It was bound to happen. Hacking into Apple's iPhone via its Web browser shouldn't surprise developers (see "Security Firm: iPhone Can Be Hacked" at www.electronicdesign.com,ED Online 16177). The iPhone is based on Apple's OS X operating system and applications, which have tended to draw less fire from attackers
than Windows. But large systems are bound to have holes.
Most developers don't have to contend with the iPhone yet. Yet the number of
new networked devices, especially wireless
devices, is growing rapidly. The need for
improved security is growing as well. The big
question is whether developers are learning the
security lessons or whether such flaws remain
somebody else's problem (see "iPhone Hack:
Security Lessons Learned," ED Online 16196).
Products like Green Hills Software's Integrity and Lynuxworks' LynxOS have
been pushing Multiple Independent Levels of Security (MILS) and Evaluation Assurance
Level (EAL) security, but mostly in military applications (see "Platforms
Strive For Virtual Security," ED Online 10813). These standards are equally
applicable to most embedded applications. Unfortunately, virtual-machine partitioning
like that provided by Xen and VMware has been used to just isolate operating
systems (see "Virtualize The Operating System," ED Online 9840).
In many cases, though, the ability to securely
partition a system is available, but developers
and users don't take advantage of these features. In fact, the problem with the iPhone was
that all applications ran as the superuser, root.
Linux users are probably familiar with the National Security Agency's (NSA)
SELinux, which provides a more sophisticated security system than stock Linux.
It's standard fare for distributions like Red Hat's Enterprise Linux (RHEL).
Of course, it always comes down to using these features. I happen to run CentOS,
a fully open-source version of RHEL that also incorporates SELinux. Unfortunately, I
don't even take advantage of the SELinux features, though my root password does
tend to be over 20 characters.
Part of the issue is management tools. SELinux tools are always improving, and
applications are finally gaining some support. On the other hand, few embedded
Linux distributions or other embedded operating systems even come close to Red
Hat's support.
Unless developers start weaving security into their work, system security breaches will only get worse. That's not a good thing for the customer. Meanwhile, the
iPhone will have a long and useful life. It will be interesting to see if it and other
wireless platforms will be safe and secure as well.
Apple • www.apple.com
CentOS • www.centos.org
NSA SELinux • www.nsa.gov/selinux
Red Hat • www.redhat.com
See Associated Figure