The news is out! Steve Jobs’ ‘final iPhone design’ and ‘Apple project’: the iPhone 5 is about to flood the world! In fluttering anticipation, Brandon has been glued to the Apple feeds, waiting for the words from the Moscone Center in San Francisco announcing its release date and, most importantly, the iPhone 5’s preorder launch. Having built an AppleScript to refresh the Apple home page every 5 minutes and email him an alert on any hash delta, he assures himself that all is well in Cupertino. He’s been the first of everyone he knows to get the latest iPhone regardless of what critics say.
These little devices are dream machines and there is nothing that’s going to stop him from getting it – especially before anyone else in his circles. He uses it for home, work and just about everything – heck, he even uses the Square card reader so his co-workers can pay him back for the morning burritos he brings in every Friday. He’s got it all planned out… walking along the Apple store lines, showing off his pre-order receipt, blogging about his fantastic accomplishment, the dramatic unboxing (to be processed using Final Cut Pro) to be posted on YouTube. The utter glory of being an iPhone 5 owner!
Not wanting to be seen with an iPhone 4S as soon as the iPhone 5 gets into his sweaty palms, he has spent a couple of hours searching around Craigslist for the going rate of this newly deprecated device. He uses iTunes to back up all his iPhone data, backs up his backups using Time Machine and even uses an aftermarket utility to back up anything else that may get missed – just in case. So he isn’t worried about losing his data in the least.
Soon after the announcement, Brandon sees the Craigslist prices of the iPhone 4S drop each day as the arrival of his pre-ordered iPhone 5 gets closer. He knows he needs to sell it before the price goes too low, even if he is without a phone for a day or so. He’d rather be without a phone if it comes to that. He quickly posts on Craigslist ‘iPhone 4S 64GB w/AppleCare like NEW $400’. He’s only dropped it once, and that was some girl’s fault, not his, so it doesn’t count.
In about 35 minutes he gets a response to his Craigslist ad and agrees to meet up with the buyer in less than an hour at the local Carl’s Jr. parking lot (aka a well-lit, public place). He’s never had trouble meeting up and doesn’t want this to be the first time, so he doesn’t argue about the timing. Brandon was hoping he’d get a chance to wipe the device and restore it to factory defaults, but the buyer assured him he was planning to jailbreak it and resell it anyway, so the data would be lost one way or another. Since it was his only phone, he didn’t have a way to contact the buyer at the parking lot in case there was a delay or other issue, so he just removed a few apps, and that made him feel better. The buyer arrives and soon the deed is done. Brandon has the cold hard cash in twenties and is rid of the old thing.
Meanwhile the buyer looks down at the iPhone as he drives away with a gleam in his eye. There will be blood tonight.
What the buyer (aka the attacker) ends up finding on Brandon’s nearly intact iPhone is a myriad of information that he is careful to copy to his system, ready to parse. Brandon even left his work email functioning (just set to off), and his 1Password wallet, locked with ‘1234’, held a ton of login passwords. Brandon’s life is about to hit the ethernet, and he has handed over not only his personal life and finances but also his employer’s.
Like many modern companies, his employer allows its employees to use their own communication devices and even offers a monthly stipend to alleviate their phone bills. What the company didn’t have was a way to monitor the data: where it was coming from, where it was going, or even who was really using it. They figured their generic computer usage policy was enough to keep an honest man honest. What they didn’t figure on was that one of their high-level engineers was about to sell their company data for a measly $400.
Introducing Bring Your Own Device (BYOD) policies into an environment becomes an arduous process for those interested in information security, because security has evolved into a neglected afterthought. All the ‘high levels’ want is for their employees to use what they already have, instead of having to buy them something new and worry about replacement cycles, long distance bills, unintended charges, etc. They try to shift the onus to the employee so it becomes the employee’s responsibility. As you can plainly see, in the end it doesn’t.