according to Bill Robson, lead Penetration Tester for data assurance and security experts e-Sentinel.

The problem, says Robson, a keen iPhone 3GS user himself, is that the very way in which iPhones operate – that is wirelessly and without firewalls – makes it extremely easy for hackers to access iPhones across the Internet.

“The hacker’s access virtually goes unnoticed by the victim but it’s devastating for the security of any applications that are installed,” Robson said.

“Fortunately this attack is only relevant if an iPhone has been ‘jailbroken’, but according to an article in the New York Times on 12 May this year, 6.5 percent of iPhones have been subject to jailbreaking – that’s a lot of vulnerable iPhones!”

“Once hackers get in, they quickly capture and modify data that’s sent to a company’s back end systems.”

Robson said iPhone users’ habit of connecting to corporate systems through insecure (and potentially malicious) wireless hotspots and local networks also leaves them, and the companies they work with, vulnerable to attacks.

“Hackers use wireless hotspots to gain easy access to confidential data that’s being passed between an iPhone and a user’s corporate back end systems,” he said.

For corporate Australia there is a major risk of confidential corporate data being compromised through the widespread use of iPhones to connect to vulnerable web sites and web-based applications.

Robson said that hackers are launching full-scale SQL injection or Cross Site Scripting attacks to access back end databases through poorly designed applications or web sites.

He believes it’s only a matter of time before a major Australian organisation experiences an SQL injection attack such as those hitting the US.

“On April 13, 2008, Oklahoma’s Sexual and Violent Offender Registry shut down its site for ‘routine maintenance’ after nearly 10,600 social security numbers from sex offenders were downloaded by SQL injection,” Robson said.

“But this is nothing compared to the scale of attack perpetrated by American Albert Gonzalez and two unnamed Russians who were charged on 17 August this year with stealing 130 million credit card numbers by SQL attack.”

Reportedly the largest case of identity theft in American history, the thieves stole cards from a number of corporate victims after researching their payment processing systems. The victims included credit card processor Heartland Payment Systems, convenience store giant 7-Eleven and grocery chain Hannaford Brothers.

So what can companies do to counteract this latest security threat?

Robson cautions people not to rely too heavily on Secure Sockets Layer (SSL) encryption as the industry standard for safeguarding web sites from hackers.

“In our experience, SSL provides very good protection for confidentiality and integrity of data as it passes across the Internet but when it comes to local and wireless networks, the effectiveness drops off,” he said.

“The best defence is for companies to ensure they have securely designed web applications and web sites that can adequately protect data when the first layers of security are exposed.”

Robson recommends the following to prevent potential breaches:

  • Design security into web applications from the start
  • Don’t bolt security on at the end of application development
  • Consider session management (privilege escalation attacks), how easy it is for user-supplied input to directly access or modify back end databases (SQL injection attacks), and whether malicious links or input can be injected into the application’s pages so that users are redirected elsewhere or their browsers run attacker-supplied script (Cross Site Scripting attacks).
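As an added illustration of the second and third points above (this is example code written for this page, not code from e-Sentinel or from the original article), the following Python script shows a login query built by string concatenation beside its parameterised form, and an HTML greeting rendered with and without output encoding. The users table, the credentials and the attacker URL are constructed for the demo; SQLite is used in memory so it runs offline.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause from user input, so input is parsed as SQL.

    Returns (username, role) for the first matching row, or None.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds input as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def render_greeting_vulnerable(display_name):
    """Reflects the name into HTML unencoded: script in the name runs in the browser."""
    return "<p>Welcome back, %s</p>" % display_name


def render_greeting_safe(display_name):
    """HTML-encodes the name so the browser treats it as text, not markup."""
    return "<p>Welcome back, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    conn = build_db()
    # Attacker-chosen username: the trailing comment (--) removes the password check,
    # so the concatenated query matches alice without knowing her password.
    injected_user = "alice' --"
    print("concatenated query:", login_vulnerable(conn, injected_user, "wrong"))
    print("parameterised query:", login_safe(conn, injected_user, "wrong"))

    # Attacker-chosen display name (hypothetical attacker.example host) that
    # redirects the victim's browser if reflected without encoding.
    payload = "<script>document.location='http://attacker.example/'</script>"
    print("unencoded:", render_greeting_vulnerable(payload))
    print("encoded:  ", render_greeting_safe(payload))
```

Running the script shows the concatenated query returning alice's admin row for a username of `alice' --` with a wrong password, while the parameterised query returns nothing; the encoded greeting contains `&lt;script&gt;` rather than a live script tag. The same two controls (bound parameters and context-appropriate output encoding) are what a reviewer should look for in any server-side code that an iPhone app or mobile web site talks to.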

“In reality, I’d never give up my iPhone and nor will its legions of corporate and individual users worldwide but there is a lot more to iPhone application and web site security than just SSL,” he said.

e-Sentinel urges all clients to contact them should they have any queries or concerns about the security of their current web site, web applications or developing applications for iPhone or other smartphones.

e-Sentinel is one of Australia’s most trusted, independent providers of information assurance and computer system validation solutions working with clients in passenger air transport, medical, pharmaceutical, manufacturing, critical infrastructure (airports), finance, banking and gaming.

Bill Robson is e-Sentinel’s lead Penetration Tester and over the past decade has assessed the security of some of the largest corporations in the UK and Australia. His passion for information security keeps him on the leading edge of security research and trends in the connected world.

Tel 1300 368 803
Fax +61 (0)7 3319 6023
Level 20, 300 Queen Street, Brisbane QLD 4000, Australia