February 23, 2014 at 3:30 p.m. PST
Apple just released the iOS 7.0.6 update to address a serious security issue. SSL encryption keys are not being verified, which could theoretically pose a security threat. It’s worth upgrading to iOS 7.0.6, as it patches a security flaw that could compromise private data. This issue also affects Mac OS X 10.9 Mavericks and Apple TV (2nd and 3rd generation models), in addition to the iPhone, iPad and iPod touch.
What does “SSL Connection Verification” Mean?
Secure Sockets Layer (SSL) encryption keeps the exchange of data between your browser or app (the client) and an internet entity (a server) secure. For example, when you log in to a web-based email provider, your authentication is passed using SSL encryption. This encryption makes it virtually impossible for a malicious user sniffing the network to intercept your data.
The issue with iOS and OS X Mavericks is that this secure connection is not verified. The data are still encrypted for any site using SSL. This means that only a malicious user in a privileged network position could possibly intercept your data. Additionally, a malicious site could use an SSL certificate issued by themselves instead of a valid certificate authority. They could possibly pose as a bank’s website, for example, and seem to have a legitimate, secure connection.
Adam Langley, a software engineer at Google, specializes in security. He wrote a very detailed article about this issue. The issue surfaced in open source code released by Apple, as part of OpenSSL. The problem is in the error handling code. If the SSL connection experiences an error verifying the certificate, and extra goto statement allows the connection to be established without proper verification. This could allow a malicious user in a privileged network position to access a user’s data. This is highly unlikely, but the flaw is still unacceptable.
SSL certificates are typically issued by a trusted authority, however, anyone can create their own. Developers often do this for the purpose of internal use. It is costly and time-consuming to obtain a proper SSL certificate. The server has to be vetted and the certificate must be purchased. This ensures that no malicious users can get an SSL certificate. The flaw in Apple’s code could allow any SSL certificate to be accepted as coming from a trusted authority.
There’s a few ways this vulnerability could result in a security breach. If you are on a shared WiFi network, someone on the network could perform a “man in the middle” attack. The malicious user could potentially get between you and a legitimate website, grabbing your login information or other sensitive data. For this to happen, you would have to be using a public WiFi network (at a coffee shop, for example) and the malicious user would need to be on this same network.
Another possibility is that a hacker sets up a malicious site that has a similar URL to a site that you use. If you type in the incorrect URL and it looks like the site you use, the user could intercept your information. You could also be drawn to this site by a link, email or a text message, which is known as phishing. On rare occasions, malicious sites can even appear in search results. This can happen regardless of the flaw, because malicious sites are able to get SSL certificates, but not from trusted authorities. SSL verification would protect you from these vulnerabilities. You wouldn’t be able to connect to a site with a bad SSL certificate. This doesn’t mean that SSL encryption doesn’t work for legitimate sites — it’s just not verified. This makes it easier for a hacker to pose as a legitimate website.
It’s highly improbable that anyone would be affected by this flaw, but it is theoretically possible. A lot of bad things would have to line up neatly for this to happen. Adam Langley has a server you can use to test this issue. It uses an SSL certificate with an invalid key. If your can see this site in your browser, you are affected by this bug.
UPDATE: Some users are reporting short battery life and an unusually warm device after upgrading to iOS 7.0.6. I haven’t experienced this issue. I recommended charging your device before upgrading, then unplug your device and run the update. After upgrading, follow these steps to calibrate your iPhone, iPad, or iPod touch battery.
How to Stay Secure
Not every Apple device and computer are affected. The flaw affects iOS devices running iOS 6 and 7 and Mac OS X Mavericks (10.9), as well as 2nd and 3rd generation Apple TVs.
First, download and install the 7.0.6 security update. I have installed it and so far it works well. I haven’t noticed any regressive bugs. Battery life is unaffected. The patch is about 12 MB, so it is only fixing the SSL verification issue. If your device can’t run iOS 7, Apple has made a patch for iOS 6 — 6.1.6. There’s even a patch for Apple TV.
If you have an iOS device that is compatible with iOS 7, but haven’t upgraded, you must upgrade to iOS 7 to patch this vulnerability. The iOS 6.1.6 patch is only offered to devices that cannot upgrade to iOS 7, such as the iPhone 3GS.
You can update your device by tapping Settings > General > Software Update, then follow the on-screen instructions. Make sure your device is plugged in or has sufficient battery life to run the update. The update should take no more than 10 minutes. If you are interested in following the best process for upgrading iOS, read this article. For Apple TV, go to Settings > General > Update Software, then follow the on-screen instructions.
Apple announced that Mac OS X 10.9 Mavericks has the same security flaw, but a patch has not yet been released. The update will be coming soon. In the meantime, be careful about using your Mac on public WiFi networks. Your home and office WiFi network shouldn’t be a problem, unless you have sophisticated hackers in these environments. If that’s the case, you have much bigger concerns!
If you are using a Mac with OS X Mavericks or an affected iOS device, use Chrome or Firefox for your browser. Both browsers use different SSL technologies, so they are unaffected by this issue. I verified that Chrome for iOS is not affected by this issue on an unpatched iPad running iOS 7.0.4:
The vulnerability is evident when using Safari:
The Sky is Not Falling
As with any flaw in Apple products, the media are having a field day. Journalists who don’t understand this issue are misrepresenting it as something that leaves users wide open to hackers. This is not the case. A malicious user needs to have privileged network access to exploit this vulnerability.
Apple flaws are a great way to get eyeballs on websites, however, these Chicken Little exaggerations don’t help the end-user. Whether you have the patch or not, it is extremely unlikely that your device will be compromised.
This security flaw is nothing to be thrilled about, but it is certainly nothing to lose sleep over. In the wake of the Target hacking and revelations about the NSA, it’s amusing to see the Chicken Little “sky is falling” response to this issue. OS X and iOS are still considered to be more secure than most other operating systems.
Any small flaw in Apple products is blown out of proportion. Even with this flaw, there are operating systems with far more vulnerabilities and malware issues. None of these problems make the news. This is the price Apple has to pay for popularity, although Microsoft never seemed to suffer this scrutiny during their heyday.
We can only hope that this flaw will improve Apple’s product quality. Apple has to be much more careful about their code and improve quality assurance. This awareness was gained without putting users at much risk. There are no reports that users were actually compromised by this vulnerability. It is clear, however, that Apple must take security more seriously.