Apple's iPhone, iPad and Mac Users at Risk with New Encryption Flaw: Understanding the Threat

By @peevesky on
Craig Federighi, Apple Inc. Senior Vice President of Software Engineering, speaks on stage during an Apple event in San Francisco, California. Reuters

Apple made a subtle mistake in its implementation of a basic encryption feature, one that is supposed to protect data from attackers trying to snoop on it. Desktop applications rely on the same code. The subtle mistake put a considerable number of users at risk of data theft and similar wrongdoing. What exactly went wrong?

Apple released a patch for its iOS mobile platform on Feb 21. A few days later, the company released a fix for its desktop computers, whose applications often depend on the faulty code library, Secure Transport.

According to Ashkan Soltani, an independent privacy and security researcher, the mistake affects a number of Apple and non-Apple applications. Affected programs include Software Update, the Safari browser, iBooks, Calendar, FaceTime, Mail, Keynote and similar programs.

Affected third-party software includes desktop Twitter applications and virtual private network (VPN) connections. The extent of the damage depends on how each program is configured.

The Secure Transport library sets up encrypted connections for apps on iOS 6 and later, and for applications on OS X 10.9 and later. According to Mr Soltani, the majority of Web pages that handle sensitive personal data do so over TLS (Transport Layer Security) or SSL (Secure Sockets Layer). These protocols establish an encrypted connection between the server and the user's computer, so anyone who intercepts the data sees only unreadable ciphertext.

Apple's mistake allows hackers to conduct a man-in-the-middle attack: an attacker can feed fake data to Secure Transport while posing as an authentic Web service.

"This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server," Alex Radocea, senior engineer with the computer security firm CrowdStrike, explained in his post on Feb 21. CrowdStrike reviewed Apple's patch for iOS following its release.

Adam Langley, a Google software engineer, pointed out how deeply buried in the code the flaw is.

"This sort of subtle bug deep in the code is a nightmare," Mr Langley said.

"I believe that it's just a mistake and I feel very bad for whomever might have slipped in an editor and created it," he added.
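As an added illustration, not Apple's code and not taken from this article: the flaw was widely reported as a single duplicated `goto fail;` line in Secure Transport's handshake signature check, and the toy C routine below reproduces that shape beside its corrected form. The helpers `toy_hash`, `toy_verify`, `verify_vulnerable` and `verify_fixed` are assumed stand-ins for the real primitives, and the parameter bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef int OSStatus;                       /* 0 means success, as in Secure Transport */
enum { errOK = 0, errEmpty = -1, errBadSig = -2 };

/* Toy hash (stand-in for the real digest): XOR-fold the signed parameters. */
static OSStatus toy_hash(const uint8_t *params, size_t len, uint8_t *out) {
    if (len == 0) return errEmpty;
    uint8_t h = 0x5a;
    for (size_t i = 0; i < len; i++) h ^= params[i];
    *out = h;
    return errOK;
}

/* Toy signature check (stand-in for the real verify): valid iff sig == hash. */
static OSStatus toy_verify(uint8_t hash, uint8_t sig) {
    return hash == sig ? errOK : errBadSig;
}

/* Vulnerable form: the second `goto fail;` sits outside the `if`, so it is always
 * taken with err still errOK; toy_verify() is dead code and any signature passes. */
OSStatus verify_vulnerable(const uint8_t *params, size_t len, uint8_t sig) {
    OSStatus err; uint8_t hash;
    if ((err = toy_hash(params, len, &hash)) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    err = toy_verify(hash, sig);            /* never reached */
fail:
    return err;
}

/* Hardened form: the duplicate removed, so a forged signature is rejected. */
OSStatus verify_fixed(const uint8_t *params, size_t len, uint8_t sig) {
    OSStatus err; uint8_t hash;
    if ((err = toy_hash(params, len, &hash)) != 0)
        goto fail;
    err = toy_verify(hash, sig);
fail:
    return err;
}

int main(void) {
    const uint8_t params[] = {0x01, 0x02, 0x03};  /* constructed; toy hash is 0x5a */
    printf("vulnerable, forged sig: %d\n", verify_vulnerable(params, 3, 0x00));  /* 0 */
    printf("fixed, forged sig:      %d\n", verify_fixed(params, 3, 0x00));       /* -2 */
    printf("fixed, genuine sig:     %d\n", verify_fixed(params, 3, 0x5a));       /* 0 */
    return 0;
}
```

The vulnerable routine reports success for a forged signature, which is exactly the condition that lets a man-in-the-middle pose as the trusted server.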
