Vincenzo Iozzo, an independent security consultant in Milan, Italy, targeted the BlackBerry at this year’s Pwn2Own hacking competition: he and two teammates attacked through a security hole in the open-source code behind its Web browser. (RIM has since plugged the hole, which had already been patched on Apple and Android devices.) He says BlackBerry has benefited from “security through obscurity”: there are tools and documentation that help software developers—benign ones and bad guys alike—create programs and observe how they run on the iPhone or Android, but RIM has been less forthcoming. “From the outside world, [the BlackBerry] is more of a black box,” he says. That has worked to RIM’s advantage—Iozzo would still recommend BlackBerrys first, and iPhones second, for companies extremely concerned about attacks on individual employees’ phones. But he adds: “The BlackBerry is easier to exploit once you get to know it.”
Charlie Miller, principal research consultant at the security firm Accuvant Labs, agrees with that assessment. He notes that the iPhone and Microsoft’s Windows Phone 7, unlike the BlackBerry, employ two exploit mitigations, Address Space Layout Randomization and Data Execution Prevention. The first makes it harder for an intruder to locate specific pieces of code or data in a phone’s memory; the second keeps the phone’s processor from executing data supplied by the attacker.
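Whether a given program can benefit from the two mitigations Miller describes is recorded in the binary itself: on ELF platforms, a position-independent executable (type ET_DYN) is what lets the loader randomize its base address, and a PT_GNU_STACK segment without the execute flag is the marker that asks for a non-executable stack. The following checker, added here as an illustration and not code from the article or from any of the vendors it discusses, reads those two markers from an ELF64 image. The `build_elf` helper and the sample images it produces are constructed for the example; the constants come from the ELF specification. Note that these flags only say what the binary requests; whether the operating system and processor actually enforce randomization and no-execute is a separate, platform-level question.

```python
import struct

# ELF constants (from the ELF specification) used by the checker.
ET_EXEC = 2                 # fixed-address executable: base cannot be randomized
ET_DYN = 3                  # position-independent executable (PIE): base can be randomized
PT_GNU_STACK = 0x6474E551   # segment whose flags describe the requested stack permissions
PF_X, PF_W, PF_R = 1, 2, 4  # segment permission bits

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header, 56 bytes


def build_elf(e_type, stack_flags=None):
    """Construct a minimal ELF64 little-endian image for testing (a constructed
    sample, not a real binary): a header plus at most one PT_GNU_STACK segment.
    stack_flags=None omits the segment entirely."""
    ehsize = struct.calcsize(EHDR_FMT)
    phentsize = struct.calcsize(PHDR_FMT)
    phnum = 0 if stack_flags is None else 1
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (little-endian), EI_VERSION=1, padding
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 0, 0, 0)
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdrs


def check_hardening(data):
    """Return {'pie': bool, 'nx_stack': bool} for an ELF64 little-endian image.

    pie      - True when the file is ET_DYN, the form ASLR can relocate.
    nx_stack - True when a PT_GNU_STACK segment is present without PF_X.
               A missing PT_GNU_STACK is reported as False, because the
               GNU/Linux loader then falls back to an executable stack.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff = fields[1], fields[5]
    e_phentsize, e_phnum = fields[9], fields[10]

    stack_flags = None
    for i in range(e_phnum):
        # Only p_type and p_flags are needed; they are the first two fields.
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx}


def findings(data):
    """Human-readable list of hardening gaps for a report; empty means both markers are set."""
    result = check_hardening(data)
    gaps = []
    if not result["pie"]:
        gaps.append("not a PIE: executable base cannot be randomized by ASLR")
    if not result["nx_stack"]:
        gaps.append("stack requested executable (or PT_GNU_STACK missing): no DEP/NX on the stack")
    return gaps


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # check a real binary passed on the command line
            print(findings(fh.read()))
    else:
        # Constructed samples: one built with both markers, one the way older toolchains emitted.
        print("hardened:", findings(build_elf(ET_DYN, PF_R | PF_W)))
        print("legacy:  ", findings(build_elf(ET_EXEC, PF_R | PF_W | PF_X)))
```

The same two questions apply to Windows binaries through the PE header (the DYNAMICBASE and NXCOMPAT characteristics), and a fleet-wide audit is simply this check run over every executable an organization deploys. The check deliberately reports a missing PT_GNU_STACK as a gap rather than assuming the safe default.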
Eric Maiwald, an analyst for the technology research group Gartner, says companies should worry less about the security of any particular device and more about their overall strategies for dealing with a workforce that wants to connect personal phones to the corporate network. For example, does a company want to allow sensitive data to be stored on a phone itself, or should it stay in the data center, from which it can be accessed remotely?
Not having to worry about which particular devices to buy for employees frees Lars Crotwell, vice president for information technology at the oilfield services company Basic Energy Services, to focus more on the specific IT needs of the business. He says some features that earned BlackBerry favor among corporate customers, such as the ability to remotely wipe data from devices that are lost or stolen, are now available on competing phones. He believes RIM might still offer better overall security, but even if it does, he says the marginal utility of that extra security has declined in the last few years. That’s one reason why he now lets employees bring in their own smart phones. “Just because (BlackBerry) is more secure doesn’t mean the iPhone or Android can’t meet our needs. After a certain point, who cares?” Crotwell says. “It’s secure enough for our risk profile.”