Monday, July 7, 2008

iPhone: Too high a price to pay?

Now that the marketing blitz and customer hype about the Apple iPhone are reverting back to more realistic levels there comes some not entirely unexpected news: yes the Apple iPhone has been hacked, as reported in the press. Word of this hack came less than 30 days after launch.

That the hack occurred is certainly no surprise. That it occurred so soon after its launch is also no major shock. But let's look beyond that single incident to larger issues on the horizon.

Does the iPhone hack portend that the long-anticipated assault on the security of mobile phones has arrived? Yes and no.

No, because there has been some, though not a lot of, malware "available" for mobile phones for almost three years (for example Cabir variants). Yes, because this will probably spark a far wider recognition among users that mobile devices are, in reality, smaller but nevertheless still complex computer systems, and not "merely" phones.

While relatively "dumb" digital mobile phones remain on the market, the new iPhone has a level of complexity that has not really been seen before in mobile phones. And for security professionals, complexity breeds insecurity. This hack of the new "in"-toy will almost certainly spark that wider recognition among users.

The bigger question that is begging to be asked concerns carriers' vendor interests versus those of their customers.

While most of Europe and Asia have open networks where customers can readily change operators based on pricing and offerings (and other aspects of vendor satisfaction desired by the individual customer), in the US, it is the carrier rather than the subscriber who wields the ultimate power. Phone numbers are now portable, but customers are forbidden to change networks without incurring a penalty.

The launch of the Apple iPhone brought this into stark focus with the realisation that the quid pro quo for getting your hands on this "object of desire" was to submit yourself to being locked into one carrier. Similarly, the subsequent launch into Europe, with Apple taking a revenue share from the exclusive operator in each territory, raises this question: are European networks set to become less, not more, open?

With the need to generate revenue and in the scramble to secure the rights to the device that is redefining the mobile user experience, both the networks and the devices themselves are being increasingly locked down, which seems to be flying in the face of what the customer actually wants and expects. It is neither a good, nor sustainable, position for the carriers to be in.

As increasingly advanced mobile technologies herald a new level of complexity and feature sophistication, what does this mean for the future of open phones? Customers are growing tired of closed phones, where only carrier-approved applications can be downloaded, and those customers are increasingly unwilling to pay the high prices charged by the carriers. Customers want open phones where they can load whatever applications they want on to them, and to get those applications from vendors of their choosing.

The debate has even reached the US Congress. Following the launch of the iPhone in July, the house subcommittee on telecommunications and the internet criticised AT&T for locking buyers into an exclusive contract and charging a termination fee for those who want to switch early. AT&T's $175 (�86) fee leaves iPhone owners even more out of pocket as the phone won't work on any other network and they bought it at full price - phone operators use the fact that they give away handsets to justify termination fees.

One must now wonder if any moves by European operators to lock in subscribers and limit choice and access will fall foul of European Commission regulators.

Ultimately, however, it will come down to the one group that has the ultimate decision-making power: the subscriber. Will consumers be willing to trade openness and choice for the gadget of their dreams?

- Tim Mather is chief security strategist for RSA Conferences.
source: http://www.securecomputing.net.au
Phone news

No comments: