February 24, 2014 3:58 pm

Apple apps left vulnerable to encryption flaw


TORONTO – A major security vulnerability affecting Apple devices has security experts and users worried, as the list of affected apps grows.

Ashkan Soltani, an independent security researcher, revealed on his blog that some of the core applications within Apple’s desktop operating system are linked to a security flaw within Apple’s software, leaving those who use the Safari web browser and Apple’s Mail app at risk.

The security vulnerability was discovered late Friday after Apple released a software update for iOS devices that fixed a flaw in its SSL/TLS protocols, which help keep personal information encrypted.

It was later discovered that the flaw affected not just iOS devices, but Apple’s desktop and laptop computers too.

According to Apple’s description of the software update, the older software “failed to validate the authenticity of a connection.”


SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both encryption protocols that help keep personal information private while browsing on secure sites, such as online banking sites. This also helps protect against “eavesdroppers” who may use a public Wi-Fi network to spy on what should be private communications.

The vulnerabilities facing older versions of iOS and Apple’s OS X platform are located in a programming error that skips over one of the key security checks necessary for SSL and TLS protocols, according to Soltani.

This means that users who have not updated their iOS devices to the most recent software update (iOS 7.0.6) and those using Apple’s desktop or laptop computers are left vulnerable to hackers and eavesdroppers.

“Effectively, this vulnerability allows a moderately sophisticated attacker to monitor your communications with even the most secure sites and services,” said Soltani on his blog.

“Many of the core programs on iOS and OS X rely on this library for communications, which means ANY app that relies on this library (not just Safari) was vulnerable. For example, if your Calendar or Mail app is synced to Gmail, those communications were vulnerable to eavesdroppers on the network as a result of this error.”

The FaceTime app, Keynote, iBooks, and the Twitter for Mac app are all affected by the vulnerability that has been nicknamed the “GoTo Fail.”

In a statement to Global News, Apple acknowledged it was aware of the security flaw in its OS X devices, but could not provide a definitive date as to when a fix will be issued.

“We are aware of this issue and already have a software fix that will be released very soon,” read Apple’s statement on the matter.

iPhone, iPad, and iPod users must update their devices to iOS 7.0.6 to fix the software issue.

Users can go to their Settings menu, tap General, and “Software Update,” to download and install the latest iOS software.

“I think the biggest issue I have with this story isn’t that the bug exists, but that a bug of this kind – with such wide impact – wasn’t discovered for over 5 months,” Soltani told Global News via email.

“This is the type of security unit-testing most companies do (or should be doing), especially in this day and age of government surveillance.”
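The programming error Soltani describes, and the unit test he says should have caught it, as an added illustration that is not code from the article or from Apple: the well-known shape of the “GoTo Fail” bug is a duplicated, unconditional `goto fail;` that jumps past the signature check while the error variable still holds zero, so the handshake is reported as valid for any signature. The hashing and signature functions below are hypothetical stand-ins that only mimic the library's return-code convention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the library's primitives (not Apple's API).
 * Each returns 0 on success and nonzero on failure, as handshake code does. */
static int hash_update(const char *buf, size_t len) { (void)buf; (void)len; return 0; }
static int hash_final(void) { return 0; }

/* Constructed stand-in for the signature check: only the byte string "VALID"
 * is accepted. Real code would verify an RSA or ECDSA signature here. */
static int verify_signature(const char *sig, size_t len) {
    return (len == 5 && memcmp(sig, "VALID", 5) == 0) ? 0 : -1;
}

/* Vulnerable shape: the second 'goto fail' is not guarded by any 'if', so it
 * is always taken. err is still 0 from the successful hash step, and the
 * signature check below is never reached: every signature "passes". */
int verify_server_key_exchange_buggy(const char *sig, size_t len) {
    int err;
    if ((err = hash_update("params", 6)) != 0)
        goto fail;
        goto fail;               /* the duplicated line: unconditional jump */
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(sig, len);
fail:
    return err;
}

/* Fixed shape: exactly one guarded goto per step, so the signature check runs. */
int verify_server_key_exchange_fixed(const char *sig, size_t len) {
    int err;
    if ((err = hash_update("params", 6)) != 0)
        goto fail;
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(sig, len);
fail:
    return err;
}

/* The negative unit test Soltani's comment calls for: a good signature must be
 * accepted AND a bad one must be rejected. Returns true only if both hold. */
bool rejects_bad_signature(int (*check)(const char *, size_t)) {
    return check("VALID", 5) == 0 && check("BOGUS", 5) != 0;
}
```

Running `rejects_bad_signature` against both variants shows the buggy one accepting "BOGUS", which is the single test case that would have flagged the defect.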

Unfortunately, Soltani noted that the average user wouldn’t be able to tell if they were being targeted as a result of the security flaw – only a sophisticated researcher would have the tools to do so.

The security expert recommends that users employ a different web browser such as Google Chrome or Mozilla Firefox if they are using a public Wi-Fi network.

Global News will update this article when Apple releases a software update for OS X devices.

© Shaw Media, 2014
