Update your iOS devices now!
Feb 23, 2014 // Security //

Apple have just released iOS 7.0.6. Part of this release is a fix for a bug that undermines the security of every encrypted connection: SSL or TLS sessions on devices prior to 7.0.6 are far from secure.

So, what’s the issue? Well, anything, literally anything, you do on your device that you expect to be transmitted over a secure connection can be captured and/or modified by an attacker: your usernames and passwords, your credit card details, your banking app, iTunes, iCloud. I am struggling to think of an issue that could have been worse for Apple to have to identify.

The Secure Transport component of the operating system has been failing to validate the authenticity of the certificate, and so the identity, of the system the device is talking to over the supposedly secure connection. In Apple’s SSL security library is a function named SSLVerifySignedServerKeyExchange(). Within this function is a duplicated goto fail; statement. There should be just one goto fail; at that point, but because the second, unconditional one is present, execution jumps past the signature check to the cleanup label, so the SSL signature verification never fails and a vital verification step in the SSL handshake is skipped.
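To show why the duplicated line has that effect, here is an added illustration written for this post; it is not Apple’s Secure Transport source. It keeps the shape of SSLVerifySignedServerKeyExchange() (a chain of checked calls that each “goto fail” on error, then a final signature check, then a shared cleanup label) but swaps in a toy hash, a toy signature comparison, constructed handshake bytes and a made-up failure status, all labelled as such in the comments. The vulnerable form and the corrected form sit side by side so the difference in control flow can be seen directly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustration only: toy stand-ins for SecureTransport's SSLHashSHA1 and the
 * real signature verification. Status codes and inputs are constructed. */

typedef int OSStatus;
enum { VERIFY_FAILED = -1 };   /* constructed failure status, not Apple's errSSL* codes */

/* Toy "hash": XOR every byte into one accumulator. Always succeeds, like the
 * hash update calls on the path where the real bug sits. */
static OSStatus toy_hash_update(uint8_t *acc, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) *acc ^= buf[i];
    return 0;
}

/* Toy signature check: valid iff the one-byte "signature" equals the hash. */
static OSStatus toy_verify(uint8_t hash, const uint8_t *sig, size_t sigLen) {
    return (sigLen == 1 && sig[0] == hash) ? 0 : VERIFY_FAILED;
}

/* Constructed handshake inputs shared by both variants below. */
static const uint8_t CLIENT_RANDOM[] = {0x01, 0x02, 0x03};
static const uint8_t SERVER_RANDOM[] = {0x10, 0x20, 0x30};
static const uint8_t SIGNED_PARAMS[] = {0xAA, 0x55};

/* Vulnerable shape: the second "goto fail;" is not inside any if, so it always
 * runs. err still holds the 0 from the last successful hash update, and the
 * signature check that follows is never reached. */
static OSStatus verify_vulnerable(const uint8_t *sig, size_t sigLen) {
    OSStatus err;
    uint8_t hash = 0;

    if ((err = toy_hash_update(&hash, CLIENT_RANDOM, sizeof CLIENT_RANDOM)) != 0)
        goto fail;
    if ((err = toy_hash_update(&hash, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
    if ((err = toy_hash_update(&hash, SIGNED_PARAMS, sizeof SIGNED_PARAMS)) != 0)
        goto fail;
        goto fail;                      /* the stray duplicate: indented, but unconditional */
    err = toy_verify(hash, sig, sigLen); /* unreachable */

fail:
    return err;                          /* returns 0 (success) for any signature */
}

/* Corrected shape: the duplicate removed, so the signature is actually checked. */
static OSStatus verify_fixed(const uint8_t *sig, size_t sigLen) {
    OSStatus err;
    uint8_t hash = 0;

    if ((err = toy_hash_update(&hash, CLIENT_RANDOM, sizeof CLIENT_RANDOM)) != 0)
        goto fail;
    if ((err = toy_hash_update(&hash, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
    if ((err = toy_hash_update(&hash, SIGNED_PARAMS, sizeof SIGNED_PARAMS)) != 0)
        goto fail;
    err = toy_verify(hash, sig, sigLen);

fail:
    return err;
}

/* The hash a genuine signature would have to match for the constructed inputs. */
static uint8_t expected_hash(void) {
    uint8_t hash = 0;
    toy_hash_update(&hash, CLIENT_RANDOM, sizeof CLIENT_RANDOM);
    toy_hash_update(&hash, SERVER_RANDOM, sizeof SERVER_RANDOM);
    toy_hash_update(&hash, SIGNED_PARAMS, sizeof SIGNED_PARAMS);
    return hash;
}

int main(void) {
    uint8_t bogus[] = {0x00};                 /* a signature that should be rejected */
    uint8_t good[]  = {expected_hash()};      /* the only signature the toy check accepts */
    printf("vulnerable, bogus signature: %d\n", verify_vulnerable(bogus, 1));
    printf("fixed, bogus signature:      %d\n", verify_fixed(bogus, 1));
    printf("fixed, valid signature:      %d\n", verify_fixed(good, 1));
    return 0;
}
```

Running it shows the vulnerable path returning 0 for a bogus signature while the fixed path rejects it and accepts only the genuine value. The cause is not the goto itself but a jump that bypasses the check without setting an error; modern compilers flag exactly this pattern (GCC’s -Wmisleading-indentation, Clang’s -Wunreachable-code), which is one reason to build security-sensitive code with warnings turned on and treated as errors.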

At this time it is unclear just how far back this bug has been present, but it is certainly there up to and including iOS 7.0.5. This is why I am recommending everyone to update, as soon as possible, to iOS 7.0.6. Until you do, only use protected, trusted Wi-Fi networks and be careful about what data you are entering into your i-Devices. If you are unable to update immediately, set ‘Ask to Join Networks’ to OFF; this will prevent your devices from prompting you to connect to untrusted networks.

Why is this suddenly a major issue if the vulnerability is suspected to have been around for quite some time? Well, because it is now out in the open and the technique for capturing or intercepting the data is in the public domain. People with no special skills or talent can capture all of the data flowing to and from your i-Devices, even the data that you think is travelling over a secure connection.

What is possibly even more worrying is that the vulnerability also affects the SSL security library on OS X, meaning Apple Macs are affected too, but Apple are yet to release a patch for OS X fixing the vulnerability.

The advice again: update to iOS 7.0.6 on all devices as soon as you possibly can, over a secure Wi-Fi network, and until you do, refrain from submitting private data from the device. As for Apple Macs, I think I would just switch mine off until a patch was available!
