iPhone/iPad Security & Travelling Tips
In July 2013, researchers at Georgia Tech Information Security Center (GTISC) developed a technique whereby an iPhone/iPad can have all sorts of malware installed on it, simply by attaching it to a tiny computer. Such a computer/cable could be easily made to look like a normal charging cable.
Although this sounds like an unlikely mechanism to attack your iDevice, and in any case in iOS 7 this weakness has been locked-down to an extent (see below), it highlights one of the so-called Immutable Laws of Computer Security: namely, that if a bad guy can get his hands on your device, however briefly, it's not your device any more. In other words, the physical security of the device is as important as the software security. All the PINs, passwords and encryption in the world won't help if it's possible to inject malicious software onto a device simply by attaching a cable.
Within Australia, this attack vector is not a great risk. But overseas is another matter. People who travel for work should be very mindful of what happens to their device. If you operate in any sort of sensitive industry, even something like a non-defence, non-technology trade industry, there are going to be competitors, or even Governments, who want to know what you're up to, and have access to your private correspondence. Even leaving your phone in your hotel room while having breakfast could leave your device susceptible to being compromised during that short window.
Having the phone stolen is now no longer the only risk. A stolen phone can be remotely wiped and the various services it connects to (corporate email, intranets) disabled. But if your phone is compromised without your knowledge, it may be months before this is discovered, and untold secrets leeched from it.
Supposedly these sorts of attacks are already happening:
- High-level guests at the G20 were given various electronic gadgets — the type of corporate gift anybody who has attended a conference will be familiar with — which attempted to perform exactly this type of spying. Whether this particular story is true (and the veracity is hard to confirm), there is no doubt this hypothetical attack vector will increasingly become an actual attack vector.
- There are claims the United States' National Security Agency has technology which captures information from iPhones, although it appears to have been from several years ago and it's hard to gauge whether such software would work on modern versions of iOS. But in any case, installing the software would almost certainly require physical access.
There is an immense amount of corporate data stored on smartphone/tablet devices and it's an irresistible attraction for hackers and corporate espionage.
Therefore, safety tips for device security while travelling (especially internationally):
- Never leave the device alone; always have it with you;
- If the device is stolen, inform your IT service provider immediately, even if you're in a different timezone;
- Never use a public charging station;
- Always use your own charging cable, and power adaptor;
- Wherever possible charge the device from your laptop, not the wall;