Users of Apple products often cite “no security worries” as one of their top reasons for choosing a Mac or an iOS mobile device. IT security folks know better; no operating system is invulnerable, and Apple is in the news again over a major security flaw that hackers can exploit to access messages that are supposed to be encrypted.
Due to the way iOS and OS X handle SSL and TLS sessions, an attacker on the same wired or wireless network can intercept traffic sent to or from web mail sites or social networking sites, even though these are intended to be secured by HTTPS. The software doesn’t validate the authenticity of the connection, so a hacker is able to impersonate the web site and capture the data that’s sent to the site, including email or even financial transactions. This is categorized as a “man in the middle” (MITM) attack. Not only can the attacker read your information, but they can also modify the data. That means exploits could be sent to your system this way, allowing the hacker to take control of it.
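The following is an added illustration, not code from the article or from Apple. It models the shape of the coding mistake behind CVE-2014-1266, a duplicated unconditional `goto fail;` in the client's ServerKeyExchange signature-check routine that skips the signature comparison while the error variable still holds the success value from the previous step. Everything here is a simplified, hypothetical stand-in (the function and type names, the hash and signature helpers, and the sample byte strings are constructed for this example); it shows only the control-flow defect and the corrected form side by side.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed error codes for the model; the real library uses its own. */
enum { SSL_OK = 0, SSL_ERR_HASH = -1, SSL_ERR_SIG = -2 };

/* Hypothetical view of what a signature check compares:
 * the digest the client computed over the handshake parameters, and
 * the digest recovered from the server's signature. */
typedef struct {
    const uint8_t *expected;  /* digest the client computed itself */
    const uint8_t *actual;    /* digest recovered from the server's signature */
    size_t len;
} sig_check_t;

/* Stand-in for the hash-update steps that can fail. */
static int hash_update(int simulate_failure) {
    return simulate_failure ? SSL_ERR_HASH : SSL_OK;
}

/* Stand-in for the final signature verification: only this step
 * actually proves the server holds the private key for its certificate. */
static int verify_signature(const sig_check_t *s) {
    return (memcmp(s->expected, s->actual, s->len) == 0) ? SSL_OK : SSL_ERR_SIG;
}

/* Vulnerable shape: the second 'goto fail' is not guarded by an 'if',
 * so control always jumps to the label, verify_signature() is never
 * called, and err still holds SSL_OK from the successful hash_update(). */
int verify_key_exchange_vulnerable(const sig_check_t *s) {
    int err;
    if ((err = hash_update(0)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional jump with err == SSL_OK */
    if ((err = verify_signature(s)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: each 'goto fail' is tied to its own check, so the
 * signature comparison runs and a mismatch is reported. */
int verify_key_exchange_fixed(const sig_check_t *s) {
    int err;
    if ((err = hash_update(0)) != 0)
        goto fail;
    if ((err = verify_signature(s)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    /* Constructed sample digests: a server whose signature does not match. */
    const uint8_t good[4] = {0xde, 0xad, 0xbe, 0xef};
    const uint8_t bad[4]  = {0x00, 0x11, 0x22, 0x33};
    sig_check_t forged = { good, bad, sizeof good };
    sig_check_t genuine = { good, good, sizeof good };

    printf("forged, vulnerable: %d\n", verify_key_exchange_vulnerable(&forged));
    printf("forged, fixed:      %d\n", verify_key_exchange_fixed(&forged));
    printf("genuine, fixed:     %d\n", verify_key_exchange_fixed(&genuine));
    return 0;
}
```

The vulnerable version accepts the forged exchange (returns `SSL_OK`), which is exactly the property a man-in-the-middle needs: the impersonated server never has to prove possession of the real site's key. Compiling with unreachable-code warnings enabled (`-Wunreachable-code` on clang) flags the dead `if` after the duplicated `goto`, which is one cheap check a build pipeline can run against this class of mistake.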
And it might not be just web-based exchanges that are at risk. At least one researcher says the vulnerability also exists in other iOS apps, including FaceTime, Twitter, the Mail app and others that use SSL and TLS.
If you’re using iOS, the good news is that Apple has released patches for the iPhone 4 and above, the iPad 2 and above, and the 5th generation iPod Touch. The bad news is that as of this writing, they haven’t yet released a patch for Mac OS X, but are expected to do so. Meanwhile, some security experts are recommending that Mac users avoid using Safari since Firefox and Chrome don’t appear to be affected by the vulnerability. Note that iOS 7.1 beta 5 (expected to be out in March) has also been found to contain the same vulnerability.
The troubling news is that the vulnerability has existed for several months, and iOS and OS X users have no way of knowing whether they might have been the victim of exploits during all that time.
Some have speculated that the vulnerability was intentionally planted by the NSA, either with or without Apple’s cooperation, because of its timing and the effectiveness with which it can be used to eavesdrop on communications. Many experts who have analyzed the vulnerability disagree, saying it’s an easy-to-make coding mistake. Apple had already repeatedly denied working with the NSA to put “back doors” in any of its software, while also admitting to a gag order that prevents the company from talking about what it does do in cooperation with the NSA.
You can find information about the iPhone/iPad/iPod update on Apple’s support web site. The patch is identified as iOS 7.0.6 and the CVE ID is CVE-2014-1266. It’s important for iOS users to update their devices as soon as possible, and for Mac users to update as soon as Apple releases a fix. Meanwhile, avoid connecting to networks such as public wi-fi networks over which an attacker could exploit the vulnerability. If you have unpatched iOS devices or OS X laptops, set their network settings so that they will not join untrusted networks.