Here’s a post from a week or so ago that I haven’t flagged previously. Cryptopath is discussing “iPhone PKI handling flaws.” The introductory paragraph is worth quoting in itself:
“The iPhone is obviously a consumer market product which was later enhanced to become an enterprise device…”
A later post by Dennis Fisher at Kaspersky, dated 2nd February, quotes Charlie Miller of Independent Security Evaluators at length. Some of the work ISE has done has been pretty controversial: in particular, the lab work on anti-malware testing for Consumer Reports.
However, Charlie casts a long shadow in Apple vulnerability research, and his summary bears repeating:
“You can make any part of the phone not work. You definitely don’t get to run code, but there’s lots of nasty things you can do. You can make applications not work, make it so that you can’t remove this config file,” Miller said. “At the very least, you can make someone’s day miserable.”
That may sound like the sort of stuff that will only interest the sort of hobbyist hacker you may not associate with enterprise-level technology usage. However, there are ways you can make money out of denying service. And the way in which attempts to exploit an issue with jailbroken iPhones escalated from trivial “pranks” to a functioning botnet shows how industrial-strength cybercriminals are always watching for a “business opportunity”.
David Harley FBCS CITP CISSP
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence