Apple pushes out iOS 8.1 – kills the mobile POODLE and closes some, ahem, “backdoors”

Hot on the heels of Apple’s OS X Security Update 2014-005 comes iOS 8.1.

It’s only just over a month since iOS 8 came out.

We almost immediately received iOS 8.0.1 to fix some bugs, and 8.0.2 a couple of days after that.

But neither of those versions was listed by Apple as a security update.

iOS 8.1, on the other hand, is all about security: cryptographic security, as it turns out.

iOS 8.1 kills POODLE

The marquee vulnerability fixed in iOS 8.1 is, as you might expect, POODLE.

That’s the security downgrade bug that could allow a crook to trick your browser into using an old and crackable cryptographic protocol when it makes a secure connection.

That gives the crook a fighting chance of extracting a small amount of confidential data from the session, which could include critical security information such as authentication cookies.

POODLE teaches us an important lesson about cryptography: backwards compatibility with outdated protocols is a bad idea, because it forces us to live with the risks of the past.

But there are other cryptographic fixes in iOS 8.1 that are equally important, and just as informative about the intricacies of cryptography.

Unencrypted Bluetooth pairing

The first fix in Apple’s list is a patch to the Bluetooth stack.

It seems that in iOS 8, unencrypted Bluetooth connections were accepted if they came from HIDs, or Human Interface Devices.

Your iPhone already has a keyboard (the on-screen one) accessible to anyone with physical access to an unlocked device, so allowing unencrypted connections from add-on HIDs sounds as though it should be low risk.

But an unencrypted connection means that there is no shared secret between that device and your iPhone, and thus no way to authenticate the device when it connects.

So, other devices could pretend to be an already-paired-up HID, and thus pair automatically with your iPhone, even though your device had never seen them before.

Bluetooth pairing is not supposed to be possible without your approval, for obvious security reasons, so this bug was fixed.

The solution was simple: don’t allow unencrypted HID connections.

By the way, that echoes a principle you will hear us espousing in our Chet Chat podcasts on a regular basis: if you always use encryption, you never have to worry about the places where you haven’t used encryption!

House Arrest repaired

Additionally, iOS 8.1 includes a fix labelled House Arrest by Apple.

At first glance, you might be excused for assuming that this is a fancy new vulnerability named in the style of Shellshock or Heartbleed.

In fact, it’s the name of the internal component that Apple just fixed.

The bug is an intriguing one, documented in the middle of 2014 by security researcher Jonathan Zdziarski.

Very greatly simplified, iDevices have a low-level service called com.​apple.​mobile.​house_arrest, apparently used by iTunes to push and pull data files to and from third party applications.

This sounds a bit like a backdoor – giving iTunes a special interface to access your device in a way that you can’t do yourself.

But as long as the files moved around this way are encrypted with a password known only to you, and not to iTunes, data can’t actually leak.

Except, as Apple now puts it, “[f]iles could be transferred to an app’s Documents directory and encrypted with a key protected only by the hardware UID.”

The hardware UID is generated by iOS when you setup your device, rather like the IMEI on a regular mobile phone, so it isn’t a password provided by you, or a secret known only to you.

In other words, someone who gets hold of your phone could use the iTunes “backdoor” to read the content of files that you might reasonably expect to be stored securely.

Apple’s solution was, again, a simple but effective one: use encryption keys derived both from the hardware UID and from your own passcode for encryption.

The bottom line

Firstly, cryptography is harder than it looks.

Secondly, if you are an iOS user, get this update, because it will definitely boost your security.