Apple security flaw allows hackers to beat encryptionJOSEPH MENN
A major flaw in Apple devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company says.
Apple released a fix late last week for mobile devices running iOS, such as iPhones, iPads and iPods. While many will update automatically, users are advised to run a software update on their Apple devices (Settings > General > Software Update).
The company said it will issue a software update "very soon" to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers.
Confirming researchers' findings that the security flaw in mobile devices also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller said: "We are aware of this issue and already have a software fix that will be released very soon."
Once that fix came out, experts dissected it and saw the same fundamental issue in the operating system for Apple's personal computers.
That started a race, as intelligence agencies and criminals will try to write programs that take advantage of the flaw on Macs before Apple pushes out the fix for them.
"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.
According to Apple, the update "provides a fix for SSL connection verification". SSL, or secure socket layer, allows data to be encrypted when sent over the internet. It is shown to users with the website prefix "https" and the symbol of a padlock.
The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike.
The flaw allows hackers to intercept emails to or from a users phone, and alter them to "deliver exploits to take control of your system," said Alperovitch.
The flaw is so odd in retrospect that researchers faulted Apple for inadequate testing and some speculated it had been introduced deliberately, either by a rogue engineer or a spy. Former intelligence operatives said the best "back doors" often look like mistakes.
Muller declined to address the theories.
Adam Langley, who deals with similar programming issues as a Google engineer, wrote on his personal blog that the flaw might not have shown up without elaborate testing.
"I believe that it's just a mistake and I feel very bad for whomever might have slipped," he wrote.
The problem lies in the way the software recognises the digital certificates used by banking sites, Google's Gmail service, Facebook and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
In addition to intercepting data, hackers could insert malicious web links in real emails, winning full control of the target computer.
The intruders need to have access to the victim's network, either through a relationship with the telco carrier or through a Wi-Fi wireless setup common in public places. Industry veterans warned users to avoid unsecured Wi-Fi until the software patch is available and installed.
The bug has been present for months, according to researchers who tested earlier versions of Apple's software. No one had publicly reported it before, which means that any knowledge of it was tightly held and that there is a chance it had not been used.
But documents leaked by former US intelligence contractor Edward Snowden showed NSA agents boasting that they could break into any iPhone, and that had not been public knowledge either.
Apple did not say when or how it learned about the flaw.