Here's What You Should Know About Apple's Security Weakness

The Citizen's Guide to the Future
Feb. 24 2014 2:28 PM


Over the weekend you may have heard some stuff about Apple software and a vulnerability that would allow hackers to see into your online soul. You may have been concerned. You may have questioned whether it was safe to do online banking at home from your MacBook Air. Or you may have been totally oblivious because news/the world does not exist on the weekend. Both are reasonable! But now it's Monday so it's time to get down to business and study up ... instead of working.

Lily Hay Newman

Lily Hay Newman is lead blogger for Future Tense.

This seems scary. What's happening?


On Friday night (a favorite time to release bad news masquerading as benign news), Apple released iOS 7.0.6. The posting noted, "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred." But the update explained, "An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. ... This issue was addressed by restoring missing validation steps." What they're trying to say is that validation steps for a standard encryption method weren't happening, so the encryption wasn't secure and people might have been able to see in. Put even more simply: bad things.

The encryption process in question here is Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Both work to encrypt the communication between a browser, like Apple's Safari, and the servers that drive websites. People often describe this type of encryption as a "digital handshake," where both sides meet and swap verification keys as a quick trust check. In this case with iOS, a mistake in the code was causing the encryption to skip a bunch of verifications if an initial test was successful, which it pretty much always would be. This meant that your browser would think it had a secure connection even though it really could be communicating with any server, including a malicious one.
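The skipped-verification mistake described above, modeled as an added example in C (not Apple's code and not part of the original article): a stray unconditional jump after the first test sends the function to its exit with a success code before the signature check ever runs. The struct, function names, and sample values are constructed for illustration.

```c
#include <stdio.h>

/* Constructed model of a handshake: each field says whether a step would pass. */
typedef struct {
    int hash_ok;       /* the initial step, which almost always succeeds */
    int signature_ok;  /* whether the server's signature really verifies */
} handshake;

static const handshake GENUINE = {1, 1};  /* constructed sample: real server */
static const handshake FORGED  = {1, 0};  /* constructed sample: bad signature */

/* Hypothetical stand-ins for the real cryptographic steps; 0 means success. */
static int hash_params(const handshake *h)     { return h->hash_ok ? 0 : -1; }
static int check_signature(const handshake *h) { return h->signature_ok ? 0 : -1; }

/* Flawed: a stray second jump runs whenever the first test succeeds. */
int verify_buggy(const handshake *h)
{
    int err;
    if ((err = hash_params(h)) != 0)
        goto done;
    goto done;  /* stray unconditional jump: err is 0 here, so "success" */
    if ((err = check_signature(h)) != 0)  /* never reached */
        goto done;
done:
    return err;
}

/* Corrected: the validation step is restored, and braces keep it guarded. */
int verify_fixed(const handshake *h)
{
    int err;
    if ((err = hash_params(h)) != 0) {
        goto done;
    }
    if ((err = check_signature(h)) != 0) {
        goto done;
    }
done:
    return err;
}

int main(void)
{
    printf("buggy accepts forged: %s\n", verify_buggy(&FORGED) == 0 ? "yes" : "no");
    printf("fixed accepts forged: %s\n", verify_fixed(&FORGED) == 0 ? "yes" : "no");
    printf("fixed accepts genuine: %s\n", verify_fixed(&GENUINE) == 0 ? "yes" : "no");
    return 0;
}
```

A test that feeds the verifier a deliberately invalid signature and expects rejection catches this kind of flaw, because the buggy path only ever fails when the first step fails.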

Great, now this seems even scarier. What should I do?

You should update the software on your iDevices right now. Don't wait. Apple's 7.0.6 update is a patch that resurrects the steps in the SSL/TLS verification system that have been missing. It prevents you from being vulnerable to the type of attack hackers could use to peer into your digital life. They're called "man in the middle" attacks, and they basically route you through a malicious server for surveillance on your way to the site you wanted, like your bank's website. That way the hackers can see everything you're doing and collect the data over time if they want to.

You can tell that this vulnerability is serious because Apple released an iOS 6 update called 6.1.6 that will fix the flaw for people using iDevices that are too old to upgrade to iOS 7. Those are devices Apple wants people to replace, running an operating system Apple is trying to phase out. And it's still getting this fix. That means this is a very real threat.

The issue right now is that Macs running OS X are affected as well, and Apple hasn't released a fix yet. Spokesperson Trudy Muller told Reuters on Saturday, "We are aware of this issue and already have a software fix that will be released very soon." When it does arrive, you should download that update on all of the iMacs and assorted MacBooks you can. And tell your friends.

And in the meantime?

Once you've updated your iDevices, you'll be good to go on those. On your Mac you should start browsing with Chrome, Firefox, or another third-party browser if you don't already. Avoid Safari because it is known to be compromised. As Forbes reports, other apps like iMessage, Apple's Twitter client, Mail, Facetime, iCal, and more may be affected. Try to do everything you can in a non-Safari browser or on an updated iDevice, and use secure networks (your home Internet, not the free Wi-Fi at Starbucks) until a patch comes out.

Maybe I don't want to know, but how long has this been going on?

Yeah, you don't want to know. This vulnerability has apparently existed since iOS 6, which was released in September 2012. So about 18 months. Additionally, Apple reserved the Common Vulnerabilities and Exposures code (a public index of vulnerabilities) for this security flaw on Jan. 8. It's not clear what the company knew when, but that was almost seven weeks ago.

This is just depressing. Are we done now?

Yes. Oh, one more thing. Today is Steve Jobs' birthday.

Future Tense is a partnership of Slate, New America, and Arizona State University.
