Apple’s iOS ― long reputed for its inability to be hacked ― has been hacked. An update released about a week prior fixed a gaping hole in the mobile phone’s operating system that allowed hackers and spies to infiltrate iPhones and steal sensitive data; the desktop OS update will follow shortly. So if you haven’t yet updated your iOS, hurry up and do it! Yet, the inevitable question that should be on everyone’s mind is: how could this happen in the first place?
The issue affects all operating systems across all Apple products
The bug
According to the security firm CrowdStrike, one of the first to publish information on the patch, a bug in both variants of the operating systems allowed hackers to bypass the verification that websites use to encrypt sensitive information called SSL/TLS.
SSL/TLS is what’s responsible for encrypting the data exchange that occurs between users and their e-mail providers, social networks, and even financial institutions; this is how most sensitive web traffic is kept private. Without a verification system in place, hackers gained the ability to phish across browsers on Apple products, creating artificial websites that look exactly like the real deal and fool users into entering usernames, passwords, and credit card details.
The resolution
I reiterate the recommendation I made earlier for fixing the bug: update your phone immediately! Apple has kindly provided an update for iOS 6 and iOS 7, not forcing iOS 6 users to upgrade to 7 just to obtain the patch. An update is available for Apple TV as well, but Mac users will have to wait a wee bit longer. CrowdStrike suggests users turn off the “Ask to Join Networks” setting on their unpatched mobile device and computers to avoid joining open public WiFi networks, networks which lack the security of their password protected brethren or even wireless 4G network.
Be aware that you’re still not out of the fire even if you’ve conformed to the latest update. Any information phished from will remain compromised. So take the second precautionary measure and change all pertinent passwords ever inputted on the Apple device.
The cause
Security experts have formed two leading speculations as to the cause of the bug. The first suggests that the bug was actually a backdoor implanted by the NSA to gain access to iPhone devices as was revealed by the NSA document leaks provided by former NSA contractor Edward Snowden.
The second school of thought indicates that the bug may originate from a duplicate line of code overlooked by some incompetent Apple employee, implying that Apple is lax in verifying the integrity of its code. Google Engineer Adam Langley points out that if this were the case, troubleshooting the bug would be an ordeal. “This sort of subtle bug deep in the code is a nightmare. I believe that it's just a mistake, and I feel very bad for whoever might have slipped in an editor and created it.”
Despite the multiple allegations, Apple remains quiet, citing that it does not discuss internal investigations for sake of the customer security. “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”
To a large extent, there’s no telling how information much was stolen if the bug’s existed for the last 18 months. Do yourself a favor and take the necessary precautions.
Story via Washington Post
Advertisement
