Apple patches iPhone, iPad interception flaw

Encrypted transactions on iPhones, iPads, and iPod touch devices can be intercepted in a way that renders the encryption useless, according to security researcher Moxie Marlinspike

Apple has pushed out a fix for a flaw in iOS that could let an outside attacker get around encryption to grab data sent via iPhones and iPads.

Apple iPhone 4

Apple has patched a flaw in iOS that could allow an attacker to get around encryption and grab data sent via iPhones and iPads. Photo credit: James Martin/CNET News

The vulnerability in iOS was reported to Apple by Gregor Kopf of Recurity Labs on behalf of BSI, and Paul Kehrer of Trustwave's SpiderLabs. Their research built on work by Moxie Marlinspike, who first divulged the certificate-spoofing flaw in 2002, saying that the hole rendered Secure Sockets Layer (SSL) encryption in Internet Explorer ineffectual.

On Monday, Marlinspike said he had updated his proof-of-concept Sslsniff tool for the flaw for iOS. The problem means that encrypted communications on iPhone 3GS and 4, iPads and iPod touch devices are vulnerable to interception, according to the security researcher.

"Since this is the anniversary of the bug that prompted the release of Sslsniff to begin with, I've updated it to add iOS fingerprinting support," Marlinspike said in a blog post.

iOS data traffic encrypted with SSL, which is used to protect online banking transactions among other traffic, can be intercepted and captured using the sniffing tool, Marlinspike said.

The flaw allows attackers to issue spoof certificates to validate any domain, as long as they possess a valid certificate signed by a certificate authority. With this, they can launch man-in-the-middle attacks, in which the eavesdropper sits in the middle of a transaction, monitoring traffic.

Sslsniff gets round SSL encryption by dynamically generating certificates for domains that the user is accessing, without triggering alerts. For example, a user can visit and halfway through an encrypted session, an attacker can switch the victim to a phishing site, without the victim's knowledge.

Apple issued a patch for iOS on Monday to address the certificate chain validation issue at the centre of the problem. People wishing to avoid the vulnerability exploited by Sslsniff should upgrade to iOS 4.3.5.

"An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," said Apple in a security advisory.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.