By now, millions of people know that Apple – the world’s largest technology company – released an innocuous-sounding update to fix a critical security flaw in its iPhones and iPads late Friday afternoon.
Coincidentally, Friday is often the time of the week where bad news goes to get buried – and what this update sought to fix was as bad as bad news gets.
For over 18 months, it has been trivial for an attacker to lay your digital life bare. Almost all of Apple’s devices – and more recently, some of its computers – have been vulnerable to digital eavesdropping since September 2012. Someone with control of your favourite coffee shop’s router, say, could intercept seemingly encrypted information as it makes its way to Facebook, or the website of your bank.
We’re going to explain what’s going on and why you should be concerned. But before you continue reading we recommend you stop what you’re doing and update your devices now. iPhones, iPads and iPod Touch devices running iOS 7 are affected – but the bug is so serious that there’s a rare update for older generation devices still running iOS 6, too. The bug also exists in Apple computers running the latest versions of OS X, Mavericks version 10.9 and higher. A patch for affected Macs was only just released this afternoon.
So, what happened?
The security layer that is supposed to prevent this sort of thing from happening was waylaid by a very simple bug. A single line of code, somehow inserted where it did not belong, invalidated a very, very important security check.
The repercussions, according to an Apple security disclosure, are this: “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”
In English, there are two protocols that are fundamental to the secure transfer of data on the Internet today. One is called Secure Sockets Layer, or SSL, and the other is Transport Layer Security, or TLS. Broadly speaking, the two protocols handle the same thing – the encryption of data being transferred between you and remote servers. That server could be Google or Facebook. It could be your bank.
When you try to connect to a website or service that uses one of these two protocols, your computer and the remote server do a sort of digital handshake. Verification keys are exchanged. The server uses your keys to confirm that you are, indeed, who you say you are, and your device is supposed to do the same for the server.
Except, in this case, Apple devices weren’t conducting the requisite server checks.
That “privileged attacker” Apple mentioned in its security disclosure could be the guy in the coffee shop on his laptop working on a “screenplay.” It could be your boss. Essentially, anyone with access to the gateway through which you connect to the Internet – usually a router or switch – could masquerade as anyone, from Facebook to your bank.
This attacker could, unbeknownst to you, conduct what is called a man-in-the-middle attack. He or she could simply siphon off your data as it is being sent and received, or even modify data as it passes through.
What makes this bug so alarming is that, to the user, there’s no sign that anything is amiss. Everything happens behind the scenes. You can usually trust that a connection is secure by the presence of a lock icon, somewhere near your web browser’s address bar. But now that icon is impossible to trust. Connections many believed to be secure may have been anything but.
It’s important to remember that this bug affects far more than just browsing. It affects apps, services – pretty much anything that communicates over the Internet using Apple’s implementation of SSL or TLS. That means the Calendar and Mail apps on your Mac and iPhone are vulnerable, for example, as are countless other third-party apps that rely on Apple’s security code.
Software such as Google Chrome and Mozilla’s Firefox web browser, however, which use alternate implementations of SSL and TLS, are believed to be secure.
On a large scale, man-in-the-middle attacks are hard to pull off. What’s more likely is a localized attacker compromising the router at your home, or at a restaurant or bar. As such, the likelihood that your data was captured over the past 18 months is slim – but all bets are off now that the exploit is more widely known.
Proof-of-concept attacks already exist, in fact. There is still some cause for alarm. So update your Apple devices, and as always, exercise common sense. Wireless networks – and the devices we use to connect to them – are rarely as secure as we believe them to be.