Don't Fumble iPad Security with an NFL Playbook

In the offseason, several NFL team moved their coveted playbooks to electronic form using iPads. They are relying heavily on iOS security to protect their team secrets. Could somebody hack into an iPad and steal a playbook? Well, it depends. It depends on how well the overall security framework is setup around the iPad iOS and applications involved in reading the playbook.

Primary Areas of Risk

1. Physical Security -- If you lose your iPad and a bad guy finds it, it's game over. There are some ways to protect your data which I will get to shortly. You say "remote wipe." Sure, if it's on and within wireless network range.

2. Malware -- The "first" for iPad was discovered this summer in the Apple app store (I quoted "first" because I find it suspect). In July, Kaspersky found a malicious app in the iOS app stores called "Find and Call." The malicious app uploaded users contacts, then sent each contact an SMS message including a link to download the app.

[5 questions to ask about tablet security]

3. Operating System Vulnerabilities -- Humans make mistakes. These programming mistakes become operating system vulnerabilities which are exploited by threat against (hackers). This summer, Apple released iOS 5.1.1, which addressed three vulnerabilities found in iOS/Safari that allowed a hacker to establish a man-in-the-middle attack. In a man-in-the-middle attack web traffic is intercepted, read and likely save by a third party. The entire time end users (you) have no idea all your traffic is being read and recorded.

4. Application Vulnerabilities -- Programmers are human, too, and there are likely undiscovered vulnerabilities in apps at the Apple store. Once a vulnerability is found, it will be exploited and used to steal information from iPads. Our team of ethical hackers does this for a living and there are all kinds of vulnerabilities a scanner won't find in code.

5. Unencrypted Transmission -- The free unencrypted Wi-Fi at Joe's Coffee is a huge risk. Information packets transmitted by your iPad can be intercepted and read by a hacker. Even some encryption (WEP) can be compromised fairly easily.

Protect Your Data

1. Don't lose track of your iPad -- To protect against an accidental misplacement, require a passphrase which also encrypts data saved on the device. iPad's use hardware encryption by default which is enabled via the pass code. If an attacker compromises the pass code (or jailbreaks the device) they will get most data on the iPad. If they can't easily get pass your pass code, they can Jailbreak the device and brute-force the pass code. Then all your data is exposed. Enforce the use of complex pass codes. No, 1234 won't cut it. Use numbers, lower and upper case letters and symbols in your password. Preferably 10 digits in length and not easily guessable.

2. Enable auto wiping of device data -- Set the device to wipe data after 10 failed attempts to log in.

3. Make sure the operating system and applications are upgraded as soon as vulnerabilities are patched -- Not doing this will leave your device vulnerable to exploitation.

4. Establish a VPN connection when using Wi-Fi.

5. Manage the iPad with a Mobil Device Management (MDM) solution -- This will allow more control over how the device behaves. MDM will enable you to do things like whitelisting apps before they can run on the iPad.

6. Consider using your device as a terminal and not storing any data on it -- Store all the data on a secure server and remote in as needed.

Brett Kimmell is the manager of the risk management practice at SecureState.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Brett Kimmell

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts