Apple’s System Change Reveals Security Breach

Published: February 24, 2014

Apple’s System Change Reveals Security Breach, The minor upgrade barely made a ripple on the Internet, but a closer look uncovers a threat to users., Apple released an update to the iOS 7 operating system Friday. It seemed like a minor one, and it barely made a ripple on the Internet. But a closer look reveals that the update was prompted by a coding error that left iPhones and iPads (iOS), as well as Macs (OS X), very vulnerable to attacks. In other words, if you want your online information to remain secure, update your phone. Like, right now. And pray for a fix for OS X soon.

That’s the short story. The long story begins with the brief explanatory note on “Data Security” that Apple released alongside the iOS 7.06 update Friday:

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”

If you’re a normal person, you probably have no idea what that means. Let’s translate:

SSL is short for Secure Sockets Layer. It’s a tool that keeps all the communication between your browser and your websites’ servers private and secure. TLS, or Transport Layer Security, does pretty much the same thing. As you browse, the two work together as cryptographic protocols to make sure the browser and website servers you’re interacting with are legit. They’re sort of like a Secret Service detail for your online activity.

SSL/TLS are actively working in the background of your browsing, paving the way for secure transactions whenever you log into BankofAmerica.com or make a PayPal payment. You can tell these systems are working when a little padlock symbol appears in your browser bar to the left of the website URL you’re visiting, like so:

The security breach that Apple so nonchalantly revealed on Friday allows “attackers with privileged network positions” to steal any information during your usually protected online banking sessions, or Facebooking, emailing or OkCupiding.

Just how “privileged” does a wrongdoer’s “network position” have to be? Well. In order to eavesdrop on your online activity – otherwise known as launching a “man-in-the-middle” attack – she just needs to be on the same cafe’s WiFi network as you. Not cool.

And while Apple has just released a fix for this error in iOS, there’s nothing to stop a man-in-the-middle attack from happening if you’re using OS X. We do expect that very soon, however.

Apple hasn’t offered details on how this actually happened and thus can’t speak to the specific apps affected, but cryptology experts have warned OS X users to avoid using Safari, iCal or any other app that relies on this security system to keep data secure. The only thing you can do to avoid an attack while we wait for an update is to remain on secure networks. You might want to avoid connecting to cafe networks and other WiFi hotspots not in your complete control.

0 votedvote