Tag Archive: iPhone Unlocking


Apple Fixes “Fundamental” SSL Bug in iOS 7

Apple quietly released iOS 7.06 late Friday afternoon, fixing a problem in how iOS 7 validates SSL certificates. Attackers can exploit this issue to launch a man-in-the-middle attack and eavesdrop on all user activity, experts warned.

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said in its advisory.

Users should update immediately.

Watch Out for Eavesdroppers
As usual, Apple didn’t provide a lot of information about the issue, but security experts familiar with the vulnerability warned that attackers on the same network as the victim would be able to read secure communications. In this case, the attacker could intercept, and even modify, the messages as they pass from the user’s iOS 7 device to secured sites, such as Gmail or Facebook, or even for online banking sessions. The issue is a “fundamental bug in Apple’s SSL implementation,” said Dmitri Alperovitch, CTO of CrowdStrike.

The software update is available for the current version of iOS for iPhone 4 and later, 5th generation iPod Touch, and iPad 2 and later. The fixed versions are iOS 7.06 and iOS 6.1.6. The same flaw exists in the latest version of Mac OS X but has not yet been patched, Adam Langley, a senior engineer at Google, wrote on his ImperialViolet blog. Langley confirmed the flaw was also in iOS 7.0.4 and OS X 10.9.1.

Certificate validation is critical in establishing secure sessions, as this is how a site (or a device) verifies that the information is coming from a trusted source. By validating the certificate, the bank website knows that the request is coming from the user, and is not a spoofed request by an attacker. The user’s browser also relies on the certificate to verify the response came from the bank’s servers and not from an attacker sitting in the middle and intercepting sensitive communications.

Update Devices
It appears Chrome and Firefox, which use NSS instead of SecureTransport, aren’t affected by the vulnerability even if the underlying OS is vulnerable, Langley said. He created a test site at https://www.imperialviolet.org:1266. “If you can load an HTTPS site on port 1266 then you have this bug,” Langley said.

Users should update their Apple devices as soon as possible and, when the OS X update is available, apply that patch as well. The updates should be applied while on a trusted network, and users should really avoid accessing secure sites while on untrusted networks (especially Wi-Fi) while traveling.

“On unpatched mobile and laptop devices, set ‘Ask to Join Networks’ setting to OFF, which will prevent them from showing prompts to connect to untrusted networks,” wrote Alex Radocea, a researcher from CrowdStrike.

Considering recent concerns about the possibility of government snooping, the fact that iPhones and iPads were not validating certificates correctly can be alarming for some. “I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control,” Matthew Green, a cryptography professor at Johns Hopkins University, posted on Twitter.


Source: PC World Security Watch

Apple poised for iPhone 5 launch

Technology giant Apple has fuelled rumours it will launch a new version of its best-selling iPhone by announcing a “special event” only hours before two of its competitors unveiled two new devices.

The secretive firm sent out invitations for the event next week ahead of Wednesday’s announcement in New York by Nokia and Microsoft where they revealed details of two new phones which will run on Microsoft’s Windows operating system.

The Nokia Lumia 920 and Nokia Lumia 820 are the Finnish company’s attempt to claw back lost ground since it lost its position as the world’s biggest phonemaker to Samsung.

The firm described the 920 as its “flagship” product and it boasts a high powered camera described as the equivalent of “a standalone SLR camera” and can be recharged without being plugged in.

The Apple emails, sent on Tuesday to selected journalists, invite them to an event on Wednesday September 12 and include the line “it’s almost here”.

It also features a figure 12 with a shadow that appears to be the number 5 – seemingly confirming the company will announce the arrival of the iPhone 5.

The events typically involve Apple executives unveiling new products at their California base – which are carried by videolink live to a central London location.

It is around a year since the firm unveiled the iPhone 4S complete with voice recognition software and an A5 chip allowing it to use much faster graphics for gameplay and to download data twice as fast.

The 4S also has an eight megapixel camera with five lenses, one more than the iPhone 4, which results in sharper pictures and allows users to take HD video.

The new phone is expected to sell well. Thousands of gadget fans queued to get their hands on the iPhone 4S when it first went on sale.

Source: The Press Association