I know that this topic has been discussed before, but I am writing this one as a reminder to all the CISO’s out there that allow people to connect their phones to your corporate PC’s.

I do agree that in their default configuration iPhones aren’t exactly the most dangerous of devices to have on your network, however if you take the step to Jailbreak your iPhone, it opens up a whole new playing field.

After Jailbreaking my phone, the first things that I installed were nmap, metasploit, tcpdump and an application to enable my phone as a USB drive. This allowed me to gain access to a corporate network via wireless on my phone, and exploit a windows host in about 10 minutes, all from sitting in the lobby.

Also with a bit of scripting/or paid for applications, I was able to plug my iPhone into a PC and copy everything that was stored in the My Documents folder for that user. Some of this was company confidential data, some of it was personal photos and banking details.
Don’t get me wrong, I love my iPhone, but I believe that corporations should really take smart phones as a serious security risk, and not just write them off as phones. The age of a cell phone being just a cell phone is long gone now, and phones are easy to get into places and no-one bats an eye lid if you spend 10 minutes typing on your phone.

Next time you see someone sitting in a lobby working on their phone, remember this article, and ask yourself, what defenses do you have in place to protect against this threat?