Unpatched iPhones/iPads secure connections not so secure


Yesterday I wrote about Apple’s latest fixes for iWork and iOS and encouraged folks to update. Now that more information is available it is clearly critical that all users update as soon as possible, unless they only use their device for telephone calls.

Moxie Marlinspike posted a message on his blog yesterday announcing an update to a tool called sslsniff. The sslsniff tool has been around for quite some time (nine years!) and allows users to easily perform man-in-the-middle attacks against SSL/TLS connections. The new version of sslsniff knows how to identify vulnerable Apple devices and allows anyone to snoop on secure communications.

iPhone with unlock iconWHAT? Yes, you read that correctly. The flaws in iOS 4.3.4, 4.2.9 and 5.0b3 and lower are a lot more serious than Apple’s description of their fix: “This issue is addressed through improved validation of X.509 certificate chains.”

Oddly the flaw in iOS was a widespread flaw in WebKit and Microsoft’s CryptoAPI nine years ago. It allows any valid certificate purchased from a Certificate Authority to sign any other certificate, which the client device will then consider valid.

This allows anyone who can capture traffic from your iPhone, iPad or iPod Touch with man-in-the-middle techniques to intercept and read any and all encrypted SSL traffic silently and without notification to the user.

This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open WiFi.

The really bad news? If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable. Owners of these devices should not use them for any purpose for which security or privacy is required.