Apple recently released iOS 7.0.6 and 6.1.6 to address a dangerous security hole in the mobile operating system. If you haven’t updated your device yet, do it now; it’s important.
While Apple has fixed the issue for iPhone and iPad users, the vulnerability still exists in Mac OS X.
So, what exactly is the vulnerability; what data is at risk?
The vulnerability is in the way Apple’s software “handshakes” with secure servers on the internet. For a detailed explanation, the Wikipedia article on SSL/TLS is excellent. To sum it up, SSL (and its successor, TLS) is a protocol that facilitates a virtual “handshake” between your computer and a server. If you go to http://www.google.com, your browser loads the non-secure version of google.com. If you change the URL to add an S to the “http”, you get https://www.google.com, and your computer checks Google’s SSL credentials to verify the server’s identity. The visual cue that you are viewing a secure site is a padlock, usually in the browser’s address bar.
This handshake is where Apple’s vulnerability becomes a problem. Apple’s software checks for the SSL credentials, but it can easily be tricked by a “man in the middle” attack, in which someone fakes SSL credentials and Apple’s software thinks it is connected securely to the right server.
So what data is at risk? Theoretically, lots.
Which Apps should I stop using?
Only Apple’s own apps are in danger. If you use Google Chrome or Firefox for web browsing, you’re ok browsing the web.
BUT, Apple’s Mail program is vulnerable. Some people use SSL certificates to communicate securely via email. Mail’s secure communication is vulnerable until Apple releases an update to close the hole. Additionally, Apple’s Calendar app, FaceTime, Keynote, Twitter, and iBooks are all at risk.
Am I at risk all the time?
Honestly, if you’re practicing good internet security, you’re probably fairly safe.
In order for someone to take advantage of the security hole, they would have to be connected to the same local network as you. Meaning, they would have to be on your home or work wifi. To be safe online, limit the work you do on networks other than your safe home or work network. If you’re at the coffee shop, airport, public library, or ANY NETWORK YOU’RE NOT CONFIDENT IS SECURE, make sure you use Firefox or Chrome to access your email and calendar instead of Apple’s Mail and Calendar programs.
If you have a VPN connection to your work network, use it.
This security flaw is a great opportunity to think about network security. Is your home wifi protected? Have you changed the default passwords from when your network was originally installed? Is it worth it to set up a VPN connection, or invest in a VPN service? Have you applied all available software updates?
It’s becoming more and more important to have a grasp on good practices for keeping safe online. Never hesitate to reach out to someone (feel free to email me) who knows more about this if you’re unsure.
UPDATE 2/25/2014: Apple has released an update to fix this issue. Read more about it here.