Stopping Rotten Apple Man-in-the-Middle Attacks
By Lisa Phifer
7/3/2014, 10:07 AM
If you are an apple iOS user, take a few minutes right now to install last week’s patch to fix a glaring SSL certifiate handling error that left over 700 million iPhones, iPads, Apple TVs and Macs vulnerable to Man-in-the-Middle (MitM) attack.
Here’s why: The Apple iOS 6.x and 7.x SSL/TLS library function SSLVerifySignedServerKeyExchange, used by applications such as Safari to validate SSL server certificates, has been asleep on the job for the past six months. Due to the unfortanate repitition of one line of code “goto fail,” the function stops checking certificate validity about halfway through, jumping right over code which should verify the server’s signature. The CVE that details this vulnerability is futher summarized in a recent National Vulnerability Database release.
As a result, SSL clients on devices running Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 may connect to phony SSL servers without detection. This makes it easy for attacker to masquerade as a legit SSL server and perform a plethora of MitM attacks, from intercepting supposedly-encrypted data to hijacking supposedly-authenticated TCP sessions.
Open WLANs make for an especially good MitM attack venue, since phony servers can be hosted on Evil Twin access points (APs). However, MitM attacks can also be facilitated by ARP redirection and DNS cache poisoning. Once an SSL client’s traffic is routed to the phony SSL server, last week’s iOS bug renders the recommended practice for avoiding MitM attacks – mandatory strong server authentication – ineffective.
The impact of this error is fairly broad because any application which uses this function shares this vulnerability – including not just Safari but any iOS application that rides over SSL/TLS. Moreover, this vulnerability can’t be mitigated by adding another form of encryption, such as VPN tunneling. Client devices must be updated to eliminate this trust gap.
Fortunately, news of this patch traveled fast, and wireless carriers quickly made Apple’s patch available for over-th-air installation. As of today, an estimated 77 percent of iOS devices run version 7.x, while another 17 percent run 6.x, leaving less than 6 percent running older iOS versions unaffected by this bug. Over the past week, approximately 40 percent of iOS devices upgraded to version 7.0.6, which patches this SSL certification validation problem. Unfortunately, that still leaves hundreds of millions of unpatched iOS devices out there.
Organizations with Mobile Device Management in place may have direct visibilty into and control over a fair number of these clients. However, many clients not yet updated are likely to be unmanaged BYODs. WLAN administrators can help to close this gap by using a Wireless IPS to assess their own wireless client population, using 24/7 monitoring to detect the vendor and OS version and then identify and trend the workplace clients that still need to be patched. A Wireless IPS can also be helpful to detect the presence of an Evil Twin AP that may be trying to take advantage of unpatched clients.
While Apple moved quickly to shut down this particular vulnerability, the events of the past week should also serve as a wake-up call. Organizations must be prepared to encourage rapid mobile device OS patching in the aftermath of future major vulnerabilities, and to audit results to enable identification, location, and action to bring those vulnerable stragglers along. NETSCOUT AirMagnet Enterprise customers are already well-positioned, with infrastructure in place to meet these needs – in this case, helping to weed out those remaining rotten apples.
Related WLAN Resources
Visit our resource center for BYOD, download white papers, watch webinars, and more
Continue to our AirWise Community Blog - a resource for wireless network technology