iPhone Insecurity? You Need to Do This If You're An Apple User


NEW YORK (MainStreet) — On Friday Apple dropped a frightening bomb that could explode in the hands of many millions of iPhone, iPad, and iPod Touch users. A flaw, baked into the latest mobile operating system iOS 7, potentially could give a hacker plain visibility into your email and other messages you otherwise had reason to believe were transmitted in an encrypted (Secure Sockets Layer, or SSL) format.

Guess what: that SSL protection apparently had failed in this iOS version.

It gets worse: Apple also said a similar vulnerability exists in its OS X operating system for desktop and laptop computers.

Apple on Friday issued a patch for its mobile iOS flaw. The OS X patch has yet to be released.

Questions explode: how much risk have you incurred? What do you need to do now? Should you download, and trust, the patch?

According to CrowdStrike, a security company that has blogged extensively about this iOS vulnerability, in a worst case scenario a criminal could exploit that flaw and literally take control of a victim's device.

In other scenarios, the flood of private data going out of the phone, such as email, Tweets and Web browsing, would be visible to an attacker.

How did this happen? How did Apple fumble security so grievously? Pierluigi Stella, chief security officer at security company Network Box USA, said that the flaw is "the fruit of what appears to be a gross programming oversight. Apple themselves admit that the issue is caused by a 'failure to validate the authenticity of the connection.' Wow Apple; where were you when this code was being written?"
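The article does not show the defect itself; the publicly disclosed cause was a duplicated `goto fail;` line in the handshake's signature-verification routine. The following added example (not Apple's code, and not from this article) reproduces that control-flow shape in a toy verifier with a constructed stand-in signature check, beside the corrected version, to show why a forged signature was accepted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real signature check over the handshake:
 * the "signature" verifies only if it equals the expected bytes.
 * Returns 0 on success, non-zero on failure (the same convention as the
 * real routine, where 0 meant "verified"). */
static int check_signature(const uint8_t *expected, const uint8_t *sig, size_t len)
{
    return memcmp(expected, sig, len) == 0 ? 0 : -1;
}

/* Shape of the publicly disclosed defect: a duplicated "goto fail;" jumps to
 * the exit label unconditionally while err is still 0, so the signature check
 * after it never runs and an unverified handshake is reported as success. */
int verify_key_exchange_buggy(const uint8_t *expected, const uint8_t *sig, size_t len)
{
    int err = 0;
    if (len == 0) { err = -1; goto fail; }   /* earlier steps, simplified */
        goto fail;                           /* the extra line: what follows is unreachable */
    if ((err = check_signature(expected, sig, len)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected version: every path to "fail" sets err first, and the
 * signature check is actually reached. */
int verify_key_exchange_fixed(const uint8_t *expected, const uint8_t *sig, size_t len)
{
    int err = 0;
    if (len == 0) { err = -1; goto fail; }
    if ((err = check_signature(expected, sig, len)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    const uint8_t good[4] = {1, 2, 3, 4};      /* constructed expected value */
    const uint8_t forged[4] = {9, 9, 9, 9};    /* constructed bad signature */
    printf("buggy accepts forged signature: %s\n",
           verify_key_exchange_buggy(good, forged, 4) == 0 ? "yes" : "no");
    printf("fixed accepts forged signature: %s\n",
           verify_key_exchange_fixed(good, forged, 4) == 0 ? "yes" : "no");
    return 0;
}
```

A compiler's unreachable-code warning (clang's -Wunreachable-code, for example) and a unit test that feeds a deliberately bad signature both catch this class of slip before it ships.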

As for your personal vulnerability, do note: this flaw kicks in only if an attacker has control of the same transmission network you are using (typically WiFi, although some researchers say the same access could be gotten by a criminal who has control over a cellular data network). In practical terms, this means if you have used public WiFi, at a coffee shop, in an airport, at a hotel, in a university cafeteria, you may have had data intercepted and an attacker may have gotten significant visibility into your device.

If you never use public WiFi and have only used your carrier's cellular data network, there are no worries.

What if you have walked on the wireless wild side, frequently using WiFi, both to save money and also in many cases to gain speed? That does not mean you have been compromised. What it does mean is that good advice is to think back to when and where you used public WiFi, and then ask whether anything unusual happened afterward.

Heavy users of public WiFi are advised by many security experts to download that iOS security patch but also to change all important passwords. Changing the passwords is a prophylactic measure but the truth is, many security experts advise doing it every month anyway, just as a precaution in an era of ever more breaches.

Don't think that because you use a lot of public WiFi that you are necessarily toast. Security expert Philip Lieberman said, "The flaw is real, but the probability of this flaw being exploited is extremely low."

His contention: a hacker would need real skill and a certain amount of luck to exploit that flaw, real as it is, in ways that cause meaningful harm to victims. Lieberman is not dismissing the dangers, and he urged users to download the security patch, but his point is that "the planets need to align" for a criminal to make profitable use of the flaw against a particular user.

You haven't downloaded the patch (it takes just a few minutes)? Advice from Tanuj Gulati, founder and chief technology officer of Securonix, is: "Treat any unpatched device the same way you would treat a public computer."

Don't do banking, don't do anything that requires high security on an unpatched device, he said.

Some experts also advise shifting off Apple's Safari browser, at least temporarily, on OS X systems.

Bottom line: download the patch, ASAP, and probably you will be fine. Probably.

--Written by Robert McGarvey for MainStreet
