Apple's iPhone, iPad and Mac Users at Risk with New Encryption Flaw: Understanding the Threat
By Precious Silva | February 27, 2014 5:07 PM EST
Apple made a subtle mistake in its implementation of a basic encryption feature. The feature is meant to protect data from attackers trying to snoop on it, and desktop applications rely on the same code. The subtle mistake put a considerable number of users at risk of data theft and similar abuse. What went wrong?
Craig Federighi, Apple Inc. Senior Vice President of Software Engineering speaks on stage during an Apple event in San Francisco, California. Reuters
Apple released a patch for its iOS mobile platform on Feb 21. A fix for desktop computers followed a few days later. Many desktop applications depend on the faulty code library, Secure Transport.
According to Ashkan Soltani, an independent privacy and security researcher, the mistake exposes a number of Apple and non-Apple applications. Affected programs include the Software Update application, the Safari browser, iBooks, Calendar, FaceTime, Mail, Keynote and similar programs.
Affected third-party software includes desktop Twitter applications and virtual private network (VPN) connections. The extent of the exposure depends on how each program is configured.
The Secure Transport library sets up encrypted connections for apps on iOS 6 and later and on OS X 10.9 and later. According to Mr Soltani, the majority of Web pages that handle sensitive personal data do so over TLS (Transport Layer Security) or its predecessor SSL (Secure Sockets Layer). These protocols establish an encrypted connection between the server and the user's computer, so that anyone who intercepts the traffic sees only unreadable data.
Apple's mistake allows attackers to conduct a man-in-the-middle attack: they can feed Secure Transport fake data disguised as coming from an authentic Web service, and the library accepts it.
"This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server," Alex Radocea, senior engineer with the computer security firm CrowdStrike, explained in a post on Feb 21. CrowdStrike reviewed Apple's patch for iOS following its release.
Adam Langley, a Google software engineer, pointed out how deeply buried in the code the flaw is.
"This sort of subtle bug deep in the code is a nightmare," Mr Langley said.
"I believe that it's just a mistake and I feel very bad for whomever might have slipped in an editor and created it," he added.
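The article does not show the defect itself. The widely reported root cause was a duplicated, unconditional `goto` that made the handshake's signature check unreachable, so a server presenting a forged signature was accepted as genuine. The C block below is an added reconstruction of that bug class written for this page; it is not Apple's Secure Transport source, and every type, function and error name in it is hypothetical. It places the vulnerable routine beside its corrected form and runs both against a constructed genuine peer and a constructed impostor.

```c
#include <stdio.h>

/* Added illustration of the bug class described in the article: a TLS
 * handshake verification routine in which one check becomes unreachable,
 * so a forged server passes. Hypothetical reconstruction, not Apple's
 * Secure Transport source; every name here is invented. */

enum {
    ERR_NONE     = 0,  /* handshake step accepted */
    ERR_BAD_HASH = 1,  /* hashing the key-exchange parameters failed */
    ERR_BAD_SIG  = 2   /* server's signature over those parameters is invalid */
};

/* Constructed stand-in for the handshake state: whether each stage
 * of the check would genuinely pass for this peer. */
typedef struct {
    int hash_ok;    /* the parameter hash could be computed */
    int sig_valid;  /* the signature really verifies under the server's key */
} handshake_t;

static int hash_params(const handshake_t *h)
{
    return h->hash_ok ? ERR_NONE : ERR_BAD_HASH;
}

static int verify_signature(const handshake_t *h)
{
    return h->sig_valid ? ERR_NONE : ERR_BAD_SIG;
}

/* Vulnerable form. The second `goto fail;` is not guarded by the `if`,
 * so whenever hashing succeeds control jumps to `fail` with err still
 * ERR_NONE, and verify_signature() is never called. An impostor with a
 * forged signature is therefore reported as verified. */
int verify_server_key_exchange_buggy(const handshake_t *h)
{
    int err;
    if ((err = hash_params(h)) != ERR_NONE)
        goto fail;
        goto fail;   /* duplicated line: unconditional, skips the check below */
    if ((err = verify_signature(h)) != ERR_NONE)
        goto fail;
fail:
    return err;
}

/* Corrected form: braces make every early exit explicit, and the
 * signature check is always reached once hashing has succeeded. */
int verify_server_key_exchange_fixed(const handshake_t *h)
{
    int err;
    if ((err = hash_params(h)) != ERR_NONE) {
        goto fail;
    }
    if ((err = verify_signature(h)) != ERR_NONE) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Constructed peers: a genuine server and an impostor whose
     * signature does not verify. */
    handshake_t genuine  = { 1, 1 };
    handshake_t impostor = { 1, 0 };

    printf("buggy accepts impostor: %s\n",
           verify_server_key_exchange_buggy(&impostor) == ERR_NONE ? "yes" : "no");
    printf("fixed accepts impostor: %s\n",
           verify_server_key_exchange_fixed(&impostor) == ERR_NONE ? "yes" : "no");
    printf("fixed accepts genuine:  %s\n",
           verify_server_key_exchange_fixed(&genuine) == ERR_NONE ? "yes" : "no");
    return 0;
}
```

The defensive lesson is in the second function and in the test that distinguishes the two: a handshake with an invalid signature must be rejected, and a negative test of that kind, run against every release, is what catches a skipped check that code review missed. Mandatory braces around single-statement `if` bodies and a compiler configured to treat unreachable-code warnings as errors remove the room for this mistake in the first place.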