A security expert has warned that people need to upgrade the software on their iPhones and iPads or risk being caught out by a nine-year-old flaw that Apple has only just got around to fixing.
The flaw allows anyone to snoop on the supposedly secure SSL traffic of unpatched iPhones and iPads using a simple, freely available tool.
If those devices aren't patched, or users are still on older phones, attackers can easily intercept and decrypt traffic that is supposed to be protected by SSL.
Chet Wisniewski, a security researcher with UK-based Sophos, said that all a user needs to do is take their phone into a public wi-fi hotspot and they are toast.
Now Apple really has little excuse for this particular security howler. The nine-year-old bug was disclosed by Moxie Marlinspike in 2002, and that same year he released sslsniff as a proof-of-concept demonstration of a "man-in-the-middle" attack using rogue certificates. Microsoft patched the same bug in Windows' cryptographic component in 2002.
When Apple wrote its own certificate-validation code it evidently never checked the already-published SSL vulnerabilities, and so shipped without the equivalent fix.
On a whim, Marlinspike recently released a revised version of sslsniff that lets a user intercept SSL traffic with little effort, and noted that iOS devices were wide open to it.
Wisniewski said that the tool was so easy to use that his mum could use it to crack unpatched iPhones.
Apparently, from the day Jobs launched the phone, its SSL certificate parsing has never bothered to check the basicConstraints extension of the certificates in the chain, the field that says whether a certificate is actually a certificate authority (CA:TRUE) and so allowed to issue other certificates.
So a hacker who holds a legitimate end-entity certificate, the ordinary kind any website can buy, can use its private key to sign a new certificate for any domain, and iOS treats the result as 'valid' because the chain still leads back to a trusted root.
Wisniewski confirmed the bug by using the legitimate certificate for his own website to create a 'valid' certificate for PayPal. Armed with it, he could have intercepted other people's iOS traffic to the real PayPal site and stolen their usernames and passwords.
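The chain Wisniewski describes, reproduced as an added example (this is not the article's, Sophos's or Marlinspike's code, and not Apple's validation logic). In Go it builds a self-signed root, a legitimately issued end-entity certificate for a hypothetical site (www.legit-site.test is a constructed name standing in for the researcher's own domain), then uses that end-entity key to sign a certificate for www.paypal.com. A chain walker that only checks signatures accepts the rogue certificate, which is the behaviour the article attributes to iOS; the same walker with the basicConstraints check, and Go's own crypto/x509 verifier, reject it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal X.509 template. Only CAs get CA:TRUE in
// basicConstraints; everything else is an end-entity certificate.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the extension is present ...
		IsCA:                  isCA, // ... and says CA:TRUE or CA:FALSE
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
	}
	return t
}

// issue creates a certificate from tmpl signed with parentKey. When parent is
// nil the certificate is self-signed (a root). CreateCertificate does not stop
// a non-CA parent from signing; catching that is the verifier's job.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain walks leaf -> intermediates -> root, checking that each
// certificate is signed by the next. With checkCA false it reproduces the
// flaw in the article: any signed chain ending at a trusted root is accepted,
// even when an issuer is an end-entity certificate. With checkCA true every
// issuer must carry basicConstraints CA:TRUE.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, checkCA bool) error {
	cur := leaf
	issuers := append(append([]*x509.Certificate{}, intermediates...), root)
	for _, issuer := range issuers {
		// Signature check only: was cur signed by issuer's key?
		if err := issuer.CheckSignature(cur.SignatureAlgorithm, cur.RawTBSCertificate, cur.Signature); err != nil {
			return fmt.Errorf("%q is not signed by %q: %w", cur.Subject.CommonName, issuer.Subject.CommonName, err)
		}
		// The check iOS was missing: is the issuer allowed to issue at all?
		if checkCA && !(issuer.BasicConstraintsValid && issuer.IsCA) {
			return fmt.Errorf("%q is an end-entity certificate and may not issue %q", issuer.Subject.CommonName, cur.Subject.CommonName)
		}
		cur = issuer
	}
	return nil
}

// Outcome records how three validators judge the rogue chain.
type Outcome struct {
	Naive, Strict, StdLib error
}

// RogueChainOutcome builds root -> legitimate site cert -> rogue PayPal cert
// and runs it through the naive walker, the strict walker and Go's Verify.
func RogueChainOutcome() (Outcome, error) {
	root, rootKey, err := issue(newTemplate("Constructed Root CA", true, 1), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	// A legitimately issued end-entity certificate (hypothetical site name).
	site, siteKey, err := issue(newTemplate("www.legit-site.test", false, 2), root, rootKey)
	if err != nil {
		return Outcome{}, err
	}
	// The attack: use the site certificate's key to "issue" a PayPal certificate.
	rogue, _, err := issue(newTemplate("www.paypal.com", false, 3), site, siteKey)
	if err != nil {
		return Outcome{}, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(site)
	_, stdErr := rogue.Verify(x509.VerifyOptions{DNSName: "www.paypal.com", Roots: roots, Intermediates: inters})
	return Outcome{
		Naive:  verifyChain(rogue, []*x509.Certificate{site}, root, false),
		Strict: verifyChain(rogue, []*x509.Certificate{site}, root, true),
		StdLib: stdErr,
	}, nil
}

func main() {
	o, err := RogueChainOutcome()
	if err != nil {
		panic(err)
	}
	fmt.Println("naive walker (no basicConstraints check):", o.Naive)
	fmt.Println("strict walker:", o.Strict)
	fmt.Println("crypto/x509 Verify:", o.StdLib)
}
```

The naive walker deliberately uses the low-level CheckSignature, which verifies nothing but the signature; Go's CheckSignatureFrom and Verify refuse to treat a certificate without CA:TRUE as an issuer, which is exactly the rule the article says iOS skipped.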
Wisniewski said the flaw had been in iOS since day one. Had hackers tried it, they would only have caught iPhone users: Windows users would have seen a browser warning about an invalid certificate and the bogus site would have been flagged. Apple was just lucky that nobody thought to target iOS users instead.