Would iOS getting FIPS approved before BB10 is Available be another huge blow to RIM?
- So I was looking at the in process list for FIPS approval today:
http://csrc.nist.gov/groups/STM/cmvp...0InProcess.pdf
and noticed that Apple has finally gotten iOS out of the IUT state, which it has been in since they tried to get it approved probably 3 years ago, and into the "Review Pending" state. They actually have two iOS kernels pending; my guess is a 5.X and a 6.X version. I'm pretty sure that this means we will see iOS FIPS approved by October, November at the latest, based on my experience with the FIPS process.
So what do you think this would mean for RIM if iOS is FIPS approved before BB10 is even available? Personally I think you will see the floodgates at the US Federal Government open up for iOS devices, and it would probably start the rapid demise of BES installs at Federal agencies and possibly even bring BYOD iPhones into the Federal space. BlackBerry phones being FIPS approved and iOS not being FIPS approved has been about the only thing keeping iOS and Android from making serious inroads in the US Federal Government. RIM better get its Federal sales force out in droves showing off BB10 before release IMHO.
08-15-12 08:08 PM
- I'm not too sure we would see a mass exodus to Apple once iOS gets the certification. Remember, the BYOD model isn't exactly the optimal one to use in certain agencies, since they can't control an employee's entire device. Also keep in mind that several federal agencies and military divisions prohibit cameras and recording capabilities on their employees' phones, which is why RIM still makes handhelds without cameras in them.
Either way, the federal government (at least in the US) is slow to adopt anything, so if it does make an impact, I'm sure BB10 will be close to launching or already released by the time they decide to do anything.
08-15-12 09:03 PM
- Tre Lawrence (Between Realities): Yes, it does hurt. I don't see a mass exodus either, but RIM does not need its Enterprise customers tempted. Even a little.
08-15-12 09:11 PM
- Tre Lawrence (Between Realities): I should add some specific Android tablets and phones have been FIPS certified for a while.
08-15-12 09:12 PM
- Sith_Apprentice (Mod Team Emeritus): NSA is working on secure Android, but it is a very long and very expensive process. iOS getting FIPS doesn't necessarily get it approved for government use; FIPS is just supposed to be the baseline. BB10 is based off of the PlayBook OS, which is already FIPS 140-2 validated, and I suspect BB10 will ride that and get its approval very quickly.
08-16-12 04:54 AM
- Superfly_FR (Retired Moderator): The point is "what changes can iOS 6.x state to gain FIPS"?
I'm not familiar with this kind of certification, but usually, long time frames for certification mean "oh wait, we know we're not really ready yet, so hold the process, we don't want to be rejected".
"Review pending" means to me that they feel they can give it a try, not that they're 100% compliant ... so let's wait until they get a FIPS stamp, and then let's look at its level ...
In a security environment, newcomers are only granted as "capable", not "bullet proof". Having the certification is mandatory, yes, but not sufficient as-is.
From a marketing perspective, Apple getting this cert. will result in an implicit validation of RIM superiority ... years before the first ixxx even hit the street. This must be fine-tuned in communication but can also be turned into an advantage.
08-16-12 05:19 AM
- iOS 6 brought device-level device key encryption I thought, which wasn't available previously, which could be one step to gaining FIPS.
I don't think that just the devices getting FIPS will change a whole lot. How do they get managed? What management software for iOS gives even fractional control compared to what BlackBerry with BES gives?
iOS with no App Store, no iCloud, no Siri, since all 3 can't gain security clearance: how useful will the devices be in comparison to the BlackBerry devices?
BB10 won't be far off FIPS approval once it receives carrier approval. RIM's been building from the ground up with that in mind; it isn't an afterthought like iOS.
08-16-12 06:13 AM
- Sith_Apprentice (Mod Team Emeritus): Just so you are aware, RIM released this on the BizBlog last month. The PlayBook, running OS 2, is already FIPS 140-2 validated. (BlackBerry PlayBook OS 2.0 and BlackBerry Device Service Receive FIPS 140-2 Certification | Inside BlackBerry for Business Blog)
Also, since we are talking the NIST process, NIST.gov - Computer Security Division - Computer Security Resource Center
is the link to the steps for the validation. In Review means they have finally submitted proper paperwork for validation; they still have to go through the testing etc.
And of course:
Originally Posted by NIST: "DISCLAIMER: The Cryptographic Module Validation Program (CMVP) FIPS 140-1 and FIPS 140-2 Modules In Process List is provided for information purposes only. Participation on the list is voluntary and is a joint decision by the vendor and Cryptographic Security and Testing (CST) laboratory. Modules are listed alphabetically by name. Blank entries indicate modules in process but joint decision made not to post. Posting on the list does not imply guarantee of final FIPS 140-1 or FIPS 140-2 validation."
Last edited by Sith_Apprentice; 08-16-12 at 06:32 AM.
08-16-12 06:28 AM
- Originally Posted by Superfly_FR: "Review pending" means to me that they feel they can give it a try, not that they're 100% compliant ... so let's wait until they get a FIPS stamp, and then let's look at its level ...
In a security environment, newcomers are only granted as "capable", not "bullet proof". Having the certification is mandatory, yes, but not sufficient as-is.
BlackBerry has another Tablet Crypto Kernel in now too, which if I had to guess will be the BB10 kernel, and RIM has cleverly worded the policies to be generic enough that any device running an ARM processor, the right OS, and the Crypto Kernel is FIPS approved.
Last edited by lnichols; 08-16-12 at 09:00 AM.
08-16-12 08:56 AM
- Sith_Apprentice (Mod Team Emeritus): RIM actually does this for each major revision of the OS, but with BB10 the crypto kernel can be something different. It doesn't have to be revalidated with each OS (as in BB OS for each major revision: 4/5/6/7/etc.), but can instead be validated once, and the OS pieces around it can change, leaving the crypto kernel the same.
08-16-12 09:05 AM
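Added example, not from this thread and not RIM's, Apple's, or any validated module's code: the reason a crypto kernel can be validated once while the OS around it changes is that FIPS 140-2 draws a boundary around the module and requires it to check itself at power-up (a software integrity test over its own image plus known-answer tests of each approved algorithm) before it offers any service; everything outside that boundary is not what the certificate covers. The Python below models that pattern with a toy module built on the standard library's hashlib and hmac. The class and function names, the sample "module image" bytes and the build-time integrity key are constructed for illustration; the known-answer vectors are the published SHA-256("abc") value and RFC 4231 HMAC-SHA-256 test case 1.

```python
"""
FIPS 140-2 style power-up self-tests for a toy "crypto kernel".

Added illustration only: it models the pattern (module boundary, software
integrity test, known-answer tests, error state) with Python's hashlib/hmac.
It is not RIM's, Apple's, or any validated module's code.
"""
import hashlib
import hmac

# Known-answer test vectors: the FIPS 180 SHA-256("abc") example and
# RFC 4231 HMAC-SHA-256 test case 1.
SHA256_KAT_MSG = b"abc"
SHA256_KAT_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_KAT_KEY = b"\x0b" * 20
HMAC_KAT_MSG = b"Hi There"
HMAC_KAT_MAC = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


class SelfTestError(RuntimeError):
    """A power-up self-test failed: the module enters an error state and refuses all services."""


class CryptoKernel:
    """Toy module boundary. Every approved service goes through this object,
    and no service is available until power_up() has passed every self-test."""

    def __init__(self, module_image: bytes, integrity_key: bytes, expected_mac: str):
        self._image = module_image           # stands in for the module's binary
        self._integrity_key = integrity_key  # key embedded at build time (assumption)
        self._expected_mac = expected_mac    # MAC the vendor computed at build time
        self._ready = False

    @property
    def expected_mac(self) -> str:
        return self._expected_mac

    # --- power-up self-tests (run before any service is offered) ----------
    def power_up(self) -> bool:
        self._ready = False
        self._software_integrity_test()
        self._known_answer_tests()
        self._ready = True
        return True

    def _software_integrity_test(self) -> None:
        # Approved integrity technique over the whole module image; a single
        # changed byte (a patched OS hook, a rootkit) changes the MAC.
        mac = hmac.new(self._integrity_key, self._image, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, self._expected_mac):
            raise SelfTestError("software integrity test failed")

    def _known_answer_tests(self) -> None:
        # Each approved algorithm must reproduce a published answer.
        if hashlib.sha256(SHA256_KAT_MSG).hexdigest() != SHA256_KAT_DIGEST:
            raise SelfTestError("SHA-256 known-answer test failed")
        if hmac.new(HMAC_KAT_KEY, HMAC_KAT_MSG, hashlib.sha256).hexdigest() != HMAC_KAT_MAC:
            raise SelfTestError("HMAC-SHA-256 known-answer test failed")

    # --- approved services --------------------------------------------------
    def _require_ready(self) -> None:
        if not self._ready:
            raise SelfTestError("module not operational: self-tests have not passed")

    def sha256(self, data: bytes) -> str:
        self._require_ready()
        return hashlib.sha256(data).hexdigest()

    def hmac_sha256(self, key: bytes, data: bytes) -> str:
        self._require_ready()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_kernel(image: bytes, integrity_key: bytes) -> CryptoKernel:
    """Vendor/build side: compute the integrity MAC and embed it with the module."""
    expected = hmac.new(integrity_key, image, hashlib.sha256).hexdigest()
    return CryptoKernel(image, integrity_key, expected)


def demo():
    """Intact module passes and serves; a tampered image fails power-up and stays disabled."""
    # Constructed sample data standing in for a module binary and its build key.
    image = b"crypto-kernel v1.0 (constructed sample image, not a real binary)"
    key = b"constructed-build-time-integrity-key"

    good = build_kernel(image, key)
    good.power_up()
    digest = good.sha256(b"hello")

    # Same embedded MAC, but one byte appended to the image after the build.
    tampered = CryptoKernel(image + b"\x90", key, good.expected_mac)
    try:
        tampered.power_up()
        tamper_detected = False
    except SelfTestError:
        tamper_detected = True
    try:
        tampered.sha256(b"hello")
        service_blocked = False
    except SelfTestError:
        service_blocked = True
    return digest, tamper_detected, service_blocked


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the boundary: the integrity test covers only the module's own image, so swapping the OS around it does not disturb the validated piece, and a single appended byte inside the image leaves the module in an error state that refuses every service. The embedded-HMAC-key integrity check is a simplification; a real module can use an approved MAC or a digital signature over its image, and nothing here says anything about the security of code outside the boundary.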
- Branta (Retired Network Mod): This thread prompted me to look closer at Apple security, and the announcements reported last year from Black Hat.
Apple has built encryption based on the 256-bit Advanced Encryption Standard and the Secure Hash Algorithm into its processors. De Atley said neither Apple nor the manufacturers know the unique identifier, a safeguard he says makes sure the user has maximum protection. Apple maintains a global key as a top control point.
Basically, as is already known, apps from the Apple App Store will not run on users' iOS devices unless they're signed by Apple. Third-party developers can be issued a public-key certificate from Apple to make apps that run on Apple iOS. To build enterprise apps, developers can enroll in the iOS Developer Enterprise program. Each will find they receive an "Enterprise Provisioning profile" that is installed on devices they use. This provisioning profile expires annually, said De Atley.
The end result keeps Apple firmly in control over what's going on in apps running on its devices, a fact that enterprises may find beneficial or not.
08-16-12 02:38 PM
- ...Snip... So, it sounds like a move to crypto-signed modules and verification before the software will load. That could bring the end of jailbreaking, but more worrying is the mention of limited validity for enterprise signing keys. As a manager and owner it is MY phone, MY application, and I demand that I approve business apps, and which devices are allowed to use them. Apple seems to be going back to the bad old ways of revenue generation.
Is the iPhone 4S currently FIPS 140-2 compliant? Probably yes, according to Jonathan Zdziarski. Would you want to store confidential data on an iPhone? Look at the kinds of iOS exploits currently being taught in seminars:
• How to manipulate the runtime of applications on a target device to assist in law enforcement investigations involving loss of life or national security, when all other forensic techniques fail.
• Work with classroom examples of malware to see how an attacker can transparently infect and steal application data, surveil user activity, and access encrypted documents in the background of a device while it is being used by an unsuspecting user.
• Identify common vulnerabilities in real-world applications and how attackers can take advantage of these through a number of attack techniques to break through security, hijack sessions, and steal user data.
• Manipulate the runtime environment of running applications to access data, bypass program logic and override many security mechanisms.
• Techniques attackers use to infect applications with malware through code injection.
• Discover how attackers defeat iOS keychain, file system, and data-protection encryption to steal encryption keys, passwords, and infect a device without necessarily breaking the passphrase.
• Attack processes to inject code and manipulate the runtime environment of Objective-C applications, in many cases without detection.
• Redirect networking traffic and intercept SSL-encrypted traffic.
Last edited by hornlovah; 08-16-12 at 06:53 PM. Reason: To add link. DOH! ;)
08-16-12 06:47 PM
- Sith_Apprentice (Mod Team Emeritus): Each crypto kernel must be approved; if it has changed then Apple would be starting the process over. Now they could easily apply directly for FIPS 140-2 (which you are likely correct on), but they have not yet been able to obtain that. FIPS only validates the crypto kernel, from my understanding, and this would not necessarily protect the rest of the OS from exploit. Keep in mind DingleBerry was able to root the PlayBook even though it was FIPS 140 compliant.
Last edited by Sith_Apprentice; 08-17-12 at 07:05 AM.
08-17-12 06:40 AM
- Sith_Apprentice (Mod Team Emeritus): No end to jailbreaking because jailbreaks use a combination of processor and kernel exploits. Jailbreak teams already possess plenty of kernel exploits, and all beta versions of iOS 6 have already been compromised. IMHO, cracking the new processor is a when, not an if.
Originally Posted by hornlovah: "Is the iPhone 4S currently FIPS 140-2 compliant? Probably yes, according to Jonathan Zdziarski. Would you want to store confidential data on an iPhone? Look at the kinds of iOS exploits currently being taught in seminars:
Hacking and Securing iOS Applications L-1 - Eventbrite"
iOS (any) version is not FIPS 140-2 certified at this time.
08-17-12 07:04 AM
- Branta (Retired Network Mod):
08-17-12 07:21 AM
- Sith_Apprentice (Mod Team Emeritus): Very possible. Apple received their validation in March of this year for Mac OS X 10.7, so they have changed their stance on it (they came into DoD and said no, we aren't changing anything for you guys, take it or leave it lol).
08-17-12 08:05 AM
- I did not claim that any version of iOS was certified; I just noted that in one expert's opinion, maybe The Expert on iOS security, the latest devices were "probably compliant." My second point is that while FIPS certification is very important, Apple has some work to do before they actually deliver the kind of mobile security that some organizations and individuals need.
08-17-12 09:36 AM