Apple has unveiled the latest iPhone and the latest enhancements, including a new biometric security offering called Touch ID. In addition, Apple confirmed that iOS 7 will be released later this month. So will Apple's newest offerings have any impact on corporate security?
On Tuesday, Apple announced the iPhone 5S and the iPhone 5C, two devices that will replace the iPhone 5. However, while the consumer market will have their own opinions and thoughts on the latest Apple offering, the IT community is paying attention for different reasons. Tuesday's announcement from Apple's HQ in Cupertino, California also discussed iOS 7 and the biometric security offering, Touch ID.
During Apple's launch event, Phil Schiller, the senior vice president of worldwide marketing, said that passcodes were too cumbersome for some people. "In our research about half of smartphone customers do not set up a passcode on their device, and they really, really should," he remarked.
One of the largest risks in a BYOD program is the lack of overall management and data protection; this is why passcodes are the default security setting applied to most devices. It isn't foolproof, but passcode enforcement is a solid building block. Yet, without enforcement, most device users skip the passcode, for the same reasons Schiller mentioned.
To address this issue, Apple used the technology acquired when it paid $356 million for AuthenTec (a company that focused on identity management and fingerprint sensors) last July, to offer consumers a "key you have wherever you go. Your fingerprint," Schiller said.
The fact that Touch ID will do more than just unlock the device, as it can act as a secure authentication mechanism for other iOS-based apps, as well as acting as a link to a user's Apple ID — enabling purchases from the various Apple stores (iTunes, App Store, iBookstore), sparked plenty of debate online.
On Twitter, many of the reactions were focused on privacy issues, and others debated how effective Apple's implementation of biometrics would be in the long term. At issue is the fact that laptops have had biometrics for some time, and they are rarely used.
Others raised the point that biometrics were not considered when existing mobile management offerings were put into place, so there will need to be costly (in money and time) adjustments made. Apple, for their part, explained that the fingerprints used by the iPhone 5S would be encrypted and stored on the device's A7 chip, and not on a server somewhere in the iCloud.
Marcus Carey, inventor at Threat Agent, a company that provides security professionals with applications to do security assessments and training, pointed out on Twitter that the security industry needs two-factor authentication and biometrics. Instead of arguing, he said, security professionals "should be thinking how you could leverage built in Biometrics in iOS to help secure your data."
But building ways to implement biometric data protection on top of authentication may be difficult unless Apple opens up. In a statement, the Fast Identity Online (FIDO) Alliance said that while Apple's announcement raises awareness around strong authentication, it amounts to little more than "just another proprietary authentication solution, no different from terrific authentication solutions already in the marketplace."
"No matter how good an authentication solution may be, Apple's or any others — until there are open standards for interoperability, the backend and the need for federated identity cannot be addressed, and nothing really changes."
The risk associated with Apple's new identity feature is one that will need to be followed and examined as time goes on, but with an influx of new iPhones coming to the network, administrators and security minders will need to act sooner rather than later.
The key takeaway for many actively working in the field is that Apple's offering is a start, and if it helps with the existing problems surrounding authentication, then that's a good thing. The trick will be making it work with whatever's already in place on the network.
With iOS 7 coming, should jailbreaking be a worry?
Years ago, security managers and network administrators worried about iPhones because some users were jailbreaking their devices. Initially, the number of people with jailbroken devices was small, but once the concept took hold, others started doing it, but forgot to take basic security precautions, opening themselves (and in some cases their employers) up to increased risk.
With a new iOS release coming, the topic of jailbreaking is back in the spotlight. Already, a private jailbreak for iOS 6.1.4, running on an iPhone 5 has been demonstrated, but it hasn't been made public. With the latest version of iOS coming later this month, the 6.1.4 jailbreak is unlikely to be released, but its existence proves that the jailbreaking community is alive and well.
Earlier this year, in just four days, 7 million Apple devices were jailbroken by consumers using the Evasi0n tool.
Jailbreaking happens because people want more from their devices, and providers like AT&T and Verizon maintain strict environments and application controls. This situation doesn't account for the needs of the business when it comes to BYOD, which complicates things somewhat for organizations that demand or require controlled devices.
Speaking to CSO, Jay Freeman, the administrator for Cydia (the app store for jailbroken devices), when asked his opinion on jailbroken devices in a corporate setting, said that the general concerns are somewhat misplaced.
"In a corporate setting, I think that people are overly concerned about jailbroken devices and not sufficiently concerned about jailbreakable devices," Freeman told us.
"The concern is that the device is jailbreakable. It not being jailbroken yet doesn't help [emphasis his]. In fact, if you jailbreak it, you might be able to install security patches, or other hardening features, on the device that will keep it from being attacked later."
Existing mobile device management solutions will do little to stop jailbreaking, if they can stop it at all, Freeman explained when asked about such a protection.
"I have never heard of an MDM solution that could somehow prevent a jailbreak. And the concept of detecting a jailbreak from an app is fundamentally flawed as you are at the same privilege layer as the attacker (but play your hand later), so you will lose."
When asked about the timing of jailbreaks in relation to iOS releases, Freeman pointed CSO to a post of his on Reddit, where he commented on how complicated the process can be. While many believe that jailbreaking a device is as simple as exploit-and-go, the reality is completely different.
Previous widely publicized jailbreaks relied on "userland" exploits — or bugs that exist in software (such as a browser). The problem is that this created a cat-and-mouse game between Apple and the jailbreaking community. The community would discover a weakness and jailbreak devices with it; Apple would patch that flaw and prevent the same trick from working again.
The iPhone 4 was the last Apple device to be permanently jailbroken. But the existence of userland bugs created a misunderstanding when it came to the difficulty of jailbreaks and how they related to firmware updates.
"These userland jailbreaks require multiple bugs, and one of the bugs has to be in the kernel (in order to deactivate the codesign protection). Meanwhile, Apple has stepped up their game, adding stronger protections like kernel ASLR. This means that the jailbreak community is working with a dwindling supply of 'known bugs,' has more complex challenges being faced to exploit these bugs, and operates under the knowledge that any new OS update fixes everything," Freeman wrote.
So with the pending release of iOS 7, following a beta where developers had access to the code for a short time, the notion of a jailbreak for it is still in the air. It will take some time, however, as Freeman said that in general the jailbreak community doesn't work with beta software for either development work or exploit finding.
"Apple betas tend to be a seriously moving target. Things that don't affect developers or that aren't 'risky' thereby tend to end up in later betas, and bugs that are present early are often just temporary as Apple is 'still working on it'," he said.
Elsewhere, there is speculation that Apple's new 64-bit architecture could lead to new exploits that are focused on specific bugs in the kernel or software. The downside is that such a change will also break many of the existing jailbreak extensions.
"My opinion is that it will make little or no difference in terms of security, vulnerabilities and exploitation. All the difficult parts about jailbreaking will remain as difficult but not more so than before. In terms of actually packaging a jailbreak for mass consumption, it'll be a PITA to support an entirely different instruction set, but that's just a question of engineering," commented one user in the Reddit thread.