Major Apple security flaw: Patch issued, users open to MITM attacks

Apple rushed the release of iOS 7.0.6 on Friday with a patch for a shockingly overlooked SSL encryption issue that leaves iPhone, iPad and Mac computer users open to a man-in-the-middle (MITM) attack.
Written by Violet Blue, Contributor

Apple on Friday revealed a major SSL (Secure Sockets Layer) vulnerability in its software that affects all devices, allowing hackers to intercept and alter communications such as email and login credentials for countless Apple hardware users.

A new version of Apple's iOS for its tablets and phones was rushed out the door Friday to patch the vulnerability, in which Apple's mobile, tablet and desktop software is not doing SSL/TLS hostname checking, so communications meant to be encrypted are not.

The patch has only been issued for the more recent iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation).

Security researchers across several communities believe that Mac computers are even more exposed, as they are currently left hanging without a patch.

Unfortunately, Apple has not released a statement on when to expect this patch, nor what version range of iPhone, iPad, iPod touch, or Mac computer is affected by the major, and somewhat shocking, flaw.

The vulnerability allows anyone with a certificate signed by a "trusted CA" to do a man-in-the-middle (MITM) attack.
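
The failure described above, as an added example that is not from Apple's code or from this article's sources: a simplified Python model of a client that only checks that a certificate chains to a trusted CA, beside one that also checks the hostname. The `Cert` record, the trust store and every name in it are constructed for illustration.

```python
# Added illustration: simplified model of TLS server-certificate checks.
# Certificates are constructed sample records, not real X.509 objects.
from dataclasses import dataclass

TRUSTED_CAS = {"Example Root CA"}  # constructed trust store

@dataclass(frozen=True)
class Cert:
    dns_names: tuple  # subjectAltName dNSName entries
    issuer: str       # name of the CA that signed the certificate

def chain_trusted(cert):
    """Stand-in for signature and chain validation up to a trusted root."""
    return cert.issuer in TRUSTED_CAS

def name_matches(pattern, host):
    """Match one dNSName against the requested host, RFC 6125 style."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(h) < 2 or "" in h:
        return False
    if p[0] == "*":
        # Wildcard must be the whole left-most label, covers one label only,
        # and is refused directly under a single-label suffix such as "*.com".
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def verify_without_hostname(cert, host):
    """Flawed client: accepts any certificate issued by a trusted CA."""
    return chain_trusted(cert)

def verify_with_hostname(cert, host):
    """Correct client: trusted chain AND a name that matches the host."""
    return chain_trusted(cert) and any(name_matches(n, host) for n in cert.dns_names)

# Constructed sample certificates
site = Cert(("*.bank.example", "bank.example"), "Example Root CA")
other = Cert(("unrelated.example",), "Example Root CA")    # trusted CA, wrong name
selfsigned = Cert(("login.bank.example",), "Unknown CA")   # right name, untrusted CA
```

With these samples, the flawed client accepts `other` for `login.bank.example`, while the correct client accepts only `site`.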

A man-in-the-middle attack seamlessly intercepts communication — and more, like unencrypted passwords — between yourself and your intended recipient or website, and according to OWASP, "the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication."

A malicious entity could also impersonate a trusted website to install malware or steal valuable data, such as in September when Belgium's largest telecom provider Belgacom was hacked and exploited via fake LinkedIn and Slashdot pages.

iOS 7.0.6 and the new iOS 6.1.6 update "provide a fix for SSL connection verification."

The 7.0.6 update is for all devices that can run iOS 7, while the iOS 6.1.6 update is for the iPhone 3GS and fourth-generation iPod touch.

iOS 7.0.6
Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-2014-1266 (About the security content of iOS 7.0.6)

It is a very serious issue, and users of Apple tablets and phones are urged to update ASAP.

It's unknown how far back in iOS generations the flaw goes.

Older devices, such as the original iPhone, the 3G, the earlier iPod touch and the first generation iPad, are in all likelihood out of luck for attention to the encryption hole.

There is speculation that this vulnerability, coupled with automatic updates over SSL, may have been one of the ways that the NSA could access "any iOS device" — a claim made in leaked Snowden-NSA documents, one that Apple vehemently denied.

Update 2/22: Adam Langley has excellent, further analysis in Apple's SSL/TLS bug (22 Feb 2014, imperialviolet.org).

ZDNet has reached out to Apple for comment and will update this post if it responds.
