Apple released the iOS 7.0.6 update on Friday, stating in a very subtle manner that a security bug had been fixed. The flaw turned out to be very important, allowing hackers to access or intercept encrypted data from users. Apple’s support page reported the bug without emphasis: “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” It briefly described the flaw with another short statement: “Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.”
Unfortunately, Apple failed to convey the gravity of this vulnerability. No statement was made as to when they learned about the security flaw or whether it had been exploited. Adding to the situation, the same flaw exists on OSX and has not been patched just yet, but Apple stated it shouldn’t be long before an update is rolled out. There have been reports that the flaw has existed since the release of iOS 6.0 back in 2012.
What Does This All Mean?
The situation could not be more serious. Let me quickly explain what this flaw is for the average everyday user. SSL is the security used to encrypt your personal data. It stands for Secure Sockets Layer, and it ensures that all communications between your computer and other points on the internet remain safe. For example, when sending an email, using online banking or making an online purchase, SSL encrypts the data to ensure no one else can intercept or access your sensitive information. You can check if SSL is turned on in your browser, usually by looking for a lock icon that appears near the address bar. Additionally, websites secured with SSL have ‘https://’ at the start of the URL.
When the encryption is compromised, cyber criminals can intercept the data while it is being transmitted. For example, when you log in to your email, you send your login information to the mail server, such as Yahoo or Gmail. That login information can be captured as it is being sent to the mail servers, and now the hacker has your credentials.
Hackers could achieve this very easily if they can connect to the same network as the Apple device. For example, if you are at your local coffee shop, connected to their Wi-Fi, a hacker in the same shop can spot your Apple laptop and take advantage of the flaw to steal data you transmit while surfing.
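To make “failed to validate the authenticity of the connection” concrete, here is an added example (written for this article, not Apple’s Secure Transport code, and not the defective routine itself) showing the two client-side validation steps that protect a session against an attacker on the same network: checking that the server’s certificate chains to a trusted authority, and checking that the certificate actually names the host you asked for. It uses Python’s standard ssl module; the function names make_strict_context, make_unvalidated_context, validation_gaps and probe are this example’s own, and the “unvalidated” context is only a stand-in for what a client with missing validation steps effectively does: accept any certificate from anyone.

```python
import socket
import ssl

# Added illustration, not Apple's code. A client that skips validation accepts
# whatever certificate the other end of the connection presents, which is
# exactly what lets someone on the same Wi-Fi stand in for the real server.


def make_strict_context() -> ssl.SSLContext:
    """Client context that performs full validation (the behaviour a fixed client has)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True                     # certificate must name the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED           # certificate must chain to a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse obsolete protocol versions
    return ctx


def make_unvalidated_context() -> ssl.SSLContext:
    """Client context with the validation steps switched off (illustrates the weak state).

    Python refuses to set CERT_NONE while check_hostname is True, so the hostname check
    has to be disabled first. Nothing here inspects who presented the certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validation_gaps(ctx: ssl.SSLContext) -> list[str]:
    """Return short tags for each validation step the context skips.

    An empty list means the context verifies the chain, matches the hostname and
    refuses protocol versions older than TLS 1.2.
    """
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain")      # server certificate not checked against trusted CAs
    if not ctx.check_hostname:
        gaps.append("hostname")   # certificate subject not matched to requested host
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        gaps.append("protocol")   # would negotiate TLS 1.0/1.1 or SSLv3
    return gaps


def probe(host: str, ctx: ssl.SSLContext, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection with the given context and report how it went.

    With a strict context a handshake failure (ssl.SSLCertVerificationError) is the
    desired outcome when the far end is not who it claims to be; with an unvalidated
    context the handshake simply succeeds and no error is raised. Needs network access.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()          # empty dict when validation is off
                return {
                    "ok": True,
                    "version": tls.version(),
                    "subject": cert.get("subject", ()) if cert else (),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"validation rejected the server: {exc}"}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Offline comparison of the two configurations.
    for name, ctx in (("strict", make_strict_context()),
                      ("unvalidated", make_unvalidated_context())):
        print(f"{name:12s} skips: {validation_gaps(ctx) or 'nothing'}")
    # Optional live check against a host of your choice (requires network):
    # print(probe("example.com", make_strict_context()))
```

The point of validation_gaps is that the dangerous configuration is not visibly different from the safe one when a connection simply “works”; both contexts complete a handshake against a genuine server. Only the strict context refuses to talk to an impostor, which is why the distinction matters on a shared network.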
Matthew Green stated to Reuters that the situation is “as bad as you could imagine, that’s all I can say.” Pretty scary. More Apple users need to become aware of this and stop believing that using Apple devices will automatically keep them safe online.
Apple did not comment on how the error was made. It is an embarrassment that such an advanced and established brand would let this persist since the release of iOS 6.0. Recent leaked intelligence documents had already brought unwanted attention to Apple, claiming that authorities had the ability to break into any iPhone without fail, showing how weak the security was to start with. Those who knew about the flaw undoubtedly used it for large-scale corporate spying.
How To Fix It Or Stay Safe?
If you have an iOS device (iPhone, iPad or iPod), we highly suggest you download the latest update right this moment if you haven’t done so yet. Update to iOS 7.0.6 on newer devices; 3GS devices require the iOS 6.1.6 update instead.
What about OSX? If you are using an Apple computer, we urge you to stay off public Wi-Fi, and if you must use it, do not access personal information, email or banking, or make online purchases. Keep in mind that, now that the flaw has been reported, a flood of cyber-criminals will attempt to exploit unsuspecting users who browse with Safari. A good way to stay safe is to use the third-party browsers Chrome and Firefox, which are not affected by the OSX SSL flaw.
You should be okay on your own secure network; local businesses using Apple devices should probably keep public Wi-Fi turned off until an official patch is released. Although there is an unofficial patch, it is not easy to install for beginners, and we suggest waiting until Apple releases the fix to avoid any future operating system glitches. As mentioned, Apple advised that the fix will be released “very soon”.
In the meantime, if you must browse secure sites or access personal accounts, at the bare minimum do not use Safari. You can also check out some extra security features by reading our dedicated article on Mac OSX VPNs.