Apple hides a serious security flaw behind arcane language
Apple revealed on Friday that its mobile operating system has a critical flaw that could allow hackers and government officials to intercept ostensibly secure communications between the company's smartphones, tablets, and the Web.
The vulnerability allows anyone on the same unprotected WiFi network as their target to impersonate secure websites like Facebook or Google and read or alter information as it travels to those sites. Apple has released an update meant to fix the problem on recent iPhone and iPad models, but older devices and the company's desktop computers are still at risk.
The revelation demonstrates the ease with which digital security can be undermined -- and the extent to which consumers are kept ignorant of significant problems with "secure" tools.
This vulnerability wasn't caused by an attempt to create some breakthrough security tool; it was caused by a faulty implementation of an industry standard that has been around for nearly two decades. That ineptitude has exposed the communications of hundreds of millions of consumers around the world. Yet this is the company entrusted with our credit card information, addresses, and fingerprints.
But the vulnerability itself isn't as damning as Apple's unwillingness to clearly communicate the problem to its customers. This is how the company described the flaw and its corresponding update:
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
Terms like "privileged network position," "sessions protected by SSL/TLS," and "restoring missing validation steps" are gobbledygook to most consumers. Apple might as well have said that its magic portal may have been vulnerable to demonic infiltration, because its doohickey wasn't properly communicating with the gizmo or the who's-a-what's-it.
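For readers who want to see what "restoring missing validation steps" actually means in code: the step Secure Transport skipped was the check of the server's signature over its key-exchange parameters, and the publicly visible defect was a duplicated, unconditional "goto fail;" that jumped past that check while the error variable still held "success". The program below is an added illustration written for this page, not Apple's code; it keeps the shape of that defect and its fix but replaces the real SHA-1 and RSA/ECDSA primitives with constructed toy stand-ins (hash_ctx, raw_verify, toy_sign) and constructed handshake fields, so it compiles and runs offline. A server signature that a man-in-the-middle could never produce is accepted by the vulnerable routine and rejected by the corrected one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy hash and signature stand-ins, constructed for this illustration.
 * The real library hashes with SHA-1 and then verifies an RSA or ECDSA
 * signature using the public key from the server's certificate. */
typedef struct { uint32_t state; } hash_ctx;

static int hash_init(hash_ctx *c) { c->state = 2166136261u; return 0; }
static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 16777619u; }
    return 0;
}
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->state; return 0; }
/* Toy "signature": the digest a genuine server computed over the same fields. */
static int raw_verify(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : -1; }

/* Defective shape: err is only ever assigned by the calls above the stray
 * goto, so when they all succeed the function jumps to fail with err == 0
 * and reports "verified" without raw_verify() ever running. */
static int verify_signed_params_vulnerable(const uint8_t *cr, size_t crn,
                                           const uint8_t *sr, size_t srn,
                                           const uint8_t *sp, size_t spn,
                                           uint32_t sig)
{
    hash_ctx ctx;
    uint32_t digest = 0;
    int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, crn)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, srn)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sp, spn)) != 0)
        goto fail;
        goto fail;   /* duplicated line: indented like the others, but unconditional */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Corrected routine: identical except the duplicated line is gone. */
static int verify_signed_params_fixed(const uint8_t *cr, size_t crn,
                                      const uint8_t *sr, size_t srn,
                                      const uint8_t *sp, size_t spn,
                                      uint32_t sig)
{
    hash_ctx ctx;
    uint32_t digest = 0;
    int err;

    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, crn)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, srn)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sp, spn)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* What the genuine server attaches: the digest over the same three fields. */
static uint32_t toy_sign(const uint8_t *cr, size_t crn, const uint8_t *sr,
                         size_t srn, const uint8_t *sp, size_t spn)
{
    hash_ctx ctx;
    uint32_t d = 0;
    hash_init(&ctx);
    hash_update(&ctx, cr, crn);
    hash_update(&ctx, sr, srn);
    hash_update(&ctx, sp, spn);
    hash_final(&ctx, &d);
    return d;
}

/* Constructed handshake fields (not captured traffic; real randoms are 32 bytes). */
static const uint8_t kClientRandom[] = "constructed-client-random";
static const uint8_t kServerRandom[] = "constructed-server-random";
static const uint8_t kSignedParams[] = "constructed-ephemeral-dh-params";
#define FIELD(a) (a), (sizeof(a) - 1)

/* A man-in-the-middle cannot produce the genuine value; flipping one bit of
 * it stands in for whatever bogus signature the attacker's server sends. */
static uint32_t forged_sig(void) {
    return toy_sign(FIELD(kClientRandom), FIELD(kServerRandom), FIELD(kSignedParams)) ^ 1u;
}

int forged_sig_vulnerable(void) {   /* 0: bogus signature accepted */
    return verify_signed_params_vulnerable(FIELD(kClientRandom), FIELD(kServerRandom),
                                           FIELD(kSignedParams), forged_sig());
}
int forged_sig_fixed(void) {        /* nonzero: bogus signature rejected */
    return verify_signed_params_fixed(FIELD(kClientRandom), FIELD(kServerRandom),
                                      FIELD(kSignedParams), forged_sig());
}
int genuine_sig_fixed(void) {       /* 0: the real server still verifies */
    uint32_t s = toy_sign(FIELD(kClientRandom), FIELD(kServerRandom), FIELD(kSignedParams));
    return verify_signed_params_fixed(FIELD(kClientRandom), FIELD(kServerRandom),
                                      FIELD(kSignedParams), s);
}

int main(void) {
    printf("vulnerable, forged signature: %d\n", forged_sig_vulnerable());
    printf("fixed, forged signature:      %d\n", forged_sig_fixed());
    printf("fixed, genuine signature:     %d\n", genuine_sig_fixed());
    return 0;
}
```

The defect is easy to miss in review because the duplicated line is indented as if it belonged to the preceding if; compiling with unreachable-code warnings enabled, or requiring braces on every conditional body, would have flagged the dead hash_final() and raw_verify() calls that follow it.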
The good news is that many of Apple's customers probably installed the update without question. (Apple's software updates are often installed quite quickly, even with major overhauls like those made to iOS 7. I doubt consumers hesitated to install a security update.) Assuming the company managed to fix its elementary error, those customers' devices are now secure.
The bad news is that as those customers installed the update, they probably didn't ask things like "How long did Apple know about this problem before it released this update?" or "Should I really believe that this problem has been fixed?" They've simply continued to use their phones and tablets and computers like they always have.
Considering the biggest stories of the last quarter -- Target's data breach, which gave hackers the credit card information of tens of millions of consumers, and the NSA's attempts to surveil essentially anyone with an Internet connection -- such willful ignorance is no longer acceptable.
Apple shouldn't be given a pass for this easily avoided vulnerability any more than WhatsApp should be heralded as a paragon of privacy despite its own inability to implement basic security measures. These companies are affecting hundreds of millions of people who are using their products to send personal messages, access their financial information, and otherwise interact with the digital world. Lying about those products' security, whether outright or through arcane language, isn't something to ignore.
"Apple gives security the finger," indeed.
Reactions from around the Web:
Ars Technica warns against blasé acceptance of this security flaw, especially given the popular meme that Macs are somehow impervious to malware and hacking:
It's possible there are mitigations available in OS X that make Macs less susceptible to attacks, but until there is more conclusive information available, Mac users should anticipate the very real possibility that TLS encryption in Safari, Mail, and many other apps is susceptible to attacks that are trivial to carry out.
Reuters notes that the security flaw might close the gap between independent hackers' ability to access Apple's products and the government's ability to gather information from those same devices:
[Apple] was recently stung by leaked intelligence documents claiming that authorities had 100 percent success rate in breaking into iPhones.
Friday's news suggests that enterprising hackers could have had great success as well if they knew of the flaw.
Slate remarks on how easy it is to fix the problem -- just update your iPhone or iPad to the newest version of iOS -- but things didn't work out quite as expected. After successfully updating his iPhone, Phil Plait writes:
The iPad upgrade, though, was something of a disaster. The device disconnected itself in the middle of the upgrade for some reason (I really don’t know why; I had it sitting off by itself on the corner of my desk; all I can think of is the cable got bumped). Interrupting the process is never good, and in this case it totally freaked out my iPad. I lost everything on it and it wouldn’t even show me my home screen!