Apple iOS Bug Worse Than Advertised - InformationWeek

Off-the-shelf sniffing tools can exploit the threat, but users of older iPhones and iPod Touches won't see a fix.

Security experts have warned that a recently disclosed bug in Apple's iOS mobile operating system, patched by the vendor on Monday, is easier to exploit than it first appeared. In particular, attackers can now use a freely available tool to eavesdrop on an iOS device's data stream, without the user knowing.

As a result, "it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open Wi-Fi," he said.

According to Apple's related security advisory, released on Monday, "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS." With the fix, Apple said that "this issue is addressed through improved validation of X.509 certificate chains," referring to the public key infrastructure standard that SSL uses to verify identities via digital certificates.

The bug was discovered by Gregor Kopf of Recurity Labs, while conducting research for the German Federal Office for Information Security (BSI), as well as Paul Kehrer, who's part of Trustwave's SpiderLabs.

On Tuesday, Kopf released more complete details about the bug, highlighting that the flaw arose from the failure of iOS to check a digital certificate's "Basic Constraints" extension, the field that says whether a certificate is permitted to act as a certificate authority and sign other certificates. That revelation led developer Moxie Marlinspike to update his free sslsniff tool with a fingerprint that allows it to detect vulnerable iOS clients. Using the tool makes it quite easy to automatically intercept iOS SSL/TLS connections.

Marlinspike's update to the tool is notable, because the iOS vulnerability involves the same Basic Constraints bug that first led him to create the tool, nine years ago. "The vulnerability was that, back then, nobody really validated certificate chains correctly," he said on his website. "Webkit browsers, as well as the Microsoft CryptoAPI (and by extension Internet Explorer, Outlook, etc. ...), validated all the signatures in a certificate chain, but failed to check whether the intermediate certificates had a valid CA BasicConstraints extension set."

"In other words, if you bought a valid certificate for your website, what you got was the equivalent of a CA certificate. You could use it to create a valid signature for any other website, and--naturally--intercept SSL traffic," he said. Now, Apple appears to have fallen into the same trap, thanks to its use of WebKit, the open source browser engine that powers Safari.
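To make the chain-validation point concrete, here is an added example (not code from the article, from Recurity Labs, or from sslsniff) of the check a TLS client must perform. It models a minimal certificate chain: a root CA, a legitimately issued end-entity certificate for a site (CA flag false), and a certificate for another name signed with that end-entity key. Two validators walk the chain: one that verifies only the signatures, as the vulnerable clients did, and one that also requires every issuer to carry the CA Basic Constraints flag. Signatures are simulated with a keyed hash and a key registry so the example runs offline; all names and keys are constructed for the demonstration.

```python
"""Why X.509 chain validation must check Basic Constraints (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, simulated keys: real X.509 uses asymmetric key pairs, here a
# key is a secret byte string kept in a registry and "signing" is HMAC.
# The chain-walking logic below is what the example demonstrates.
KEYS: Dict[str, bytes] = {}


def make_key(name: str) -> str:
    """Register a deterministic constructed key and return its id."""
    secret = hashlib.sha256(f"constructed-secret-{name}".encode()).digest()
    key_id = hashlib.sha256(secret).hexdigest()[:16]
    KEYS[key_id] = secret
    return key_id


@dataclass
class Cert:
    subject: str
    issuer: str
    key_id: str          # id of the subject's own key
    is_ca: bool          # the Basic Constraints CA flag
    signature: bytes = b""

    def tbs(self) -> bytes:
        """The to-be-signed bytes: everything except the signature."""
        return f"{self.subject}|{self.issuer}|{self.key_id}|{self.is_ca}".encode()


def sign(cert: Cert, issuer_key_id: str) -> Cert:
    cert.signature = hmac.new(KEYS[issuer_key_id], cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(KEYS[issuer.key_id], cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(chain: List[Cert], anchors: List[Cert],
                   check_basic_constraints: bool) -> Tuple[bool, str]:
    """chain[0] is the leaf; chain[i] must be signed by chain[i+1]; the last
    element must be signed by a trust anchor. Returns (ok, reason)."""
    by_name = {a.subject: a for a in anchors}
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            issuer = by_name.get(cert.issuer)
            if issuer is None:
                return False, f"no trust anchor for {cert.issuer}"
        if issuer.subject != cert.issuer:
            return False, f"issuer name mismatch on {cert.subject}"
        if not signature_ok(cert, issuer):
            return False, f"bad signature on {cert.subject}"
        # The check the vulnerable clients skipped: only a CA may sign.
        if check_basic_constraints and not issuer.is_ca:
            return False, f"{issuer.subject} signed {cert.subject} but is not a CA"
    return True, "chain valid"


def build_scenario() -> Tuple[Cert, Cert, Cert]:
    """Constructed chain: root CA, a real end-entity cert, and a cert for
    another name that the end-entity key signed."""
    root_key, site_key, other_key = make_key("root"), make_key("site"), make_key("other")
    root = sign(Cert("Example Root CA", "Example Root CA", root_key, is_ca=True), root_key)
    site = sign(Cert("site.example", "Example Root CA", site_key, is_ca=False), root_key)
    other = sign(Cert("other.example", "site.example", other_key, is_ca=False), site_key)
    return root, site, other


def compare_validators() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Returns (lax result, strict result, strict result for the honest chain)."""
    root, site, other = build_scenario()
    suspect_chain = [other, site]          # other.example -> site.example -> root
    lax = validate_chain(suspect_chain, [root], check_basic_constraints=False)
    strict = validate_chain(suspect_chain, [root], check_basic_constraints=True)
    honest = validate_chain([site], [root], check_basic_constraints=True)
    return lax, strict, honest


if __name__ == "__main__":
    for label, result in zip(("signatures only", "with Basic Constraints", "honest chain"),
                             compare_validators()):
        print(f"{label:24s}: {result}")
```

The signatures-only validator accepts the two-certificate chain because every signature in it is mathematically valid; the strict validator rejects it at the first hop because site.example's certificate does not carry the CA flag, while still accepting the honest one-certificate chain. That rejection is exactly what Apple's "improved validation of X.509 certificate chains" has to supply.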

To check if your iOS device is vulnerable, Recurity Labs created a website that tests for the vulnerability. According to a blog post from Kopf, "if the Safari browser on your iDevice allows you to visit this site without issuing a warning, your device is vulnerable." A patch can be applied via iTunes.

Unfortunately, users of older iOS devices are out of luck, as Apple's patch only works on relatively recent devices. "If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable," said Wisniewski. "Owners of these devices should not use them for any purpose for which security or privacy is required."

That the Apple iOS bug is worse than advertised isn't a stretch, given Apple's minimalist approach to describing, in its security bulletins, software bugs and the potential threats that might result. According to Andrew Storms, director of security operations for automated security and compliance provider nCircle, when it comes to major software vendors' bug warnings, Apple and Adobe tie for having the least useful security bulletins, in terms of users or IT managers being able to use them to deduce the actual threats posed by vulnerabilities in Apple or Adobe products.

