Unpatched iPhones/iPads secure connections not so secure

Filed Under: Apple, Data loss, Featured, iOS, Mobile, Privacy, Vulnerability

Yesterday I wrote about Apple's latest fixes for iWork and iOS and encouraged folks to update. Now that more information is available it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls.

Moxie Marlinspike posted a message on his blog yesterday announcing an update to a tool called sslsniff. The sslsniff tool has been around for quite some time (nine years!) and allows users to easily perform man-in-the-middle attacks against SSL/TLS connections. The new version of sslsniff knows how to identify vulnerable Apple devices and allows anyone to snoop on secure communications.

iPhone with unlock iconWHAT? Yes, you read that correctly. The flaws in iOS 4.3.4, 4.2.9 and 5.0b3 and lower are a lot more serious than Apple's description of their fix: "This issue is addressed through improved validation of X.509 certificate chains."

Oddly the flaw in iOS was a widespread flaw in WebKit and Microsoft's CryptoAPI nine years ago. It allows any valid certificate purchased from a Certificate Authority to sign any other certificate, which the client device will then consider valid.

This allows anyone who can capture traffic from your iPhone, iPad or iPod Touch with man-in-the-middle techniques to intercept and read any and all encrypted SSL traffic silently and without notification to the user.

This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open WiFi.

The really bad news? If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable. Owners of these devices should not use them for any purpose for which security or privacy is required.

, , , , , , , , , , ,

You might like

4 Responses to Unpatched iPhones/iPads secure connections not so secure

  1. Peter Bance · 1499 days ago

    Thanks for writing this new article so quickly - I think all the main issues are well-covered now, although I believe there are techniques out there that could make it exploitable even on GPRS/3G IP networks.

    Anyway, glad to have played a part in getting this message out!

    • mambus · 1499 days ago

      So,,, How do I update my ipad2 to be safe?

      • Peter Bance · 1498 days ago

        I confess I don't know that much about the difference between the iPad and iPad 2, and whether they run different 'flavours' of iOS. I do note, though, that Apple hasn't differentiated between them in its release notes, so I'd assume you do the same as you would with any other iGadget - via iTunes on your non-mobile machine. If there isn't an update available, perhaps iPad 2 owners are lucky and not affected!

        I hope this helps...

  2. Lord Summerisle · 1499 days ago

    As an iPhone 2 user, this is incredibly annoying.

    I'm not the sort that absolutely, must, right now, immediately be seen with the very latest, bleeding edge devices. I just don't care enough about phones - I can't get excited by them.

    By the same token, I still need a quality handset that does what I need, and since 2008 my trusty iPhone has continued to fit that bill, year after year. I never had anything like a good reason to upgrade; nor could I really afford to. To now find I essentially cannot trust its SSL implementation, is a showstopper for me that will force me to cast aside a perfectly good, working phone in mint condition.

    While I don't expect iOS to be engineered to run on old hardware and be held back, I rather would hope Apple would take the large user base of 'old' iPhones seriously and issue a patched iOS release. Apple - we don't expect the latest and greatest software features implemented on old kit, but come on - security is a basic 'ask'.

    Sadly, and I can't believe I'm doing this, but I'm actually thinking of jumping ship to Android. And when iDroid becomes stable, I shall be flashing that onto my 'crusty', hideously old-fashioned and clearly socially unacceptable old iPhone. That way, a perfectly good handset doesn't go to waste.

    I wonder how many will ditch their old iDevices that would otherwise be OK to use, and what effect that will have on the environment? But for a little patch....

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.