The Inquirer-Home

IOS vulnerability can compromise secure communications

Testing times for testy operating systems
Wed Jul 27 2011, 15:28

A RECENTLY DISCLOSED IOS vulnerability can be exploited by attackers to compromise SSL-protected communications on devices that haven't been upgraded to the most recent version of Apple's mobile operating system.

The vulnerability, identified as CVE-2011-0228, was the sole reason for the release of IOS 4.3.5 and IOS 4.2.10 earlier this week. It stems from a bug in the validation of X.509 certificates and allows attackers to spoof SSL-protected websites.

According to security researcher Gregor Kopf of Recurity Labs, who discovered the flaw together with Paul Kehrer of Trustwave's Spiderlabs, the IOS implementation of the X.509 standard fails to properly check an important part of public key SSL certificates.

In simpler terms, Apple's mobile platform doesn't check whether it's dealing with a CA certificate or a regular one, and that's a big deal because Certificate Authority (CA) certs can be used for issuing others.

"Not checking the CA bit of a certificate basically means that every end-entity certificate can be used to sign further certificates," Kopf explains. For example, an attacker can legitimately obtain a certificate for a domain they own and use it to sign one for, say, paypal.com. Yikes!

They can then position themselves between a target IOS device and its Internet gateway and spoof the paypal.com website successfully. Because of this vulnerability, the mobile Safari browser would see the rogue certificate as valid and fail to issue a warning.
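The check Kopf describes can be shown with a simplified model of certificate chain validation. This is an added example, not code from the original article or from Apple; `Cert`, `validate_chain` and every certificate name are hypothetical, and signature and validity-period checks are assumed to have already passed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Simplified model: only the X.509 fields that matter for this check."""
    subject: str
    issuer: str
    is_ca: bool = False             # basicConstraints cA flag (the "CA bit")
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint

def validate_chain(chain, trusted_roots, check_basic_constraints=True):
    """chain[0] is the leaf; chain[-1] must be issued by a trusted root.
    Signature and validity-period checks are assumed to have passed.
    Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[-1].issuer not in trusted_roots:
        return False, "chain does not end at a trusted root"
    for depth in range(len(chain) - 1):
        cert, signer = chain[depth], chain[depth + 1]
        if cert.issuer != signer.subject:
            return False, f"{cert.subject} was not issued by {signer.subject}"
        if not check_basic_constraints:
            continue  # models the flawed validator: any certificate may sign
        if not signer.is_ca:
            return False, f"{signer.subject} is not a CA but signed {cert.subject}"
        # depth == number of intermediate CA certificates below the signer
        if signer.path_len is not None and depth > signer.path_len:
            return False, f"{signer.subject} exceeds its pathLenConstraint"
    return True, "ok"

# Constructed sample data (all names hypothetical)
ROOTS = {"Example Root CA"}
ISSUING_CA = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
SITE = Cert("www.site.example", "Example Issuing CA")
# End-entity certificate legitimately issued for a domain its holder owns ...
OWNED = Cert("owned-domain.example", "Example Issuing CA")
# ... then used as if it were a CA to sign a certificate for another site.
SPOOFED = Cert("bank.example", "owned-domain.example")
SPOOFED_CHAIN = [SPOOFED, OWNED, ISSUING_CA]

if __name__ == "__main__":
    print(validate_chain([SITE, ISSUING_CA], ROOTS))
    print(validate_chain(SPOOFED_CHAIN, ROOTS, check_basic_constraints=False))
    print(validate_chain(SPOOFED_CHAIN, ROOTS))
```

With the check disabled the spoofed chain validates; with it enabled the chain is rejected at the end-entity certificate that acted as a signer.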

There are even specialised tools that make pulling off such man-in-the-middle attacks significantly easier. One of them is Moxie Marlinspike's sslsniff tool, which just got updated to support IOS fingerprinting. Launching an attack to intercept all SSL web traffic from a vulnerable Iphone with sslsniff requires just a single command.

Updating to the newly released IOS versions would solve the problem, but a lot of users with jailbroken Idevices probably won't do it. There is a jailbreak method available for IOS 4.3.5, except for the Ipad 2, but it is tethered. This makes it rather impractical, because if your device reboots and you're not near a computer, you're pretty much out of luck.

Users who don't want to upgrade - although they should - are advised to at least avoid accessing sensitive accounts while connecting through open WiFi access points or other untrusted networks, even if those websites have SSL protection. µ

Comments
Not a Cisco router issue then

Wow, I thought when first reading the title, IOS the Cisco OS used on their routers and switches has been compromised. That's going to be a major problem. Forgetting that Apple decided to call their mobile OS the same thing after paying Cisco a licence fee.

The story inside not so exciting. Apple mobile OS has a vulnerability, Shock horror....

posted by : Mat, 28 July 2011