OSX Doomsday: One Week Away

Apple will release their highly-advertised and highly-coveted iPhone a week from today. With all the clamor about how nifty it is, I think it’s time for a reality check. And I don’t mean how much an iPhone will cost upfront, or how owners and users will be locked into multiple subscriptions (AT&T will require a two-year service contract, Apple will require iTunes subscription, etc.).

I mean, How secure is OSX.

Apple products, aside from iPod, have never garnered enough use to warrant the kind of onslaught Windows has faced from hackers. I think iPhone is about to change that.

Why do people rob banks? That’s where the money is. Hackers attack Windows because of its prevalence. It helps that it’s historically been so vulnerable to system compromise, but it’s not attacked simply because it’s vulnerable. Windows is hacked because it dominates desktops, laptops, and has a sizable share of other devices like phones and PDAs. Hackers generally don’t target OSX because 5% of the market — and it’s actually a lucrative 5% of the market given Apple’s demographics — isn’t worth the hassle when 95% of the market is awash in Windows. Windows is where the money is.

If iPhone really is all the rage, suddenly mobile phones running OSX become a legitimate target. That can change the dynamics because all of a sudden Apple will have their OS on devices in a lot of hands, which means hackers will have more reason to probe and exploit vulnerabilities in OSX.

And for the same reasons they attack Windows computers.

Many people already use smartphones for managing the content of their lives. Banking transactions can be carried out via Java applets. Other personal data are transmitted. Some of it’s encrypted. A lot of web use, though, isn’t.

Apple has yet to address questions about security related to iPhone. So has AT&T. The only articles I found in searching for those company names along with iPhone and security this morning relate to stepped up loss-prevention in AT&T and Apple stores next week. I haven’t found very much about securing data on iPhones or across networks.

Most of the security articles I’ve found about iPhone, in fact, deal with how IT professionals are implementing policies about iPhone use on their networks. In many cases, they’re pre-emptively banning them from their networks.

Aside from bashing Microsoft in silly ads, Apple doesn’t have much experience with security. They’ve lived in their sheltered world with a comfort that comes from a small slice of the market, not from inherently safer code. The release of Safari for Windows — yes, I know it was pre-beta — shows that they’re not on the ball. To their credit, they released their first security patches within 96 hours. But Apple won’t get away with reactive security on mobile devices like that.

I linked to articles about Dino Dai Zovi’s nine-hour pwn of a MacBook at CanSecWest (see Apple Sucks). It took people like Aviv Raff and Thor Larholm less time to find holes in Safari for Windows.

With the iPhone, there will be a lot more eyes looking for exploits in OSX. The exploits are already there.

The iPhone could very well turn into the iPwn.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: