By Julian Bajkowski
One of Australia’s leading computer security researchers has hit out against the popular notion that iPads and iPhones are more secure than their competitors, comparing the unswerving faith of Apple fans to the cult of Scientology.
Speaking at the Security In Government conference in Canberra, the director of Edith Cowan University’s Security Research Centre, Professor Craig Valli, said that when one of his researchers, Peter Hannay, revealed a potential security exploit for Apple’s iOS operating system at a computer conference in Las Vegas, it resulted in “angry Apple-ites chasing him afterwards; they seemed very upset that [the new vulnerability had been revealed].”
“It’s almost like Scientology,” Prof. Valli joked in a talk that challenged whether mobile devices and smartphones were safe to use in government without security hardening.
He said that the demonstrated exploit took advantage of poor digital certificate handling in Microsoft Exchange. It worked by pushing out a fake certificate to mobile devices through a wireless access point, which could be set up at events like conferences to attract users hunting for the best signal.
“You get super user, or administrator or root level access on the device, so you can take anything,” Prof. Valli said.
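The failure mode described above, a device completing a connection to a server whose certificate it has no reason to trust, can be made concrete with a small Go program. This is an added example, not code from the article or from the ECU researchers, and it does not reproduce their exploit: it stands up a loopback TLS server presenting a self-signed certificate for a constructed hostname (mail.example.gov.au, an assumption) in the role of the rogue access point's fake Exchange endpoint, then connects two clients to it. One accepts any certificate (InsecureSkipVerify in Go's crypto/tls, the analogue of the poor certificate handling the talk criticised) and is fooled; the other trusts only the genuine server's certificate, as a device provisioned by its administrators would, and refuses the lookalike with an unknown-authority error while still reaching the genuine server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const ExchangeHost = "mail.example.gov.au" // constructed stand-in for the Exchange host the device expects

// SelfSignedCert mints a self-signed certificate for host with a fresh key. Called twice it yields
// the genuine server's certificate and the rogue AP's lookalike: same name, different key, signed
// by nobody the device has been told to trust. Leaf is set so the cert can go into a CertPool.
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// WeakClientConfig mirrors the handling the talk criticised: the client names the host it
// wants but accepts whatever certificate comes back, so a rogue AP is indistinguishable.
func WeakClientConfig() *tls.Config {
	return &tls.Config{ServerName: ExchangeHost, InsecureSkipVerify: true}
}

// StrictClientConfig models a device provisioned with the genuine server's certificate:
// only that exact trust anchor, presented for ExchangeHost, completes the handshake.
func StrictClientConfig(genuine tls.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(genuine.Leaf)
	return &tls.Config{ServerName: ExchangeHost, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// Handshake runs one TLS handshake over loopback TCP between a server presenting serverCert
// and a client using cfg, returning the client's error; nil means it accepted the server.
func Handshake(serverCert tls.Certificate, cfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverDone := make(chan struct{})
	go func() { // the server's own error is irrelevant; only the client's decision matters
		defer close(serverDone)
		if raw, err := ln.Accept(); err == nil {
			defer raw.Close()
			_ = tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err
	}
	err = tls.Client(raw, cfg).Handshake()
	raw.Close() // also releases the server goroutine if it is still waiting on us
	<-serverDone
	return err
}

// RejectedAsUntrusted reports whether err is a client refusing a certificate that does not
// chain to any of its trusted roots, the expected outcome for the hardened client above.
func RejectedAsUntrusted(err error) bool {
	var untrusted x509.UnknownAuthorityError
	return errors.As(err, &untrusted)
}

func main() {
	genuine, err1 := SelfSignedCert(ExchangeHost)
	rogue, err2 := SelfSignedCert(ExchangeHost)
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("accept-anything client, rogue server:", Handshake(rogue, WeakClientConfig()))
	fmt.Println("hardened client, genuine server:", Handshake(genuine, StrictClientConfig(genuine)))
	fmt.Println("hardened client, rogue server:", Handshake(rogue, StrictClientConfig(genuine)))
}
```

Running it prints a nil error for the accept-anything client against the rogue server and for the hardened client against the genuine server, and an unknown-authority error for the hardened client against the rogue server. The two certificates carry the same name, so nothing in the certificate itself tells the device which server is real; only the trust decision on the client side does, which is why a device that skips that decision can be walked onto an attacker's access point.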
He defended the exposure of the vulnerability as legitimate security research that followed the established protocols of alerting hardware and software makers to newly found vulnerabilities before publishing them.
“We did this properly too, we didn’t just drop it at Defcon, we actually escalated it up through CERT [Computer Emergency Response Team] that then passed it out to the vendors,” Prof. Valli said.
“The vendor response from Apple was ‘we don’t care it’s a Microsoft product’.”
Where the exploit worked on devices running Google’s Android mobile operating system, which runs on hardware from a wide range of manufacturers, it was far less clear whom to ask to fix the holes.
“[With] Android, who do you ask, seriously?” Prof. Valli said.
While Prof. Valli’s dig at Apple’s revered status with fans was primarily directed at federal smartphone users and security managers, the comments have wide-ranging implications for state and local government managers who increasingly have to manage employees who insist on connecting their own devices to work networks.
Prof. Valli said that a good starting point for security managers looking to shut potential exploits in Apple devices was the Defence Signals Directorate’s guidelines for iOS hardening.
He suggested that those responsible for security in government needed to firmly question what risks came with trends like bring-your-own-device, including saying no to the ad-hoc attachment of new devices to workplace networks.
“Ask the question: what are the security implications of this device? If you get shoulder shrugged [and told] ‘I don’t know’ tell them to take it away,” Prof. Valli said.
The security expert also took a swipe at the increasingly heated debate around highly controversial new data retention laws that have been proposed by the government.
“What makes me laugh about that whole thing is that I’d rather trust the Australian government with my information than Google or Facebook. People forget about that. Not many people have read the Google Plus rights and conditions and yet they are railing against the government storing this stuff when corporations are doing it every day,” Prof. Valli said.