Mac security: mobile threats
Portable technology—laptops and iPhones particularly—comes with its own special security risks. They can be lost, for starters. And iPhones can be made especially vulnerable if you jailbreak them. Here are some tips for keeping your mobile technology—and you—safe.
The Threat
The difference between hacking an iPhone and jailbreaking one is one of semantics. It’s “jailbreaking” when we crack our own phone to run software and access parts of the operating system that Apple restricts; it’s “hacking” when the same thing is done by someone else.
In either case, you’re breaking through the iPhone’s security. Specifically, you’re disabling application code signing. On a stock iPhone, every application is digitally signed by Apple. The operating system checks those signatures (which are based on strong cryptography) before it allows an app to run. Since the main goal of jailbreaking is to run your own unofficial applications, code signing is disabled.
Trouble is, once you’ve done that, your iPhone is vulnerable. It’s far easier for someone else to run arbitrary applications on your phone. The few malicious iPhone programs seen in the wild affect jailbroken phones only; we have yet to see any attacks that affect stock iPhones. (More than a few vulnerabilities have been reported and fixed for stock phones; none of them have been exploited in any widespread attacks—yet.)
Jailbreaking is also risky because all iPhones share the same root password. (It’s easy to find with a quick Web search.) In a stock iPhone, there’s no way to access functions where you would be able to use that password. But jailbroken phones often enable remote access to the phone using common network protocols such as SSH. If you jailbreak your phone and enable network access using SSH or another protocol, but don’t change your password, anyone can easily access your phone.
This is how the first so-called “iPhone worm” spreads. The program continually scans the network a compromised iPhone is connected to for other iPhones with SSH enabled. It then accesses the phone using the default password, and installs a version of itself on this other iPhone. And then it starts scanning for new targets. Without SSH, the default password, or the ability to run unsigned applications, this worm can’t spread. In other words, it only works on jailbroken iPhones with SSH installed and a known password.
What You Can Do
As restrictive as official apps might sometimes be, they do offer far more security than those you install after cracking your phone. I personally kept my old iPhone 3G when I upgraded to a 3GS just so I could have a safe phone for jailbreaking; I don’t have any sensitive information on it and I’ve changed the default root password.
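The worm's spreading pattern described above, one device trying SSH on many neighbors in quick succession, can be spotted in network connection logs. The following Python code is an added example, not part of the original article: it flags any source that contacts SSH (port 22) on several distinct hosts within a short window. The log format, the sample records, and the thresholds (5 hosts in 60 seconds) are assumptions made for illustration.

```python
from collections import defaultdict, deque

SSH_PORT = 22

# Constructed sample records, not real traffic: "epoch_seconds src dst dst_port"
SAMPLE_LOG = """\
1000 192.168.1.23 192.168.1.1 22
1001 192.168.1.23 192.168.1.2 22
1002 192.168.1.23 192.168.1.3 22
1003 192.168.1.23 192.168.1.4 22
1004 192.168.1.23 192.168.1.5 22
1005 192.168.1.23 192.168.1.6 22
1000 192.168.1.50 192.168.1.10 22
1020 192.168.1.50 192.168.1.10 22
1030 192.168.1.50 192.168.1.10 443
1000 192.168.1.77 192.168.1.1 22
1100 192.168.1.77 192.168.1.2 22
1200 192.168.1.77 192.168.1.3 22
1300 192.168.1.77 192.168.1.4 22
1400 192.168.1.77 192.168.1.5 22
garbled line
"""

def parse(log_text):
    """Yield (ts, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_ssh_sweepers(records, min_hosts=5, window=60):
    """Map each flagged source to the most distinct SSH targets it hit in any window."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, port in sorted(records):
        if port != SSH_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q[0][0] < ts - window:  # drop attempts older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

On the sample data only 192.168.1.23 is flagged: the host that reconnects to one server and the host that reaches five servers over several minutes both stay under the threshold.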
Lost Mac or iPhone
The Threat
Macs and iPhones are beautiful, powerful bits of technology that are popular with consumers and criminals alike. While all cell phones and laptops are prime targets, Macs and iPhones are especially cherished. If a bad guy has to choose between a $299 netbook and a MacBook Air, the Air’s going first.
Losing a prized computing device is the hat trick of security failures: You lose the device, you potentially lose installed software, and you expose your stored personal data.
What You Can Do
Preventing data loss (as opposed to data exposure) is an easy problem to solve. For Macs, stay up to date with system backups. Time Machine is included with OS X and capable of fully restoring a lost system.
If you’re worried about a burglar stealing your Time Machine backup drive, back up your backup system by using an online backup service. iPhones back themselves up automatically when synchronized using iTunes, and you can manually trigger backups at any time by selecting the phone in iTunes, Command-clicking, and selecting Back Up.
Preventing data exposure is more difficult. If you’re worried about losing a laptop, deploy good passwords and encryption. Make sure your Mac requires a password when waking from sleep or hibernation: in the Security preferences pane, on the General tab, select Require Password After Sleep or Screen Saver Begins.
You might also consider using FileVault to encrypt all of the files in your home directory. FileVault isn’t perfect, and can cause some problems with Time Machine and other backup software, but it’s free. It won’t stop a smart hacker, but an average criminal will probably just wipe your hard drive or sell the system; at least your data will be safe.
The iPhone has even more security options. In Settings -> General -> Passcode Lock, you can set a four-digit code to access your phone and specify a time delay before it’s activated. If you are a MobileMe subscriber, you can also use the Find My iPhone feature to physically locate your phone using the GPS location, or trigger a remote wipe. The iPhone 3GS includes hardware encryption, but there are ways to circumvent it, so remote wiping is your best option.