Apple iOS Bug Worse Than Advertised - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Apple iOS Bug Worse Than Advertised

Off-the-shelf sniffing tools can exploit the threat, but users of older iPhones and iPod Touches won't see a fix.

Slideshow: Verizon iPhone 4 Teardown
(click image for larger view)
Slideshow: Verizon iPhone 4 Teardown
Security experts have warned that a recently disclosed bug in Apple's iOS mobile operating system, patched by the vendor on Monday, is easier to exploit than it first appeared. In particular, attackers can now use a freely available tool to eavesdrop on an iOS device's data stream, without the user knowing.

As a result, "it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open Wi-Fi," he said.

According to Apple's related security advisory, released on Monday, "an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS." With the fix, Apple said that "this issue is addressed through improved validation of X.509 certificate chains," referring to the public key infrastructure standard, which is used to verify a user's identity when using SSL, via digital certificates.

The bug was discovered by Gregor Kopf of Recurity Labs, while conducting research for the German Federal Office for Information Security (BSI), as well as Paul Kehrer, who's part of Trustwave's SpiderLabs.

On Tuesday, Kopf released more complete details about the bug, highlighting that the flaw arose from the failure of iOS to verify a digital certificate's "Basic Constraints," to verify digital certificate origin. That revelation led developer Moxie Marlinspike to update his free sslsniff tool with a fingerprint that allows it to detect vulnerable iOS clients to attack. Using the tool makes it quite easy to automatically intercept iOS SSL/TLS connections.

Marlinspike's updating of the tool is interesting, because the iOS vulnerability involves the same Basic Constraints bug that first led him to create the tool, nine years ago. "The vulnerability was that, back then, nobody really validated certificate chains correctly," he said on his website. "Webkit browsers, as well as the Microsoft CryptoAPI (and by extension Internet Explorer, Outlook, etc. ...), validated all the signatures in a certificate chain, but failed to check whether the intermediate certificates had a valid CA BasicConstraints extension set."

"In other words, if you bought a valid certificate for your website, what you got was the equivalent of a CA certificate. You could use it to create a valid signature for any other website, and--naturally--intercept SSL traffic," he said. Now, Apple appears to have fallen into the same trap, thanks to its use of WebKit, the open source browser engine that powers Safari.

To check if your iOS device is vulnerable, Recurity Labs created a website that tests for the vulnerability. According to a blog post from Kopf, "if the Safari browser on your iDevice allows you to visit this site without issuing a warning, your device is vulnerable." A patch can be applied via iTunes.

Unfortunately, users of older iOS devices are out of luck, as Apple's patch only works on relatively recent devices. "If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable," said Wisniewski. "Owners of these devices should not use them for any purpose for which security or privacy is required."

That the Apple iOS bug is worse than advertised isn't a stretch, given Apple's minimalist approach to describing, in its security bulletins, software bugs and the potential threats that might result. According to Andrew Storms, director of security operations for automated security and compliance provider nCircle, when it comes to major software vendors' bug warnings, Apple and Adobe tie for having the least useful security bulletins, in terms of users or IT managers being able to use them to deduce the actual threats posed by vulnerabilities in Apple or Adobe products.

Read our report on how to guard your systems from a SQL attack. Download the report now. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll