Apple iOS Bug Worse Than Advertised

Off-the-shelf sniffing tools can exploit the threat, but users of

Mathew J. Schwartz, Contributor

July 27, 2011


Slideshow: Verizon iPhone 4 Teardown

Security experts have warned that a recently disclosed bug in Apple's iOS mobile operating system, patched by the vendor on Monday, is easier to exploit than it first appeared. In particular, attackers can now use a freely available tool to eavesdrop on an iOS device's data stream, without the user knowing.

As a result, "it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open Wi-Fi," he said.

According to Apple's related security advisory, released on Monday, "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS." With the fix, Apple said that "this issue is addressed through improved validation of X.509 certificate chains," referring to the public key infrastructure standard for the digital certificates used to verify the identity of the parties in an SSL connection.

The bug was discovered by Gregor Kopf of Recurity Labs, while conducting research for the German Federal Office for Information Security (BSI), as well as Paul Kehrer, who's part of Trustwave's SpiderLabs.

On Tuesday, Kopf released more complete details about the bug, highlighting that the flaw arose because iOS did not check the "Basic Constraints" extension of the certificates in a chain, the field that states whether a certificate is permitted to act as a certificate authority and sign other certificates. That revelation led developer Moxie Marlinspike to update his free sslsniff tool with a fingerprint that lets it detect vulnerable iOS clients. With the tool, intercepting iOS SSL/TLS connections becomes largely automatic.

Marlinspike's updating of the tool is interesting, because the iOS vulnerability involves the same Basic Constraints bug that first led him to create the tool, nine years ago. "The vulnerability was that, back then, nobody really validated certificate chains correctly," he said on his website. "Webkit browsers, as well as the Microsoft CryptoAPI (and by extension Internet Explorer, Outlook, etc. ...), validated all the signatures in a certificate chain, but failed to check whether the intermediate certificates had a valid CA BasicConstraints extension set."

"In other words, if you bought a valid certificate for your website, what you got was the equivalent of a CA certificate. You could use it to create a valid signature for any other website, and--naturally--intercept SSL traffic," he said. Now, Apple appears to have fallen into the same trap, thanks to its use of WebKit, the open source browser engine that powers Safari.
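To make concrete what Apple's "improved validation of X.509 certificate chains" has to do, here is an added example using Go's standard crypto/x509 package (it is not code from the article, from Recurity Labs, from Marlinspike's tool or from Apple). It builds a constructed three-certificate chain, root CA to ordinary site certificate to a certificate for another host signed with that site's key, and compares a validator that only checks signatures, mirroring the flaw described above, with one that also requires the Basic Constraints CA flag on every issuer; the host names are made-up placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parentKey (self-signed when parent is nil).
// isCA sets the Basic Constraints CA flag, the field the article says iOS failed to check.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, // constructed toy cert
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validate walks chain (end entity first, trusted root last), checking each signature against the next
// certificate. checkCA=false is the broken behaviour; checkCA=true also demands CA=TRUE on every issuer.
func validate(chain []*x509.Certificate, checkCA bool) bool {
	for i := 0; i+1 < len(chain); i++ {
		c, issuer := chain[i], chain[i+1]
		if issuer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil ||
			(checkCA && (!issuer.BasicConstraintsValid || !issuer.IsCA)) {
			return false
		}
	}
	return true
}

// Demo: root CA -> site cert (CA=FALSE) -> cert for another host signed with the site's key; reports both verdicts.
func Demo() (signaturesOnlyAccepts, withBasicConstraintsAccepts bool) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	site, siteKey := issue("shop.example.com", false, root, rootKey)
	rogue, _ := issue("bank.example.com", false, site, siteKey)
	chain := []*x509.Certificate{rogue, site, root}
	return validate(chain, false), validate(chain, true)
}
```

Go's own x509.Certificate.Verify performs the Basic Constraints check for you; the hand-written validator only exists to show the single missing test that separates the two outcomes.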

To check if your iOS device is vulnerable, Recurity Labs created a website that tests for the vulnerability. According to a blog post from Kopf, "if the Safari browser on your iDevice allows you to visit this site without issuing a warning, your device is vulnerable." A patch can be applied via iTunes.

Unfortunately, users of older iOS devices are out of luck, as Apple's patch only works on relatively recent devices. "If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable," said Wisniewski. "Owners of these devices should not use them for any purpose for which security or privacy is required."

That the Apple iOS bug is worse than advertised isn't a stretch, given Apple's minimalist approach to describing, in its security bulletins, software bugs and the threats that might result from them. According to Andrew Storms, director of security operations for automated security and compliance provider nCircle, among major software vendors Apple and Adobe tie for the least useful security bulletins, judged by how well users or IT managers can deduce from them the actual threats posed by vulnerabilities in those vendors' products.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
