Here's What You Should Know About Apple's Security Weakness

The Citizen's Guide to the Future
Feb. 24 2014 2:28 PM

Do this now.

Screencap by Lily Hay Newman.

Over the weekend you may have heard some stuff about Apple software and a vulnerability that would allow hackers to see into your online soul. You may have been concerned. You may have questioned whether it was safe to do online banking at home from your MacBook Air. Or you may have been totally oblivious because news/the world does not exist on the weekend. Both are reasonable! But now it's Monday so it's time to get down to business and study up ... instead of working.


Lily Hay Newman is lead blogger for Future Tense.

This seems scary. What's happening?


On Friday night (a favorite time to release bad news masquerading as benign news), Apple released iOS 7.0.6. The posting noted, "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred." But the update explained, "An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. ... This issue was addressed by restoring missing validation steps." What they're trying to say is that validation steps for a standard encryption method weren't happening, so the encryption wasn't secure and people might have been able to see in. Put even more simply: bad things.

The encryption process in question here is Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Both work to encrypt the communication between a browser, like Apple's Safari, and the servers that drive websites. People often describe this type of encryption as a "digital handshake," where both sides meet and swap verification keys as a quick trust check. In this case with iOS, a mistake in the code was causing the encryption to skip a bunch of verifications if an initial test was successful, which it pretty much always would be. This meant that your browser would think it had a secure connection even though it really could be communicating with any server, including a malicious one.
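The kind of mistake described above, sketched in C as an added example (a simplified model written for this explanation, not Apple's source code): once the initial step succeeds, a stray unconditional jump leaves the routine with a success code before the signature check runs. The names `handshake_t`, `hash_step`, `verify_sig`, `verify_flawed` and `verify_fixed` are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-ins for two handshake checks; 0 means success. */
typedef struct {
    int hash_ok;      /* initial step: almost always succeeds */
    int signature_ok; /* later step: does the server's signature verify? */
} handshake_t;

static int hash_step(const handshake_t *h)  { return h->hash_ok ? 0 : -1; }
static int verify_sig(const handshake_t *h) { return h->signature_ok ? 0 : -1; }

/* Flawed shape: the second goto is not guarded by the if, so it always
 * runs. When the initial step succeeded, err is still 0 and the
 * signature check below is never reached. */
int verify_flawed(const handshake_t *h)
{
    int err;
    if ((err = hash_step(h)) != 0)
        goto fail;
    goto fail;                      /* stray unconditional jump */
    if ((err = verify_sig(h)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: every jump sits inside a braced branch. */
int verify_fixed(const handshake_t *h)
{
    int err;
    if ((err = hash_step(h)) != 0) {
        goto fail;
    }
    if ((err = verify_sig(h)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    handshake_t forged = { 1, 0 };  /* constructed: signature does not verify */
    printf("flawed=%d fixed=%d\n", verify_flawed(&forged), verify_fixed(&forged));
    return 0;
}
```

The flawed routine reports success (0) for a handshake whose signature does not verify, while the corrected one returns an error. Compiler warnings for unreachable code and a test that feeds the verifier a deliberately bad signature both catch this class of defect.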

Great, now this seems even scarier. What should I do?

You should update the software on your iDevices right now. Don't wait. Apple's 7.0.6 update is a patch that resurrects the steps in the SSL/TLS verification system that have been missing. It prevents you from being vulnerable to the type of attack hackers could use to peer into your digital life. They're called "man in the middle" attacks, and they basically route you through a malicious server for surveillance on your way to the site you wanted, like your bank's website. That way the hackers can see everything you're doing and collect the data over time if they want to.

You can tell that this vulnerability is serious because Apple released an iOS 6 update called 6.1.6 that will fix the flaw for people using iDevices that are too old to upgrade to iOS 7. Those are devices Apple wants people to replace, running an operating system Apple is trying to phase out. And it's still getting this fix. That means this is a very real threat.

The issue right now is that Macs running OS X are affected as well, and Apple hasn't released a fix yet. Spokesperson Trudy Muller told Reuters on Saturday, "We are aware of this issue and already have a software fix that will be released very soon." When it does arrive, you should download that update on all of the iMacs and assorted MacBooks you can. And tell your friends.

And in the meantime?

Once you've updated your iDevices, you'll be good to go on those. On your Mac you should start browsing with Chrome, Firefox, or another third-party browser if you don't already. Avoid Safari because it is known to be compromised. As Forbes reports, other apps like iMessage, Apple's Twitter client, Mail, FaceTime, iCal, and more may be affected. Try to do everything you can in a non-Safari browser or on an updated iDevice, and use secure networks (your home Internet, not the free Wi-Fi at Starbucks) until a patch comes out.

Maybe I don't want to know, but how long has this been going on?

Yeah, you don't want to know. This vulnerability has apparently existed since iOS 6, which was released in September 2012. So about 18 months. Additionally, Apple reserved the Common Vulnerabilities and Exposures code (a public index of vulnerabilities) for this security flaw on Jan. 8. It's not clear what the company knew when, but that was almost seven weeks ago.

This is just depressing. Are we done now?

Yes. Oh, one more thing. Today is Steve Jobs' birthday.

Future Tense is a partnership of Slate, New America, and Arizona State University.
