how can an iPhone be so hard to hack when entire banking systems and other massive companies can be successfully targeted?



how can an iPhone be so hard to hack when entire banking systems and other massive companies can be successfully targeted?

In: Technology

Big companies have many separate systems, many of which have to talk to each other, which means many potential vulnerabilities (often the employees themselves) and you just need one. Compare that to a single hardware device with strong encryption that has a single owner/user.

Apple is a monoculture. That means that only specific, Apple-targeting, techniques work.

It’s not true that “entire banking systems” have been hacked. Some companies have had some disclosure problems, where their transaction records leaked out, but it’s not like hackers just transferred all the money out of their bank accounts. That mostly happens in movies. That said, there are many companies with many software systems. Hackers don’t care if the take money from Target or Walmart, so they can attack all the companies and just see where they get lucky. Attacking Apple is harder, because there is only the one Apple.

There are a number of reasons:
– many of these banks and institutions don’t spend enough on securing their data networks, they often have lots of old software running that is vulnerable to attack. Modern phones by comparison were designed recently with security built in from day 1
– For the ones which haven’t left the barn door open, by having internet connected Win98 machines sitting in bedroom closets, they also have lots of ill trained staff, who are susceptible to social engineering… That’s how Sony got hacked…
– there is a huge difference in scale between securing a phone and securing a bank – kinda like comparing a home security system to border security… Big organisations have lots of points of contact (ATMs/PoS terminals, employee laptops/phones, websites etc)
– the value of breaking into a big company or bank is much greater, so attackers will spend more (time/money/effort) to get in

Banks have a much, MUCH larger attack surface than an iPhone. And a whole lot more of the weakest point in any system: the humans who need to access it. There’s an old adage in cybersecurity: What’s the easiest way to get an employee’s password? You ask them for it. You’d be shocked how many hacks are pulled that way. Kevin Mitnick got famous doing just that. With any large organization you’re pretty much guaranteed to have someone gullible enough to just give you their password, especially if you create an employee ID for some bogus IT support company.

Apple put a lot of work into making iPhones secure. Big banks didn’t. You might think big banks are secure, but that’s just because nobody knows their weak points, and anyone who finds one goes to jail in a hurry. Plus, if you steal money by hacking a bank, they’ll just undo it, so why bother?

Apple tries to make it so iPhones don’t even *have* weak points to begin with.

Organisations have human beings in them. They are dumb and can be manipulated into clicking and opening things they should not, and leaders make risky security decisions to save money.

Cost / benefit.

iphone isn’t hard to hack, it’s just that the benefit is smaller since less people use it. So when the hacker is trying to decide on a target, iphone gets left off easier. If iphone ever became popular enough, it would get hacked a lot more often.

Tee iphone’s base architecture is very very secure. To put it simply, if Apple does not sign your code, the hardware won’t run it.

Now this is an extreme simplification, there are ways to force an IPhone to run your code by injecting it into memory leaks, but that’s a long, complicated path. In most cases you can just be sure that only code that Apple wants to run, will run,

Windows and linux do not have this privilege or burden. Developers can just write code, and it will run. This is vital for a company as they write their own software to operate their company. They can’t wait for weeks to have a 3rd party sign all their code.

So as any code that you want runs, anyone can write malware and figure out how to get it on the device. This opens up tons of routs to attacks.

If you want to know more about code signing, that’s a separate question.

comparing to banks iphones are actually very easy to hack
it is just not worth the effort to hack them given they do not contain millions worth of cash

In games, your protection against attack is usually represented by a single number. You have an armor rating; maybe it’s 1 if you’re wearing ordinary clothing, but 3 if you’re wearing leather armor, and 10 if you’re wearing a plated spacesuit. If you put on a helmet, it improves your armor rating by 2; and that applies even to blows that would hit you in the belly instead of the head.

In the real world, protection against attacks doesn’t work like that. Putting a helmet on protects your head, but does nothing to protect you against getting clubbed in the belly. Armor protects what it covers; it doesn’t grant you a static percentage chance to deflect any attack.

Computer protections are like that, only more so. If a server does not receive email, then it cannot be attacked via email. If it is only exposed to web requests through a reverse-proxy, then only those requests the reverse-proxy accepts can possibly attack it.

The most vulnerable systems are those that have to communicate with a large number of other systems, including business partners, consumers, governments, etc.