Apple, SSL, and the Importance of Updating Your Software

Before we begin: please take a minute to update all of your iOS devices to the latest iOS version, iOS 7.0.6. Do that now. It takes five minutes. I’ll wait.

Done? Good. Here’s why you needed that update: Apple’s iOS and OS X operating systems, the software that makes your iPhone an iPhone and your Mac a Mac, had a coding error that undermined basic security features protecting your data from hackers. Fortunately, Apple was quick to issue a patch (which, may I remind you, should be downloaded now). Coincidentally, this happened while Mobile World Congress, the largest mobile conference in the world, is taking place, and it demonstrates that our reliance on mobile technology and the Internet of Things creates more need than ever for strong security measures.

What Happened?

Experts in the field have theorized that the flaw was the result of human error: there was an extra line of code in the ecosystem’s Secure Sockets Layer (SSL) implementation. This layer essentially acts as a signal that allows a browser, like Safari, to verify its identity to a server. SSL acts as the electronic equivalent of a secret handshake between two people who’ve never met before.

But that extra line of code completely sidelined the secret handshake. The point is that the flaw left SSL unable to verify who was who when connecting to servers, leaving you, the consumer, open to a “man in the middle” attack.
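A simplified C sketch of how one extra line can sideline a check like this, added here for illustration. It is not Apple's code: the function names, the string comparison standing in for signature verification, and the sample values are all constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for handshake steps; 0 means success. */
static int hash_update(const char *params) { return params ? 0 : -1; }
static int check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;  /* placeholder, not real crypto */
}

/* Flawed: the second "goto done" is not governed by the if, so it always
 * runs. The signature check below is never reached, and err still holds
 * 0 (success) from hash_update(). */
int verify_flawed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto done;
    goto done;  /* the extra line, shown at its true nesting level */
    if ((err = check_signature(sig, expected)) != 0)
        goto done;
done:
    return err;
}

/* Hardened: braces on every branch, and each early exit returns an explicit
 * failure, so a duplicated line would fail closed instead of open. */
int verify_hardened(const char *params, const char *sig, const char *expected) {
    if (hash_update(params) != 0) {
        return -1;
    }
    if (check_signature(sig, expected) != 0) {
        return -1;
    }
    return 0;  /* reached only when every check passed */
}

int main(void) {
    /* Constructed sample: "forged" does not match the expected signature. */
    printf("flawed   accepts forged signature: %s\n",
           verify_flawed("params", "forged", "valid") == 0 ? "yes" : "no");
    printf("hardened accepts forged signature: %s\n",
           verify_hardened("params", "forged", "valid") == 0 ? "yes" : "no");
    return 0;
}
```

The flawed function reports success for a signature that never matched, which is why a single stray line can undo the whole identity check.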

A man in the middle attack lets a person sharing the same network you’re using (say, a Starbucks or other public Wi-Fi connection) read and record any interaction between a user and a website. Sometimes these attackers can pose as the website, the user, or both in order to extract more information, usually for exploitation. In the case of Apple’s security vulnerability, everything from iMessage to mail and iCal was exposed to this attack. That means any sensitive information, from personal info to financial info, can be intercepted, read and stolen with relative ease.

So Am I Being Hacked Right Now?

In all likelihood: probably not. Man in the middle attacks often require the hacker to share the same Wi-Fi network that you’re using. They need to be close, and those who’re inclined to exploit this bug are often using public Wi-Fi networks to sift through dozens of connections at a time. While it’s not impossible, deploying such an attack on a massive scale is very difficult, even for seasoned hackers.

How Do I Make Sure I’m Not Exposed?

Simple: update your iPhone, iPad and Mac computer as soon as possible. There is a new version of iOS 7 available for download now that solves this issue on iPhones and iPads. Apple has also released an update for the Mac OS, called OS X version 10.9.2. Otherwise, the best thing you can do is to avoid using public Wi-Fi networks, and avoid using the default Mac Safari browser, email client, iCalendar, iMessage and other Apple software products while on public networks.

Here are a few additional tips to keep in mind going forward:

  • Always update: This goes for all software and not just Apple products—always run updates as soon as you can. Staying up to date with the latest version of your software, from a security standpoint, is a necessity. Updates often include security patches and new features that can protect your devices from attacks.
  • Avoid using public Wi-Fi networks: While convenient, publicly available Wi-Fi connections are often unmonitored and are frequent targets of hackers. Using a comprehensive security suite, like McAfee LiveSafe™ service, can help protect your personal devices, including smartphones, tablets, PCs, and Macs, from cybercriminals.
  • Update passwords frequently: By frequently updating your passwords you put up another roadblock in front of hackers. And today there’s very little reason to not update them frequently. McAfee SafeKey, a password manager, included in McAfee LiveSafe, can generate complex passwords, remember them for you and log you into accounts automatically.