Apple patches long-standing iPhone bug that left data vulnerable for years
On February 21st, Apple released iOS 7.0.6 with release notes that simply described it as “a fix for SSL connection verification.” The story actually goes deeper than that, with darker and more troubling implications.
The recently released iOS 7.0.6, iOS 6.1.6, and OS X Mavericks 10.9.2 updates fixed a major security flaw that has existed on the iPhone since the introduction of iOS 6 in 2012. The flaw left iOS devices open to “man-in-the-middle” hacker attacks when using devices on unsecured networks.
The issue relates to how iOS 7 validates SSL certificates. SSL certificate validation is a security mechanism designed to verify the identity of whatever you’re connecting to. Think of it as checking the “digital signature” of websites such as Facebook or Google.
The security flaw is actually the result of a simple case of really poor programming. An extra “goto” statement in the code caused the SSL signature verification check to be bypassed entirely. So, it’s not that the verification check failed, but that the check never actually executed in the first place. This has led to the bug being nicknamed “GoToFail.”
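To make the “extra goto” concrete, here is an added, simplified reconstruction of the control-flow pattern (illustrative code, not Apple’s source): the signature check is replaced by a constructed stub, and the duplicated `goto fail;` makes everything after it unreachable, so a bad signature is still reported as success.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an earlier handshake step that succeeds. */
static int hash_update_ok(void) { return 0; }

/* Constructed stand-in for the handshake signature check: 0 on match,
   nonzero on mismatch. Real code verifies a signature with the server's key. */
static int simulated_signature_check(const char *sig, const char *expected)
{
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Vulnerable pattern: each step jumps to cleanup on error, but the second,
   unconditional goto runs every time, so the signature check below it is
   dead code and err is still 0 (success) when we reach the fail label. */
int verify_buggy(const char *sig, const char *expected)
{
    int err;
    if ((err = hash_update_ok()) != 0)
        goto fail;
        goto fail;   /* the extra, unconditional jump */
    if ((err = simulated_signature_check(sig, expected)) != 0)
        goto fail;   /* never reached */
fail:
    return err;      /* 0 even for a forged signature */
}

/* Fixed pattern: braces on every body and a single goto per check, so the
   signature check always executes and its result is what gets returned. */
int verify_fixed(const char *sig, const char *expected)
{
    int err;
    if ((err = hash_update_ok()) != 0) {
        goto fail;
    }
    if ((err = simulated_signature_check(sig, expected)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* A forged signature should be rejected; only the fixed version does so. */
    printf("buggy: %d  fixed: %d\n",
           verify_buggy("forged-sig", "real-sig"), verify_fixed("forged-sig", "real-sig"));
    return 0;
}
```

Compilers that warn on unreachable code or misleading indentation flag the buggy version, which is one reason such warnings belong in a security build.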
Potentially, any data that has traveled by means of any open network, such as a public WiFi hotspot, could have been compromised if someone with malicious intent and knowledge of the vulnerability happened to be on the same network.
Security firm CrowdStrike explained the issue: “To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”
The bug was limited to Apple’s apps and services, such as Safari and Messages. Third-party applications, such as Google Chrome, did not seem to be affected.
If you haven’t yet updated your iPhone to the latest version, it’s advised you update immediately and stay away from any untrusted WiFi networks until you get the chance to update.
Users of the iPhone 4 and later, 5th generation iPod touch, and iPad 2 and later should update immediately to iOS 7.0.6, either through iTunes or directly on the device with over-the-air updates. Those who are running iOS 6 devices should update to iOS 6.1.6. OS X Mavericks users should update to 10.9.2 using the Software Update feature on their computer.
You can test whether or not your device is vulnerable by going to https://gotofail.com in your Safari web browser.
By Alfredo Dizon, eParisExtra