A new defect has just been uncovered in the transport layer security of Mac OSX and iOS. The defect leaves all devices from the 5th gen iPod, iPad 2 and iPhone 4 onward vulnerable to hackers. It also affects newer Mac OSX versions. Apple did not comment on any known attacks, or on whether this was how it discovered the flaw. But Matthew Green, a cryptography professor at Johns Hopkins University, commented that the defect is very serious. Dmitri Alperovitch, chief technology officer of CrowdStrike Inc., identified the defect as an SSL implementation bug. Senior Google engineer Adam Langley reiterated that Apple operating systems are in real danger.
iOS and OSX SSL Implementation Bug
The discovered defect is in how the Apple operating systems carry out secure sockets layer or SSL sessions. This means that iOS and OSX cannot properly authenticate connections. This is a very serious security issue. SSL is responsible for protecting users on websites where sensitive information is entered. The defect can therefore be abused by third parties to gain access to this information. Hackers could use it to intercept all types of data exchanges between users and websites. This includes account usernames and passwords, debit and credit card information, and bank security codes. All this information is supposed to be encrypted so that it cannot be accessed by third parties.
Because of the bug in iOS and OSX, all devices running newer versions of the Apple operating systems are in great danger. For instance, one of the affected devices connected to a shared network like a Wi-Fi zone is open to attack. Any other party on the same network can access all the traffic moving to and from the device. Even communications with sites protected by HTTPS can be seen. And government agencies that have access to the data recorded by the user’s carrier can also see all the transmitted data. A hacker can also exploit this defect to pose as a protected site and intercept all communications. This puts all online transactions such as bank withdrawals and purchases in the hands of the intruder.
Security experts have discovered that the bug is a mistake that could have been easily avoided. The protocols used for SSL authentication are not new or difficult to implement. This is cause for great shame and puts a stain on Apple’s reputation. And this is not the first incident to mar the company. Very recently, evidence surfaced that the government has had complete success over the past years in hacking into iPhones.
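The mistake behind this bug is a duplicated `goto fail` statement that jumps past the signature check while the error code still says success. The following simplified C model of that control-flow error, next to a corrected form, is an added example and not Apple's source code; the function names and the stand-in hash and signature checks are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: a real TLS stack hashes the handshake parameters
   and verifies a signature over that hash. 0 means success. */
static int hash_step(const char *data) { return data ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed: the second "goto fail" is not part of the if statement, so it
   always runs. When hash_step() succeeds, err is 0 at that point, the
   signature check is skipped, and the function reports success. */
int verify_flawed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_step(params)) != 0)
        goto fail;
        goto fail;                      /* stray duplicated line */
    if ((err = check_signature(sig, expected)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected: every branch is braced, and err starts as failure, so only a
   completed signature check can turn the result into success. */
int verify_fixed(const char *params, const char *sig, const char *expected) {
    int err = -1;
    if (hash_step(params) != 0) {
        goto fail;
    }
    if (check_signature(sig, expected) != 0) {
        goto fail;
    }
    err = 0;
fail:
    return err;
}

int main(void) {
    /* "forged" vs "valid" are constructed sample values. */
    printf("flawed, forged sig: %d\n", verify_flawed("params", "forged", "valid"));
    printf("fixed,  forged sig: %d\n", verify_fixed("params", "forged", "valid"));
    printf("fixed,  valid sig:  %d\n", verify_fixed("params", "valid", "valid"));
    return 0;
}
```

Compiler warnings for unreachable code or misleading indentation flag the stray line in the flawed version, which is one reason such a mistake is avoidable.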
The defect exists in 5th gen iPods, iPad 2 and iPhone 4 and higher, and all new versions of Mac OSX. It is not yet known whether the flaw exists in earlier OS versions. The danger is more serious for Mac users, Apple reported on Friday. The company did not release any more information about how the defect was uncovered, but it did release updates and patches for the above iOS versions. There is as yet no available patch for Mac OSX. The iOS bug is not yet fixed, however, and even with the patches users are still vulnerable. Hackers can easily develop software to manipulate the defect. In a way, the patches make it worse because they give hackers an idea of how the bug works. It could take as little as a few hours to create a program that will render iOS and Mac OSX security useless. Apple declined to comment further on the issue.
VPN for iPhones and Macs Can Help
Because the flaw has to do with encryption, iOS and OSX devices can be protected by a VPN for iPhone or Mac. A VPN for iPhone is especially designed to tie in with iOS. This means it can secure all incoming and outgoing connections. The same goes for VPNs designed for OSX. What the VPN does is first encrypt all data and traffic before it passes through the network. This additional encryption will prevent hackers from being able to read communications. The VPN then sends the encrypted packets through a secure VPN tunnel. The user’s traffic is then routed through a VPN server that anonymizes the user’s activities. This prevents data interception and tracking of a user to the website where transactions take place.
iOS and OSX devices have some native VPN compatibility. But because the inherent defect was discovered in the OS, it might not be safe. There are no reports yet regarding this, but it would be safer to use an independent VPN provider. Apple is known for their proprietary attitude, so not all VPN solutions will work properly with iOS and OSX devices. Choose a VPN for iPhones and Macs that has a good track record. iPhone, iPad, iPod and Mac users who have been or will begin using VPN services from third party providers must ensure that they are connected to the VPN at all times. This will help keep their data and online transactions secure until Apple issues a permanent fix.
Updates are available for iOS 6 and iOS 7 for the bug, which first appeared in iOS 6.0 due to a code change made prior to that version’s release. There’s now also a fix for Mac OSX 10.9.2, available since Tuesday. Mountain Lion has an available update, but the relationship to the bug is not confirmed. Use gotofail.com to check if you are still vulnerable. A green message means you are OK. Yellow indicates possibly vulnerable apps. Red means you need to patch your browser, or use a different one entirely.
As the software updates were released, a report came in from FireEye that it is still possible for hackers to monitor user activity on iOS. FireEye is a security firm that has developed an iOS 7 proof-of-concept monitoring app. It works like a keylogger in that it records everything tapped on screen. FireEye is working with Apple on this vulnerability, but Apple declined to comment on the matter.