Apple security flaw could allow hackers to beat encryption

Reuters

A woman speaks on her iPhone as she walks on a busy street in downtown Shanghai September 10, 2013. REUTERS/Aly Song

By Joseph Menn

SAN FRANCISCO (Reuters) - A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.

If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited.

But a statement on its support website was blunt: The software "failed to validate the authenticity of the connection."

Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.

After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OS X, which runs on Apple laptop and desktop computers. No patch is available yet for that operating system, though one is expected soon.

Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.

The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.

Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple's stature and technical prowess.

The company was recently stung by leaked intelligence documents claiming that authorities had a 100 percent success rate in breaking into iPhones.

Friday's news suggests that enterprising hackers could have had great success as well if they knew of the flaw.

(Reporting by Joseph Menn; Editing by Ken Wills and Robert Birsel)
