Security Firms Can't Protect iPhone From Threats
nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.
It's closed so it's perfect (Score:4, Insightful)
And it's from Apple.
So it's doubly perfect. It's not like Mac OS has any security problems either.
So nothing to see here.
Re:F-Secure smells money (Score:3, Insightful)
Yep, if they are worried, just push it out to Cydia. Of course most (before someone comes whining, I did not say all!) of the users with jailbroken phones use pirated software, so there's no money in that.
FUD (Score:2, Insightful)
For those new to the internet, that would be Fear, Uncertainty, and Doubt. This sort of garbage would be a pretty classic example of it.
Re:F-Secure smells money (Score:5, Insightful)
What I think is most telling about that quote is how an AV company has blurred the distinction between a "virus" and what basically amounts to a default password security hole. Sorry, but how does that make me want to trust you to run software on my device if you don't care to demonstrate you know the difference between these two types of attack?
The only reason why the jailbroken phones were vulnerable was because the default SSH password was not changed. No amount of AV is going to protect against a user's stupidity. This statement by F-Secure is about the money-making opportunity they're dying to exploit, and they're clearly riding the wave of negative publicity surrounding the closed platform nature of the iPhone.
Re:It's closed so it's perfect (Score:2, Insightful)
The mac OS is not as closed as the iPhone, which is why it is more vulnerable.
News at 11 (Score:4, Insightful)
Re:It's closed so it's perfect (Score:5, Insightful)
Look at it the other way: it's perfect, until it's not closed.
What I mean is that Apple is doing the right thing. They should continue to deny anti-virus vendors from selling their warez, at least until there's a proven threat. And so far, there are none. From Apple's viewpoint, it's a great marketing tool to be so confident in their security that they won't compromise it by letting AV software on the platform. And for everyone who knows just how crappy AV software usually is (and how bad it drags down performance) it really is good news.
Seriously. As long as Apple keeps patching the holes the jail breakers use (which they seem to do within days) there simply are no credible threats. Oddly enough, this means the jail breakers are actually their best allies, in that they absolutely have the strongest motivations to hack the iPhone; and since their jailbreaks must necessarily be public to be useful, Apple can keep in lockstep with them.
That also means Apple must continue to keep it tightly closed, and never permit leaky crapware like Flash to run on it. Which indirectly benefits the rest of us, as that means sites that want to play nice with iPhones may provide usable Flash-free alternatives. We can hope, anyway.
Security Through Obscurity Never Works (Score:3, Insightful)
"While Apple claims that the iPhone's closed nature offers protection to its users"
Phones must not need anti-virus (Score:5, Insightful)
Going further, I have absolutely no patience with people who hack iPhones. A phone is an appliance connected to a public asset - EM bandwidth. People using public assets have a duty of care, and it's the failure of duty of care (tragedy of the Commons) that has done a lot of damage to society.
What I do on my own local network is my affair, but I think increasingly we should have a reasonable expectation that anything connected to a public network is properly secured and maintained, just like (in the UK at least) we test cars annually to check they are safe on the road. I'm afraid that the Wild West days of the Internet are increasingly over - and the excesses of some people are bringing down an overreaction.
Over the next 20 years we have to find a way to put the genie back in the bottle without killing the genie or spoiling the bottle. The politicians will try to screw this up. But the rest of us need to realise that we need to grow up too - we need to understand that if we want a reliable public internet and mobile phone system, we need to stop treating people who act irresponsibly as if their behaviour was acceptable or clever. Otherwise anti-virus and anti-malware software will continue to eat up too many of our CPU cycles, shorten the lives of our hard drives, and cause increasing frustration to those of us who actually need to earn a living, and have to use the Internet and the phone system to do it.
Re:No mechanism for transmission (Score:3, Insightful)
LoB
The iPhone is running windows? (Score:4, Insightful)
I thought it was running some form of Unix/Linux sort of OS.
I realize these modern day snake oil salesmen have convinced corporate America that their product is effective against all viruses on all platforms. However, if you look at the definition file that they install on all the systems, you'll see that the signatures list which platform they're for. I was curious so I grepped the file. Turns out that while there are hundreds of thousands of Windows definitions in the file, there are only tens for Linux and fewer for Sun.
When pressed on this they'll tell you that they look for all those viruses so they aren't passed by the ftp/http/mail server on the Unix box. While there's some merit to this position, I don't see how it's at all relevant to the iPhone.
Re:I see an opening for Android... (Score:2, Insightful)
A) No real way to get it to work on non-jailbroken iPhones.
B) The fact that every iPhone worm worked because of having SSH running with a default password. That is basically equivalent to going to Defcon with a laptop with a sticky note saying "Username is user, password is alpine"; of course things are going to turn out badly. Everyone knows what the default SSH login is on iPhones (alpine), and when there are thousands of them running with the same password, why are people surprised when bad things happen?
C) It is a lot easier to make a virus for Android than the iPhone.
"Whaaaaaa!" (Score:3, Insightful)
That's all I hear.
Re:It's closed so it's perfect (Score:4, Insightful)
It's false for anyone to claim that there are any active worms or viruses on iPhone. The reported worms don't target the OS but rather the fact that users are (1) explicitly installing OpenSSH and (2) not changing their default passwords. Any machine at all that is on the internet with a known root password is vulnerable. It's similar to buying a router and leaving the password at "password." Is this a flaw in the router or the user?
Re:F-Secure smells money (Score:4, Insightful)
I love how everyone pretends that the recent trojan targeted "jailbroken" iPhones.
It didn't. It targeted stupid users who happened to have a jailbroken iPhone. Specifically, it targeted users who install OpenSSH without changing the default password (ignoring warnings to the effect). There's no vulnerability here, and a stock jailbroken iPhone is not vulnerable. The same exact kind of malware can affect every poorly configured UNIX system out there - for example, that router-based botnet that infected routers with default SSH passwords running Linux. There are tons of Linux rootkits out there too, and servers with poor passwords are rooted all the time. Does that mean we urgently need craptacular AV software on all Linux boxes?
On the other hand, it is true that a non-jailbroken iPhone has an extra layer of protection in the form of compulsive executable signing. Apple ostensibly has superior security (in non-jailbroken devices), but that's just because they lock down the device tight. It's "good" old Trusted Computing, the kind that does not trust the user. By jailbreaking the device, you're freeing yourself from nanny Apple's oversight. If it turns out you were better off with it, well, that's your own fault.
Re:It's closed so it's perfect (Score:3, Insightful)
If Apple opens up the iPhone to allow third-party anti-virus programs to run, guess what will happen? All of a sudden there will be viruses for the iPhone. Gee, I wonder why Apple doesn't want to do that?
No sympathy from me for people using hacked iPhones and getting trojans since they knew the risks when they hacked it.
Neither do game consoles! (Score:3, Insightful)
Seriously, this is news for nerds? Some morons jailbreak their phones, leaving SSH with a default password, they get hacked, and suddenly A/V firms think they have an "in"? You could install every A/V program on the planet on a Windows PC, but if you install SSH with a default password, it will still get hacked.
Re:It's closed so it's perfect (Score:5, Insightful)
This entire thing is just laughable. "We can't write A/V software for your product because no one can write software for the iPhone that is, or that stops, viruses". So, they're asking Apple to create the problem, which they will then be able to sell a fix for.
Just HOW stupid do they think we all are?
The only people right now that have any use for antivirus or antimalware software for their iPhone are those that have jailbroken them, in which case they could also install and run AV software. But there's not a big enough market for that at this point. If they really wanted to write it, they could, right now. There's just not enough profit in it yet.
Re:It's closed so it's perfect (Score:3, Insightful)
AV vendors, please go back to the Windows desktop PC where you came from.
And a portion of the irony here is that this is partly the reason that Windows has such a virus and malware problem. "We want the Mac platform to be just as exploitable as the Windows platform, so we can profit from it too."
Uh... NO. Go away.
Re:F-Secure smells money (Score:3, Insightful)
No amount of AV is going to protect against a user's stupidity.
And no amount of AV is going to protect against vendor/distributor stupidity either. Here we have a program, running on a non-firewalled device, which on install, instead of being non-functional, opens up to the whole world with a default password. This is not the 1990s, people! In this day and age, I expect a program to be secure by default... whatever it takes, even if it means it is non-functional at install.
I actually have a jailbroken iPhone on which I installed OpenSSH. When I logged in I immediately realized the risk I was running and changed the password. However, between the time of installing OpenSSH on my iPhone and the moment I changed the password there was at least a period of 5 minutes in which people could have hijacked the machine. Unforgivable. This distributor should be ashamed of himself.