If you're in any doubt whether last week's iOS update is worthwhile, take heed of this warning. Trustwave, a provider of on-demand and subscription-based information security and PCI DSS compliance services, found during testing by its SpiderLabs team that mobile Safari would silently accept a forged SSL certificate, instead of warning the user that the certificate received from the remote HTTPS site had been signed by an authority it should never have trusted.
The flaw lay in how iOS validated the certificate chain. It checked that each certificate was signed by the one above it, but not that the signer was itself authorised to act as a certificate authority (the X.509 basicConstraints CA flag). Any holder of an ordinary, validly issued server certificate could therefore sign a certificate for any hostname, and iOS would treat the result as valid.
Trustwave SpiderLabs alerted Apple immediately and, in near record time, Apple released iOS 4.3.5 on July 25th to patch the hundreds of millions of iPhones, iPads and iPod touches in the field.
Officially the update covers the iPhone 3GS and iPhone 4, the iPod touch (3rd generation and later) and the iPad. Apple also warned that "Other attacks involving X.509 certificate validation may also be possible." The iPhone 3G is not supported by iOS 4.3.x and so does not receive this fix.
The issue affects anyone who uses an iOS device to reach banking sites, whether through the browser or a bank's own app, to read Gmail, or to interact with social media. X.509 certificates are what authenticate the server in an SSL/TLS connection; with that check silently broken, users following shortened links from Twitter or opening phishing emails may never realise they have been directed to a hostile site.
The vulnerability was discovered by Paul Kehrer of Trustwave's SSL team. Having found a way to sign an SSL certificate that iOS treated as valid, the team crafted a certificate for a target site and, from a position on the network path between the device and that site, captured and decrypted the traffic of applications that trusted it. No warning is shown to the end user, so the attack leaves no visible trace on the device.
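As an added illustration, and not code from Trustwave or Apple, the Go program below builds the situation described above. A trusted root issues an ordinary CA:FALSE server certificate to attacker.example; the holder of that certificate then uses its private key to sign a certificate for www.bank.example. A validator that only follows signatures up the chain accepts the rogue certificate; one that also checks each signer's basicConstraints CA flag, the check the vulnerable iOS builds omitted, rejects it. Every name here is made up, keys are generated fresh on each run, and Go 1.15 or later is assumed for ecdsa.VerifyASN1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs a certificate for it with issuerKey; a nil
// issuer means self-signed. isCA sets the basicConstraints CA flag, the one field
// that separates a CA certificate from an ordinary server certificate in this demo.
func issue(cn string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// signatureOnlyCheck models the broken validator: each certificate must be signed
// by the next one in the chain, and nothing else is asked of the signer.
func signatureOnlyCheck(leaf *x509.Certificate, chain []*x509.Certificate) error {
	for _, issuer := range chain {
		pub := issuer.PublicKey.(*ecdsa.PublicKey) // all keys in this demo are ECDSA
		digest := sha256.Sum256(leaf.RawTBSCertificate) // P-256 certs are signed ECDSA-with-SHA256
		if !ecdsa.VerifyASN1(pub, digest[:], leaf.Signature) {
			return fmt.Errorf("bad signature on %q", leaf.Subject.CommonName)
		}
		leaf = issuer
	}
	return nil
}

// properCheck asks the missing question before trusting a signature: is the signer a CA?
func properCheck(leaf *x509.Certificate, chain []*x509.Certificate) error {
	for _, issuer := range chain {
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return fmt.Errorf("%q signed %q but is not a CA", issuer.Subject.CommonName, leaf.Subject.CommonName)
		}
		if err := leaf.CheckSignatureFrom(issuer); err != nil { // also enforces keyUsage certSign
			return err
		}
		leaf = issuer
	}
	return nil
}

// RunScenario returns the verdicts on the honest chain (proper check) and on the
// rogue chain (signature-only check, then proper check).
func RunScenario() (honestProper, rogueSigOnly, rogueProper error) {
	// A trusted root and a legitimate CA:FALSE server certificate it issued to the
	// attacker's own domain. Any site owner can obtain such a certificate.
	root, rootKey := issue("Example Trusted Root", true, nil, nil)
	site, siteKey := issue("attacker.example", false, root, rootKey)
	// The attack: the server key signs a certificate for a host the attacker does
	// not control. Nothing stops the signing; only the verifier can object.
	rogue, _ := issue("www.bank.example", false, site, siteKey)
	return properCheck(site, []*x509.Certificate{root}),
		signatureOnlyCheck(rogue, []*x509.Certificate{site, root}),
		properCheck(rogue, []*x509.Certificate{site, root})
}

func main() {
	honest, rogueSigOnly, rogueProper := RunScenario()
	fmt.Printf("honest chain: %v\nrogue chain, signature-only: %v\nrogue chain, with CA check: %v\n", honest, rogueSigOnly, rogueProper)
}
```

Running it prints `<nil>` for the honest chain and for the rogue chain under the signature-only check, which is exactly the silent acceptance described above, and a "not a CA" error once the CA flag is consulted. Go's own x509.Verify would reject the rogue chain for the same reason, because CheckSignatureFrom refuses a parent whose basicConstraints do not mark it as a CA.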
SpiderLabs warned that the issue was serious, but the speed with which Apple addressed it is a positive illustration of Apple's ability to react quickly to significant code defects. No comparable protection exists for users who install malware-distributing apps from the Android marketplace, or for jailbroken iOS devices, which typically cannot take official updates as soon as they ship.
The recommendation is clear: keep your iPhone on Apple's latest iOS release (Settings > General > About should show version 4.3.5 or later) and don't risk a jailbroken device. Users are looking forward to iOS 5, which is reported to install point releases without the back-up, wipe and restore of the entire device that an upgrade currently requires.
AusCERT published the issue as security bulletin ESB-2011.0773, "[Apple iOS] Apple iOS: Access privileged data".