
iPad Security: Part 1

Apple has been making headlines lately, with most of the uproar related to security. Not too long ago a group of perpetrators accessed an AT&T server that stored the names of iPad users, their email addresses, and the authentication information (“ICC-IDs*”) needed for access to AT&T’s network, and stole this information to learn the identities of approximately 114,000 iPad 3G subscribers. The perpetrators ran a PHP script that issued specially crafted HTTP requests to the server, each carrying a “User agent” header specifying the type of browser and other information, together with one ICC-ID after another. They guessed ICC-ID ranges by viewing Web postings in which iPad users revealed their ICC-IDs and also by asking other iPad users what their ICC-IDs were. The server responded to each request by sending back email addresses, one for each ICC-ID, enabling the perpetrators to determine the identities of iPad subscribers from the information in the addresses. The list of affected iPad subscribers reads like a who’s who: some were U.S. Congressmen, others were from Morgan Stanley, HBO, Google, Microsoft, and Goldman Sachs, one was a US Air Force general, and one was even White House Chief of Staff Rahm Emanuel.
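The request pattern described above, a single client asking about a different ICC-ID on every call, stands out in server access logs. The following added example (not from the original post and not AT&T's code) flags clients by the number of distinct identifiers they request inside a sliding time window; the log format, the `/lookup?iccid=` path, the thresholds and all sample values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client IP> GET /lookup?iccid=<digits>"
# The path and parameter name are hypothetical, not a real endpoint.
LINE_RE = re.compile(r"^(\S+) (\S+) GET /lookup\?iccid=(\d{19,20})$")

def build_sample_log():
    """Constructed sample: one client walking a range, one normal device."""
    base = datetime(2010, 6, 5, 10, 0, 0)
    lines = []
    for i in range(30):  # 30 consecutive identifiers, one request per second
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 GET /lookup?iccid={89000000000000000000 + i}")
    for i in range(4):   # a device repeatedly presenting its own identifier
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.20 GET /lookup?iccid=89000000000000555555")
    return "\n".join(lines)

def find_enumerators(log_text, window=timedelta(minutes=1), max_distinct=5):
    """Return {client_ip: peak distinct ICC-IDs seen within `window`}
    for every client whose peak exceeds `max_distinct`."""
    events = defaultdict(list)  # ip -> [(timestamp, iccid)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not identifier lookups
        ts, ip, iccid = m.groups()
        events[ip].append((datetime.fromisoformat(ts), iccid))

    flagged = {}
    for ip, reqs in events.items():
        reqs.sort()
        start, peak = 0, 0
        for end in range(len(reqs)):
            # Shrink the window until it spans at most `window` of time.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = len({iccid for _, iccid in reqs[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumerators(build_sample_log()))
```

Detection of this kind complements, and does not replace, fixing the server so that it does not return subscriber data for an identifier alone.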

You may ask why I am describing an incident within AT&T, not Apple, when this new mini-series is on iPad security. It is true that AT&T deserves most of the blame, but it is also true that Apple provided the information that was stolen to AT&T and by all appearances did not do due diligence in determining whether sufficient data security controls were in place. To its credit, AT&T has since patched the vulnerability that the perpetrators exploited, but the damage has already been done. A lot of information related to iPad customers has been breached–an auspicious start for the iPad.

The next jolt for iPad security came earlier this week when the word got out that Apple had released fixes for 65 vulnerabilities in the iPhone4. In contrast, these vulnerabilities remain unpatched in the iPad, which uses an older version of the iPhone operating system. The sheer number of vulnerabilities, let alone the criticality of some of them (particularly the ones that allow unauthorized remote execution of rogue code as root) is a very significant issue. Unfortunately, so far Apple has not even taken the initiative to recommend a workaround for the vulnerabilities in the iPad until patches become available. iPads are, therefore, “sitting ducks” from a security perspective. To exploit the vulnerabilities, all a perpetrator must do is to lure an unsuspecting iPad user to a malicious Web site. At a minimum, therefore, Apple should by now at least have warned iPad users to be especially careful concerning the Web sites they visit until patches are available.

The black hat community has been increasingly focusing on exploits for Macintoshes over the last few years, and more recently much of its attention has also turned towards exploiting iPhone vulnerabilities. iPads are thus a natural next target, especially given that they are currently so vulnerability-riddled. There is nothing magic about Apple operating systems when it comes to security, either. Apple generally does a reasonable job in providing necessary security functions such as authentication and authorization, but will never win a major prize for security in its products unless it makes a sudden shift (as Microsoft did in 2002 with its trusted computing initiative).

This is the first in a series of blog postings on iPad security. I have no particular biases other than that I have too often observed that Macintosh and iPhone users too often assume that they need to do little or nothing for security in their computers because they “must be more secure than PCs.” Hang on and take a wild ride with me–we’ll both learn a lot!

* – ICC-ID stands for “Integrated Circuit Card Identifier.”
