For years, as a P.C. and Windows user and developer, I’ve been forced to listen to inane claims about the superiority of Mac/Linux/BSD/Gameboys because they “don’t get viruses because they’re better products.”  Now, I usually try not to allow myself to be incited to anger, or shame, but come on.  That’s like saying that Malta isn’t getting invaded because their security is top-notch.  The actual quality of Malta’s security notwithstanding, they don’t get attacked because there just isn’t a market for it. With Windows keeping its market share well over 85%, it’s little wonder that it’s the prime market for attacks and exploits. And, while I won’t argue that some of the choices they’ve made over the years haven’t affected the vulnerability, the real point is that there is simply more sensetive data to be gathered from Windows users, and more “research” done into the field of Windows hacking.

Enter the iPhone “virus.”  There are several blogs and articles talking about it, and it seems that a dull roar is arising of people clamoring that there is a horrible problem here, and they’re right… ish.  While certainly any security breech allowing an attacker not only complete control over and access to your data and device is a tremendous issue, you have to balance this issue with reason.  Charlie Miller, discoverer of the vulnerability, admonishes users not to jump ship yet — at best, would-be attackers are weeks away from a workable piece of malware.

“It’s extremely hard. It took me two-and-a-half weeks to write the code for this. If there were a bad guy who wanted to attach something like a virus to this exploit, it would realistically take a few weeks if not longer for them to carry it out.”

What this means to you is that panicking and turning off your phone right this instant is probably an overreaction; then again, with an apparent lack of response from AT&T about the issue, don’t just turn off the alarm in your head just yet. If this issue is not addressed, an event that yours truly finds just a bit unlikely, then yes, feel free to panic, scream, rant, rave, and yell at Customer Service all the live-long day until they address the issue, but don’t have a heart attack today.

Certainly, the scariest part of this issue is that you really don’t have to do anything for this to affect you; simply by having adopted, as almost all of us have, technology that uses the current SMS specification, your smartphone is vulnerable.  Keeping in mind a certain amount of concern, and certainly the response of major phone carriers and manufacturers over the coming weeks will be the gauge by which we measure this, it simply isn’t necessary to jump overboard… yet.

Now, I have to admit, I do take a small amount of sick pleasure in seeing an Apple product fall susceptible to an issue this potentially massive, if only to have the slight personal vindication of knowing the truth: Everything is vulnerable, given someone takes enough time to bother attacking it.  To this end, Dai Zovi warned at a Las Vegas security conference that “There is no magic fairy dust protecting Macs.” As they gain in market share, as they become more and more ubiquitous, they become more and more vulnerable.  According to Zovi, there is more code in the Mac OS than in Windows, something which provides would-be attackers with even more vulnerabilities to exploit.

Of course, at the end of the day, all this really means is that every user, no matter their OS or hardware choice, must exersize caution.  Thinking that you can’t be targetted by someone just because you use Product X is a ridiculous security plan that will only end in heartbreak.  To put it succinctly, for the desktop computing world, I Told You So.

As for the SMS vulnerability for smartphones, it’s in the hands of the big boys now;  We’ve trusted them to look out for us for some time, but the coming weeks will be a testament to how well founded that trust has been.  Here’s hoping we haven’t been just a bunch of lemmings.

Recent Entries

• Apache Taught You The Wrong Way To Think About Web Applications
• Adventures in Parsing: PHP’s implicit semicolon (‘;’) before every close tag
• The importance of ZVals and Circular References
• PHP Quirks – String manipulation by offset
• Let’s talk about your password model
• Pour Some Syntactic Sugar On Me: ‘Unless’ Keyword
• Arrays of Objects and __get: Friends Forever
• Did You Know? Class Visibility in PHP
• On Net Neutrality – A Plea
• Blankets – Nature’s Simple Truths

This entry was posted on Friday, July 31st, 2009 at 07:08 and is filed under Information Security, The Internet. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.