In the offseason, several NFL teams moved their coveted playbooks to electronic form using iPads. They are relying heavily on iOS security to protect their team secrets. Could somebody hack into an iPad and steal a playbook? Well, it depends. It depends on how well the overall security framework is set up around the iPad, iOS and the applications involved in reading the playbook.
Primary Areas of Risk
1. Physical Security -- If you lose your iPad and a bad guy finds it, it's game over. There are some ways to protect your data which I will get to shortly. You say "remote wipe." Sure, if it's on and within wireless network range.
2. Malware -- The "first" for iPad was discovered this summer in the Apple app store (I quoted "first" because I find it suspect). In July, Kaspersky found a malicious app in the iOS app stores called "Find and Call." The malicious app uploaded users' contacts, then sent each contact an SMS message including a link to download the app.
3. Operating System Vulnerabilities -- Humans make mistakes. These programming mistakes become operating system vulnerabilities which are exploited by threat agents (hackers). This summer, Apple released iOS 5.1.1, which addressed three vulnerabilities found in iOS/Safari that allowed a hacker to establish a man-in-the-middle attack. In a man-in-the-middle attack, web traffic is intercepted, read and likely saved by a third party. The entire time, end users (you) have no idea all your traffic is being read and recorded.
4. Application Vulnerabilities -- Programmers are human, too, and there are likely undiscovered vulnerabilities in apps at the Apple store. Once a vulnerability is found, it will be exploited and used to steal information from iPads. Our team of ethical hackers does this for a living and there are all kinds of vulnerabilities a scanner won't find in code.
5. Unencrypted Transmission -- The free unencrypted Wi-Fi at Joe's Coffee is a huge risk. Information packets transmitted by your iPad can be intercepted and read by a hacker. Even some encryption (WEP) can be compromised fairly easily.
Protect Your Data
1. Don't lose track of your iPad -- To protect against an accidental misplacement, require a passphrase, which also encrypts data saved on the device. iPads use hardware encryption by default, which is enabled via the pass code. If an attacker compromises the pass code (or jailbreaks the device) they will get most data on the iPad. If they can't easily get past your pass code, they can jailbreak the device and brute-force the pass code. Then all your data is exposed. Enforce the use of complex pass codes. No, 1234 won't cut it. Use numbers, lower and upper case letters and symbols in your password. Preferably 10 digits in length and not easily guessable.
2. Enable auto wiping of device data -- Set the device to wipe data after 10 failed attempts to log in.
3. Make sure the operating system and applications are upgraded as soon as vulnerabilities are patched -- Not doing this will leave your device vulnerable to exploitation.
4. Establish a VPN connection when using Wi-Fi.
5. Manage the iPad with a Mobile Device Management (MDM) solution -- This will allow more control over how the device behaves. MDM will enable you to do things like whitelisting apps before they can run on the iPad.
6. Consider using your device as a terminal and not storing any data on it -- Store all the data on a secure server and remote in as needed.
Brett Kimmell is the manager of the risk management practice at SecureState.
This story, "Don't Fumble iPad Security with an NFL Playbook," was originally published by CSO.