The iPhone Is Your Friend, Or Is That Enemy?

I know that this topic has been discussed before, but I am writing this one as a reminder to all the CISO’s out there that allow people to connect their phones to your corporate PC’s.

I do agree that in their default configuration iPhones aren’t exactly the most dangerous of devices to have on your network, however if you take the step to Jailbreak your iPhone, it opens up a whole new playing field.

After Jailbreaking my phone, the first things that I installed were nmap, metasploit, tcpdump and an application to enable my phone as a USB drive. This allowed me to gain access to a corporate network via wireless on my phone, and exploit a windows host in about 10 minutes, all from sitting in the lobby.

Also with a bit of scripting/or paid for applications, I was able to plug my iPhone into a PC and copy everything that was stored in the My Documents folder for that user. Some of this was company confidential data, some of it was personal photos and banking details.
Don’t get me wrong, I love my iPhone, but I believe that corporations should really take smart phones as a serious security risk, and not just write them off as phones. The age of a cell phone being just a cell phone is long gone now, and phones are easy to get into places and no-one bats an eye lid if you spend 10 minutes typing on your phone.

Next time you see someone sitting in a lobby working on their phone, remember this article, and ask yourself, what defenses do you have in place to protect against this threat?

Share
  • http://theledgeofknow.blogspot.com Lisha Sterling

    Someone sitting in a lobby working on their phone is, essentially, no different than someone sitting in a lobby working on their laptop. Any security system that is based on the idea that you are going to be able to keep wireless network connected devices away from your playground is not going to work.

  • http://www.ericgoldman.name Eric Goldman

    This has been a problem for years. In a study I worked on for iPod forensics, I set forth a scenario where someone could use a simple device like a regular iPod for nefarious reasons: Steal corporate data – thumb drives may be suspicious, but non-technical people may not know you could use it as attached storage. Another scenario hypothesized that a drug dealer could store records on an iPod like device because the police may never think to look for evidence on a music player.

    iPod Forensics Presentation:
    http://www.ericgoldman.name/security/17-forensics/38-ipod-forensic-investigation-techniques-presentation