Keep an eye on your iPhone

Astute Sophos followers will remember that last year I hijacked the SophosLabs blog to bring news of the Apple WWDC 2008.

Well this year, sat in the Moscone West digesting the content of Phil Schiller’s keynote presentation and updating my plan of attack for the rest of the week, I’ve moved to the virtual next door to borrow a cup of sugar from my Clu-ful namesake and to let you know about this year’s Apple developer conference.

From the perspective of someone trying to keep Apple users and their data secure, the announcement that the fruit company’s new iPhone will include hardware encryption of the phone’s content is an exciting one.

We don’t yet know what form this encryption takes, but it’s good news for companies interested in deploying iPhones. It could reduce concerns that phones lost out in the wide world would mean company secrets making it out to the public or competitors.

The journey from Chez Sophos in Oxfordshire to San Francisco takes the best part of a day, so I had time to try a little iPhone security experiment of my own.

I stood on the plane, a few meters down the aisle from a couple of fellow Mac developers (in coach, you’ll be pleased to hear no £50 notes were harmed in writing this blog post). I turned my back on them and unlocked my iPhone.

Then, I asked them both what my PIN was. Both of my colleagues were able to tell me.

Of course this is hardly the most scientific test, but the outcome is still astounding.

It’s very simple to grab someone’s iPhone PIN from a distance away without arousing their suspicion. The brightly-coloured, large virtual keypad, great for typing in phone numbers easily, works against the user in this case by making “shoulder-surfing” a breeze.

So while you’re out and about, shield your iPhone PIN as you enter it and check who’s standing over your shoulder. And of course, never use the same PIN for a bank account or other service.

If you’re reading this from the conference and want to comment or talk security in general, please feel free to come and say hi, or follow me on Twitter.

Oh, and I have changed my iPhone PIN :-P.