We weren’t kidding when we said that the Internet was abuzz with internet security concerns in a recent blog about password management, and Friday made that all the more clear as Apple released iOS 7.0.6. The update was released quietly, simply stating that prior to the update, “an attacker with privileged network position may capture or modify data in sessions protected by SSL/TLS.” What does this mean to those of us who aren’t fluent in the lingo? Update your iPhone immediately!
But what does this all mean if you’re not super techie? We’ll spell it out for you.
SSL? TLS? What’s All That?
A Secure Sockets Layer (SSL) is there to protect the connection between your browser and the website servers that you browse online. It makes sure that all of the communication between your device and networks like Facebook, Gmail, and online retailers is kept private. Transport Layer Security (TLS) is the next evolution of SSL—just a new and improved tool that’s meant to keep your information safe. You might have noticed when you log into your online banking, for example, that there’s a tiny lock icon in your search browser—that’s the SSL/TLS letting you know that your connection is secure.
This security protocol is like a body guard for your personal information: it verifies that networks you’re trying to connect to confirm that they’re who you think they are before they’re allowed access to your details. So what happens if your SSL/TLS security fails? Well, if your browser can’t confirm that it’s sharing your information with a secure server, then it can share your information with anyone who asks for it. This opens the virtual door to something called a Man in the Middle Attack, and that's exactly what iOS 7.0.6 has been doing.
A Man in the Middle Attack?!
Also known as an MitM for short, it’s basically someone who’s listening in on your digital conversations. Imagine you’re at Starbucks, using their free WiFi. A MitM attacker can use that public network to jump right into your online communications and monitor and record everything you’re doing in real-time.
Essentially, a complete stranger can pull up a chair, kick back, and relax while they take down all of your information that you’re sharing online from your phone while you think your connection is secure.
While this is an oversimplified illustration, it shows what happens when your security is compromised. Attacks like this are usually made too difficult for a hacker to bother with, because of the SSL/TLS in place. However, because of the glitch in Apple’s iOS, the “privileged network position” they’re talking about is simply any public network that you connect to.
What does that mean? It means that guy sipping a latte in the chair next to you could very well be tracking everything you’re doing online right now.
How Long Has This Been a Problem?
The bug has seemingly been ongoing for a year and a half, which is seriously disturbing. And although it’s been patched for iOS, it’s still a problem for OS X, leaving Mac users vulnerable. As long as you’ve updated to 7.0.6, your iPhone, iPad and iPod will be safe, so at least there’s that.
Apple’s not talking too much about how this all happened, which certainly makes sense. For those of you who are super tech savvy, Adam Langley of Google explains the bug in detail in his blog, but the gist of it is that there was one extra line amidst almost 2,000 in total.
How Can I Protect Myself?
For those of you using an iPhone 5S, 5, 4S, or 4, download iOS 7.0.6 right now. If you’re using a 3GS or an older iPod touch, download iOS 6.1.6.
For those of you using OS X, unfortunately there’s no real fix. It’s especially problematic now that the bug has been all over the news, and there’s no patch. If bad guys out there weren’t already aware of the vulnerability, they certainly are now. Chrome and Firefox are both unaffected by the bug on OS X, so if you’re going to browse the internet, it’s best do use either of those browsers. Also, make sure you only access the internet from secured networks. Avoid connecting to public networks from your computer, but if you have to, don’t do anything that requires you to give out your personal information (logging into email/social networks, online shopping, etc.).