For 18 months, some of Apple Inc.’s most popular products contained a glaring security flaw – one that had the potential to make its users vulnerable to hackers and scam artists.
The flaw has led to an outcry from numerous security experts, forced developers to rush out a software fix for iPhones, iPads and Mac personal computers, and caused the world’s largest technology company much embarrassment. But will it cause a noticeable hit to the bottom line? Not likely.
Late last week, Apple issued a security patch for its mobile devices to fix an error that has come to be known as the “goto fail” bug, after the line of code responsible. This week, it released a similar patch for its Mac computers.
The glaring error can be traced back to a single duplicated line of computer code. The code implements two related network protocols, the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS).
In simple terms, the protocols encrypt the traffic between a user’s device and a website and, while that connection is being set up, let the device check whether the site it is talking to really is what it claims to be.
For example, a high-security website, such as that of a bank, may use a secure “certificate” to establish that it really is the bank’s site and not, say, a fake site created by an opportunistic hacker.
Because of the error in the code, the affected Apple software skipped part of that check: while setting up the connection it never verified the server’s signature on the key-exchange data, so a third party able to insert themselves between the user and the site could impersonate it and read or alter the supposedly secure information flowing between them.
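The following C program is an added example, not Apple’s source code or the text of the patch. It reconstructs the shape of the bug, a duplicated unconditional `goto fail;` inside a chain of error checks written without braces, and places the corrected form beside it. The hash and signature routines are toy stand-ins (a signature is “valid” when it equals a small running hash), and the handshake values are constructed sample data; in Apple’s Secure Transport library the affected routine was the one that verifies the server’s signed key-exchange message, and the real code used SHA-1 hashing and RSA or ECDSA signature verification in place of these stubs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the hashing and signature steps.  As in the real code,
 * a return value of 0 means success and anything else is an error. */
typedef struct { uint32_t acc; } hash_ctx;

static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        c->acc = c->acc * 31u + p[i];
    return 0;
}

static int hash_final(const hash_ctx *c, uint32_t *out) {
    *out = c->acc;
    return 0;
}

/* Toy signature check: valid iff the "signature" equals the hash. */
static int verify_signature(uint32_t hash, uint32_t signature) {
    return hash == signature ? 0 : -1;
}

/* Constructed sample handshake values (assumptions for this example only). */
static const uint8_t CLIENT_RANDOM[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t SERVER_RANDOM[] = { 0xa0, 0xb1, 0xc2, 0xd3 };
static const uint8_t SIGNED_PARAMS[] = { 0x10, 0x20, 0x30, 0x40, 0x50 };

/* Buggy shape.  The second "goto fail;" is not guarded by an if, so it always
 * jumps: the remaining hash step and the signature check are never reached,
 * and err still holds the 0 from the last successful hash_update, so the
 * caller is told the signature verified. */
int verify_key_exchange_vulnerable(uint32_t signature) {
    hash_ctx ctx = { 0 };
    uint32_t hash = 0;
    int err;

    if ((err = hash_update(&ctx, CLIENT_RANDOM, sizeof CLIENT_RANDOM)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional jump */
    if ((err = hash_update(&ctx, SIGNED_PARAMS, sizeof SIGNED_PARAMS)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &hash)) != 0)
        goto fail;

    err = verify_signature(hash, signature);

fail:
    return err;
}

/* Fixed shape: the stray line is gone and every early exit is braced, so the
 * hash covers all three inputs and the signature is actually checked. */
int verify_key_exchange_fixed(uint32_t signature) {
    hash_ctx ctx = { 0 };
    uint32_t hash = 0;
    int err;

    if ((err = hash_update(&ctx, CLIENT_RANDOM, sizeof CLIENT_RANDOM)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, SERVER_RANDOM, sizeof SERVER_RANDOM)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&ctx, SIGNED_PARAMS, sizeof SIGNED_PARAMS)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &hash)) != 0) {
        goto fail;
    }

    err = verify_signature(hash, signature);

fail:
    return err;
}

/* The signature an honest server would send for the sample values. */
uint32_t expected_signature_for_sample(void) {
    hash_ctx ctx = { 0 };
    uint32_t hash = 0;
    hash_update(&ctx, CLIENT_RANDOM, sizeof CLIENT_RANDOM);
    hash_update(&ctx, SERVER_RANDOM, sizeof SERVER_RANDOM);
    hash_update(&ctx, SIGNED_PARAMS, sizeof SIGNED_PARAMS);
    hash_final(&ctx, &hash);
    return hash;
}

int main(void) {
    uint32_t good = expected_signature_for_sample();
    uint32_t forged = good ^ 1u;   /* guaranteed to differ from the real one */
    printf("vulnerable, forged signature: %d (0 = accepted)\n",
           verify_key_exchange_vulnerable(forged));
    printf("fixed,      forged signature: %d (0 = accepted)\n",
           verify_key_exchange_fixed(forged));
    printf("fixed,      honest signature: %d (0 = accepted)\n",
           verify_key_exchange_fixed(good));
    return 0;
}
```

Both functions accept the honest signature, but only the fixed one rejects a forged value; the vulnerable one returns success without ever looking at it, which is exactly what let an attacker on the network complete a handshake with keys of their own choosing. Two compiler checks would have caught this: clang’s `-Wunreachable-code` flags the dead statements after the unconditional jump, and gcc 6 and later flag the misleading layout with `-Wmisleading-indentation`. Mandatory braces on every `if` body remove the trap entirely.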
In reality, the likelihood of that happening to any given user, even with Apple’s security flaw, is low. The malicious user exploiting the vulnerability would need to be positioned on the network path between the victim and the site, for example by controlling or sharing the wireless network the victim uses to get online. (As such, the flaw is perhaps most dangerous for users who spend a lot of time on easily accessible networks, such as the free WiFi offered by some coffee shops.)
But what alarmed many security analysts and Apple customers are the circumstances surrounding the security lapse. For one thing, the error affects virtually any application on the affected devices that relies on Apple’s built-in SSL/TLS library to connect to the Internet, including Safari and Mail; only software that ships its own SSL/TLS implementation, such as the Chrome and Firefox browsers, was unaffected. The problem also spans a range of Apple devices, from iPhones to iPads to Mac computers. Most concerning, the vulnerability has existed, unfixed, for a year and a half.
“It’s difficult to overstate the seriousness of this issue,” wrote security expert Aldo Cortesi, who reconfigured a popular network tool to exploit the Apple error, as a means of showing how relatively easy it would be for a malicious actor to do the same.
For years, Apple computers were seen as a safe haven from the myriad viruses that plagued Windows-based machines. Indeed, many Mac computer owners bragged about the technology’s relative lack of malware, bug-filled code and the so-called “blue screen of death” that all too often struck Windows machines.
But Apple’s new security lapse – about which the company has said very little, beyond issuing the software fixes – comes at a time when companies such as Target and information security firm RSA have had to deal with the fallout from massive security and privacy breaches.
And yet, perhaps because of the highly technical nature of such breaches, or perhaps because many users simply don’t care enough about them, Apple’s error shows little sign of affecting the company’s business in any significant long-term way.
Apple shares are down slightly since news of the security flaw exploded – dropping about 5 per cent over five days. But the only way that Apple will suffer lasting damage is if this security flaw shows real evidence of user harm, or if it proves to be the first of many such problems, said Neil Bearse of the Queen’s University School of Business.
“How much do ordinary people like you and I understand the ins and outs of SSL? Not very much,” Mr. Bearse said. “Without any knowledge of people getting hacked, there’s little damage for Apple long term.”