On Friday, February 21st, Apple released security updates affecting the iPhone 3GS through the 5s, the iPad 2 and later, the 4th and 5th generation iPod touch and the 2nd generation Apple TV. The specific version updates available for various devices are as follows:
- iOS 7.0.6 – iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
- iOS 6.1.6 – iPhone 3GS, iPod touch (4th generation)
- Apple TV 6.0.2 – Apple TV 2nd generation and later
To characterize the patched vulnerability using Apple’s words, “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” ZDNet and others report that iOS was not doing SSL/TLS hostname checking prior to Friday’s update. This is a very serious flaw.
For those that aren’t aware, SSL/TLS hostname checking is one part of an imperfect system meant to keep our encrypted communications secure. Whenever you visit a secure web site using the HTTPS prefix, your computer is supposed to compare the site name you entered with the digital certificate that the site uses in order to initiate an encrypted session. If the two don’t match, you’re presented with a fairly ominous warning. While it’s still possible for a skilled person or an organization to create a man-in-the-middle attack to eavesdrop on your encrypted traffic, at least they’d need to dupe or coerce a Certificate Authority into giving them a digital certificate containing the name of the site they wished to impersonate.
But without SSL/TLS hostname checking, literally anyone in a “privileged network position” on a network segment between your iOS device and the rest of the Internet can pretend to be Bank of America, Amazon, Google or anyone else. While it’s not alleged that the Safari web browser contained this vulnerability, everything else that your iPhone does could be susceptible to it. For instance, your iPhone’s native Mail app wouldn’t distinguish the difference between Google’s legitimate Gmail servers and a server that anyone built using a common Linux distro and the openssl req command. Such an oversight causes security professionals everywhere to collectively gasp.
Before the rest of us panic, however, it’s important to realize that any widespread exploitation of this vulnerability would likely have already been discovered. Very few network segments are limited to only iOS and Mac clients. While unpatched iOS devices might be willing to blindly connect to imposter servers, we hope that the Android, Linux and Windows clients would be throwing up flags indicating the deception. People would be talking about it.
All of this is to say that while you’re probably fine for now, there’s no time like the present to update your iOS devices. It’s as easy as navigating to Settings > General > Software Update, and clicking on ‘Download and Install.’ Reports indicate that Mac OS 10.9.1 is vulnerable as well, so you’ll want to keep an eye out for a Mac OS update in the days ahead.