Posted by: Unknown
April 08, 2014
Apple's iOS vulnerable to Man-in-the-middle Attack, Install iOS 7.0.6 to Patch
Apple's latest 35.4 MB update, iOS 7.0.6, doesn't seem important at first, but it contains a critical security patch that addresses a flaw in SSL encryption.
Yes, a very critical security vulnerability that could allow attackers to intercept email and other communications that are meant to be encrypted on iPhone, iPad and Mac computers.
Apple provides very little information when disclosing security issues. 'For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,' the company said in its security advisory.
Cryptography experts immediately tried to figure out what was wrong with Apple's implementation of Secure Sockets Layer (SSL), and the details are:
Impact: The vulnerability, assigned CVE-2014-1266, affects both the iOS and OS X operating systems and is described as 'Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.' In other words, anyone with a certificate signed by a "trusted CA" can perform a Man-in-the-middle (MITM) attack.
So, if an attacker has access to a mobile user's network, for example because both are sharing the same wireless service, the attacker could intercept communication between the user and protected sites such as Gmail and Facebook.
More technical details are available here.
Practically: Apple did not say when or how it learned about the weakness, nor did it say whether the flaw was being exploited. But using such a flaw, NSA-like agencies can capture all your passwords and messages, as they did with employees of Belgium's largest telecom provider, Belgacom, by spoofing LinkedIn and Slashdot pages to compromise them.
The fundamental flaw resides in Apple's SSL implementation: by exploiting it, an attacker can bypass the SSL/TLS verification routines during the initial connection handshake and perform full interception of encrypted traffic between you and the destination server.
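To make the phrase "restoring missing validation steps" concrete, here is an added, simplified model of how the verification routine in CVE-2014-1266 came to skip a check. This is illustration code written for this page, not Apple's Secure Transport source: the real routine verified the server's signed key-exchange parameters through a chain of calls each guarded by `if ((err = step()) != 0) goto fail;`, and one duplicated `goto fail;` line made the final signature verification unreachable while `err` still held 0 from the preceding successful step. The `hash_update()` and `verify_signature()` helpers, the error codes and the sample parameters below are all constructed stand-ins (a byte sum instead of a real hash and signature), chosen only to show the control-flow defect and its fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed error codes (not Secure Transport's). */
#define ERR_OK      0
#define ERR_BADSIG  1
#define ERR_HASH    2

/* Toy "hash update": a running byte sum standing in for a real digest update. */
static int hash_update(uint32_t *state, const uint8_t *data, size_t len) {
    if (data == NULL) return ERR_HASH;
    for (size_t i = 0; i < len; i++) *state += data[i];
    return ERR_OK;
}

/* Toy "signature check": compares the running sum with the claimed signature.
 * In the real handshake this is the RSA/ECDSA verification of the
 * ServerKeyExchange parameters against the server certificate's public key. */
static int verify_signature(uint32_t state, uint32_t claimed_sig) {
    return state == claimed_sig ? ERR_OK : ERR_BADSIG;
}

/* Vulnerable form, modelling the duplicated-goto defect. The second
 * `goto fail;` is unconditional (the indentation is misleading), so
 * verify_signature() is never reached and err is still ERR_OK from the
 * last successful hash_update(). The function reports success for ANY
 * claimed signature. */
int verify_server_key_exchange_vulnerable(const uint8_t *params, size_t len,
                                          uint32_t claimed_sig) {
    uint32_t state = 0;
    int err;

    if ((err = hash_update(&state, params, len)) != 0)
        goto fail;
        goto fail;   /* duplicated line: the check below becomes dead code */
    if ((err = verify_signature(state, claimed_sig)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed form: the same steps, with braces on every guard so that no stray
 * line can silently turn into an unconditional jump. This is the shape of
 * the "restored validation step": the signature check actually runs. */
int verify_server_key_exchange_fixed(const uint8_t *params, size_t len,
                                     uint32_t claimed_sig) {
    uint32_t state = 0;
    int err;

    if ((err = hash_update(&state, params, len)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(state, claimed_sig)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Constructed handshake parameters (byte sum 10) and a deliberately wrong
 * claimed signature, used to show the two functions disagreeing. */
static const uint8_t SAMPLE_PARAMS[4] = { 0x01, 0x02, 0x03, 0x04 };
#define GOOD_SIG 10u
#define BAD_SIG  99u

int main(void) {
    printf("vulnerable, bad signature: err=%d (accepted!)\n",
           verify_server_key_exchange_vulnerable(SAMPLE_PARAMS, 4, BAD_SIG));
    printf("fixed, bad signature:      err=%d (rejected)\n",
           verify_server_key_exchange_fixed(SAMPLE_PARAMS, 4, BAD_SIG));
    printf("fixed, good signature:     err=%d (accepted)\n",
           verify_server_key_exchange_fixed(SAMPLE_PARAMS, 4, GOOD_SIG));
    return 0;
}
```

The defender's takeaways are in the second function and in the test that drives it: a negative test case (a handshake with a bad signature that must be rejected) would have caught the skipped step immediately, and a compiler's unreachable-code or misleading-indentation warning flags exactly this pattern, which is why the braces-on-every-guard style is worth enforcing in verification code.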
'Software update mechanisms which download and execute code without cryptographically verifying signatures of the downloaded code may be exploitable. However, update mechanisms which correctly employ signature verification of downloaded contents are less likely to be exploitable by this vulnerability,' John Costello, Security Researcher at CrowdStrike, said in a blog post.
Security Patch: The company has also released an Apple TV update and iOS 6.1.6 today to address the same issue. Update your Apple devices and systems as soon as possible to the latest available versions.
To check whether your web browser (especially Apple's Safari) is vulnerable to the SSL flaw, click here.
To update your iOS device, first make sure you're on a trusted, password-protected home or office Wi-Fi network. If you're running iOS 7, you'll be prompted to install iOS 7.0.6; if iOS 6, it'll be iOS 6.1.3. Tap Download and Install.
The update is available now for download from Apple's Website.