Apple Security Flaw Could Allow Hackers to Beat Encryption

An Apple security flaw could let hackers defeat encryption and give attackers access to sites such as Gmail and Facebook.

SSL, or Secure Sockets Layer, is one of the most basic forms of encrypting Internet traffic. Photo: sneurgaonkar/ Flickr

On Friday the tech giant said that hackers could gain access to information that is supposed to be encrypted because of a major defect in Apple’s software for mobile devices. Some experts believed that Mac computers were even more exposed.

If attackers get onto a mobile user’s network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same, reports Reuters.

“It’s as bad as you could imagine, that’s all I can say,” said Johns Hopkins University cryptography professor Matthew Green.

Apple has been mum regarding specific details of the bug. It did not explain how or when exactly it found out about the flaw, nor did it say whether the flaw was being exploited. For that reason, it is difficult to gauge the magnitude of the situation. However, a statement on its support website was rather straightforward, saying the software “failed to validate the authenticity of the connection.”

Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple’s stature and technical prowess. The company was recently stung by leaked intelligence documents claiming that authorities had a 100 percent success rate in breaking into iPhones.

“It has the potential to be a very serious issue,” said Jonathan Zdziarski, an iOS forensics expert. But he emphasized that many of the conclusions that can be drawn are only speculation, since Apple described the vulnerability only vaguely and briefly.

Apple on Friday released an update to its mobile operating system that fixes an SSL connection issue. The software had problems validating the authenticity of the connection, and the update fixes that by adding the missing steps required in the validation process, the company said in an update description page.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said. Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.

The patch is also available for older versions of Apple’s operating system, with an iOS 6.1.6 update. The fix comes weeks after another minor iOS 7 update, which had to do with network errors in China.

Apple is expected to announce its next big update, iOS 7.1, next month. According to reports, the upcoming OS version has already hit beta testing. The update will bring a slew of changes to iOS 7, including more natural-sounding Siri voices for Australian English, U.K. English, Japanese and Mandarin Chinese, according to iOS 7.1 beta 5 download notes.

Other features include the addition of Shift and Caps Lock keys on the keyboard, a new wallpaper option, a tweaked Calendar app, speed improvements and a new version of Apple TV beta software, reports MacRumors.
