Ask The Cyber Security Expert: Should I worry about the recent Apple security vulnerability?
Its rare for Apple to release a dedicated security patch, but they have just done so. Reporting on the internet suggest it is vitally important you pay attention. We poked The Cyber Security Expert into wakefulness on a Sunday to see what he thinks.
Whats the problem?
This. In essence, it is possible for someone to impersonate a secure website, fooling Apple devices into believing they are connecting to a legitimate website. Now, the mechanism that is broken is something that most end users don’t even know exists, and which is part of a structure of trust that is flawed anyway (but thats for another day). For now its important to realise that the protocols that make up the internet offer absolutely nothing in the way of authentication or confidentiality – that is to say all information presented to a device is assumed to be accurate and there is nothing baked in to the internet itself to stop snooping.
Um. Isn’t that a major issue?
Yes, a huge one. And it’s why things like this Apple flaw happen. Essentially we’ve built a multi billion dollar social and business community on top of a set of protocols designed to be extremely resilient in the event of a nuclear war.
To get round this problem we have built mechanisms that rely on trust that is confirmed offline, through something called Certificate Authorities. This provides a means for your browser to confirm you really are connecting to your bank when you go to myonlinebanking.com.
Its a key component of this trust verification process that is broken on Apple devices.
So what does this mean for me?
If you often sit in a cafe and log into your bank, Facebook, or the William Shatner Fan Club using their wifi there is a means for your computer to check it was really connecting to the intended website before you started giving any confidential details (user name and password, or the ode to Shatner you’ve been working on).
On Apple devices that mechanism is broken, meaning someone malicious sitting in the cafe with you and connected to the same wifi could masquerade as the website you want, and essentially sit in the middle of your communications stealing your bank details and professed love of the original Trek (you may care about some data more that others).
At home, or work, on a network you trust the risk is lower. It is non trivial to intercept communications if you can’t get access to the network, but trivial if you can. This is what makes your local free wifi providing cafe a risk, but your home wifi much safer (presuming you require a password to access your home network and don’t leave it open for the neighbours or passerby to use).
What can I do?
This problem appears to have been fixed on iOS devices. So don’t delay and update now. I just did my iPhone 5S and it worked fine. iPad next.
Sadly there is currently no fix for Mac OS X. My Macbook Air running 10.9.1 is apparently vulnerable – I tested it using Safari and visiting this site.
Chrome and Firefox on my Mac reported not vulnerable. On balance I’d recommend away staying away from any Mac provided software on untrusted networks until a fix is released (which is apparently coming soon). Chrome or Firefox are good alternative browsers (though test for yourself of course – your machine may have a different configuration to mine), and Mozilla Thunderbird a good alternative mail client (yes, the mail client may well be vulnerable too, as it apparently uses the same code).
As always, if you have questions please get in touch! Find us on twitter, or use the contact form.
The Cyber Security Expert