7/27/2011
01:11 PM

Apple iOS Bug Worse Than Advertised

Off-the-shelf sniffing tools can exploit the threat, but users of older iPhones and iPod Touches won't see a fix.

Security experts have warned that a recently disclosed bug in Apple's iOS mobile operating system, patched by the vendor on Monday, is easier to exploit than it first appeared. In particular, attackers can now use a freely available tool to eavesdrop on an iOS device's data stream, without the user knowing.

As a result, "it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open Wi-Fi," he said.

According to Apple's related security advisory, released on Monday, "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS." With the fix, Apple said that "this issue is addressed through improved validation of X.509 certificate chains," referring to the public key infrastructure standard, which is used to verify a user's identity when using SSL, via digital certificates.

The bug was discovered by Gregor Kopf of Recurity Labs, while conducting research for the German Federal Office for Information Security (BSI), as well as Paul Kehrer, who's part of Trustwave's SpiderLabs.

On Tuesday, Kopf released more complete details about the bug, highlighting that the flaw arose from the failure of iOS to check a digital certificate's "Basic Constraints," which are used to verify a digital certificate's origin. That revelation led developer Moxie Marlinspike to update his free sslsniff tool with a fingerprint that allows it to detect iOS clients that are vulnerable to the attack. Using the tool makes it quite easy to automatically intercept iOS SSL/TLS connections.

Marlinspike's updating of the tool is interesting, because the iOS vulnerability involves the same Basic Constraints bug that first led him to create the tool, nine years ago. "The vulnerability was that, back then, nobody really validated certificate chains correctly," he said on his website. "Webkit browsers, as well as the Microsoft CryptoAPI (and by extension Internet Explorer, Outlook, etc. ...), validated all the signatures in a certificate chain, but failed to check whether the intermediate certificates had a valid CA BasicConstraints extension set."

"In other words, if you bought a valid certificate for your website, what you got was the equivalent of a CA certificate. You could use it to create a valid signature for any other website, and--naturally--intercept SSL traffic," he said. Now, Apple appears to have fallen into the same trap, thanks to its use of WebKit, the open source browser engine that powers Safari.
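The gap Marlinspike describes can be shown with a small model of chain validation. The following is an added example, not code from the article, Apple, or sslsniff: it compares a validator that only checks signatures with one that also enforces Basic Constraints. The `Cert` class, the HMAC stand-in for real signatures, and all names and hostnames are constructed assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    key: bytes                      # model only: stands in for the subject's key pair
    is_ca: bool = False             # basicConstraints cA flag
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint
    sig: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.is_ca}|{self.path_len}".encode()

def issue(issuer: Cert, subject: str, **kw) -> Cert:
    """Create a certificate for `subject` signed with the issuer's key (HMAC stand-in)."""
    cert = Cert(subject, issuer.subject, key=subject.encode(), **kw)
    cert.sig = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert

def signed_by(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(cert.sig, expected)

def signatures_only(chain: List[Cert], root: Cert) -> bool:
    """Flawed validator: every signature verifies, BasicConstraints is never read."""
    path = chain + [root]  # leaf first, trust anchor last
    return all(signed_by(c, i) for c, i in zip(path, path[1:]))

def with_basic_constraints(chain: List[Cert], root: Cert) -> bool:
    """Hardened validator: every issuing certificate must be a CA within its path length."""
    if not signatures_only(chain, root):
        return False
    for below, issuer in enumerate((chain + [root])[1:]):
        # `below` = number of intermediate certificates beneath this issuer
        if not issuer.is_ca:
            return False
        if issuer.path_len is not None and below > issuer.path_len:
            return False
    return True

# Constructed sample chain: an ordinary site certificate used as if it were a CA.
ROOT = Cert("Example Root CA", "Example Root CA", key=b"root-key", is_ca=True)
SITE = issue(ROOT, "shop.example")    # end-entity certificate, cA=False
FORGED = issue(SITE, "bank.example")  # signed with the site's key
```

With the constructed chain, `signatures_only([FORGED, SITE], ROOT)` accepts the path while `with_basic_constraints([FORGED, SITE], ROOT)` rejects it, which is the difference the patch's "improved validation of X.509 certificate chains" refers to.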

To check if your iOS device is vulnerable, Recurity Labs created a website that tests for the vulnerability. According to a blog post from Kopf, "if the Safari browser on your iDevice allows you to visit this site without issuing a warning, your device is vulnerable." A patch can be applied via iTunes.

Unfortunately, users of older iOS devices are out of luck, as Apple's patch only works on relatively recent devices. "If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable," said Wisniewski. "Owners of these devices should not use them for any purpose for which security or privacy is required."

That the Apple iOS bug is worse than advertised isn't a stretch, given Apple's minimalist approach to describing, in its security bulletins, software bugs and the potential threats that might result. According to Andrew Storms, director of security operations for automated security and compliance provider nCircle, when it comes to major software vendors' bug warnings, Apple and Adobe tie for having the least useful security bulletins, in terms of users or IT managers being able to use them to deduce the actual threats posed by vulnerabilities in Apple or Adobe products.

