Wireless Wide Open?

Sept. 13, 2007

It was bound to happen. Hacking into Apple's iPhone via its Web browser shouldn't surprise developers (see "Security Firm: iPhone Can Be Hacked" at www.electronicdesign.com, ED Online 16177). The iPhone is based on Apple's OS X operating system and applications, which have tended to draw less fire from attackers than Windows. But large systems are bound to have holes.

Most developers don't have to contend with the iPhone yet. But the number of new networked devices, especially wireless devices, is growing rapidly, and the need for improved security is growing with it. The big question is whether developers are learning the security lessons or whether such flaws remain somebody else's problem (see "iPhone Hack: Security Lessons Learned," ED Online 16196).

Products like Green Hills Software's Integrity and LynuxWorks' LynxOS have been pushing Multiple Independent Levels of Security (MILS) and Evaluation Assurance Level (EAL) security, but mostly in military applications (see "Platforms Strive For Virtual Security," ED Online 10813). These standards are equally applicable to most embedded applications. Unfortunately, virtual-machine partitioning like that provided by Xen and VMware has been used just to isolate operating systems (see "Virtualize The Operating System," ED Online 9840).

In many cases, though, the ability to securely partition a system is available, but developers and users don't take advantage of these features. In fact, the problem with the iPhone was that all applications ran as the superuser, root.

Linux users are probably familiar with the National Security Agency's (NSA) SELinux, which provides a more sophisticated security system than stock Linux. It's standard fare for distributions like Red Hat's Enterprise Linux (RHEL).

Of course, it always comes down to using these features. I happen to run CentOS, a fully open-source version of RHEL that also incorporates SELinux. Unfortunately, I don't even take advantage of the SELinux features, though my root password does tend to be over 20 characters.

Part of the issue is management tools. SELinux tools are always improving, and applications are finally gaining some support. On the other hand, few embedded Linux distributions or other embedded operating systems even come close to Red Hat's support.

Unless developers start weaving security into their work, system security breaches will only get worse. That's not a good thing for the customer. Meanwhile, the iPhone will have a long and useful life. It will be interesting to see if it and other wireless platforms will be safe and secure as well.

Apple • www.apple.com
CentOS • www.centos.org
NSA SELinux • www.nsa.gov/selinux
Red Hat • www.redhat.com

See Associated Figure

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF
