Slashdot Mirror


Sniffer Hijacks SSL Traffic From Unpatched IPhones

CWmike writes "Almost anyone can snoop the secure data traffic of unpatched iPhones and iPads using a recently-revised nine-year-old tool, a researcher said as he urged owners to apply Apple's latest iOS fix. If iOS devices aren't patched, attackers can easily intercept and decrypt secure traffic — the kind guarded by SSL, which is used by banks, e-tailers and other sites — at a public Wi-Fi hotspot, said Chet Wisniewski, a security researcher with Sophos. 'This is a nine-year-old bug that Moxie Marlinspike disclosed in 2002,' Wisniewski told Computerworld on Wednesday. On Monday, Marlinspike released an easier-to-use revision of his long-available 'sslsniff' traffic sniffing tool. 'My mother could actually use this,' he said."

14 of 94 comments

  1. never been used my ass by aeiah · · Score: 2

    "It's probably been in [iOS] since day one," said Wisniewski, who speculated that even attackers hadn't known of the flaw. "Someone would likely have noticed if it had been used, because every Windows user would have been getting browser warnings [of an invalid certificate] on a public Wi-Fi network even as iPhone users were seeing no such warning."

    Does he seriously think you can't filter out non-iOS devices and just forward them to the proper site? Even a user-agent check would suffice.

    1. Re:never been used my ass by nedlohs · · Score: 4, Informative

      You can't check the User-Agent without feeding them the fake SSL cert first, since it's in the encrypted data.

      You could of course pass everything along by default and only act as a man in the middle for HTTPS requests from a device that you've already intercepted an HTTP request from to determine it's of the right flavor. But that does make it ever so slightly more difficult.

    2. Re:never been used my ass by crow · · Score: 2

      Yes, but you can use the device's MAC address. It shouldn't be too difficult to determine the ranges used for iPhones.

  2. Re:How can they patch this? by nedlohs · · Score: 2

    Because that isn't how the attack works.

  3. Re:How can they patch this? by spydir31 · · Score: 3, Informative

    No, you're thinking of SSLstrip, which methodically strips HTTPS references. This is a different attack, where the client accepts certificates signed by any certificate that has a valid chain.

  4. 3G Owners are SCREWED by Anonymous Coward · · Score: 5, Informative

    3G owners can't upgrade past 4.2.1. Looks like they are SOL! Thanks Apple!

    1. Re:3G Owners are SCREWED by spinkham · · Score: 4, Insightful

      iPod touch 2g also.

      It was still being sold as the 8 gig version less than 3 months before the announced last software update.

      The 3g 8gig was being sold around 6 months before the last announced software update.

      I understand not getting feature updates, but why can't we get security updates for a device apple was still selling a year ago?

      --
      Blessed are the pessimists, for they have made backups.

  5. Breaks Jailbreak by tecker · · Score: 3, Insightful

    Problem is that applying this update for something that is not likely exploited in the wild will hose your Untethered Jailbreak. Reports on Twitter are that redsn0w pointed at 4.3.4 (or 4.2.9) will work for getting a tethered Jailbreak. Many jailbreakers likely won't bother.

    Wonder if someone will patch this like they did the PDF exploit and put it on Cydia.

    --
    Procrastinating life away at a rapid rate of speed.

    1. Re:Breaks Jailbreak by dgatwood · · Score: 2

      Here's what I don't understand: why don't the jailbreakers modify the phone to add trust for a Cydia root cert (or whoever's), then use that to provide free certs for devs to sign apps on Cydia, etc.? That would provide the same flexibility as a full jailbreak, but without the security impact. Or heck, add trust for all the major CAs so that any standard code signing cert will work.

      The problem is that jailbreaking started out as a hack and still hasn't grown up from being a hack into being a usable tool. Then again, I guess I shouldn't expect usability from an app that presents you with a "Loading data" screen for five minutes while it downloads a description of the entire set of available packages.... Apparently, they've never heard of doing updates on background threads, performing on-demand loading, etc. What a mess.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Breaks Jailbreak by scot4875 · · Score: 2

      Guess what: the phones are already wide open to attack. That's why they're so easily jailbreakable in the first place.

      --Jeremy

      --
      Jesus was a liberal

  6. To be fair... by TehCable · · Score: 2

    "My mother could actually use this" To be fair, his mother is Kevin Mitnick

  7. Wait a minute by psydeshow · · Score: 2

    Did Apple really write a new custom certificate validation stack for iOS? Really?

    And then the developers failed to test it against this basic condition (using a valid certificate to sign a fake certificate)? On a device where you can only connect via wi-fi networks, which are inherently untrustworthy!

    Why, Jobs, why?

    THIS is the kind of gross incompetence that deserves a Congressional investigation. Who was behind this? Was it stupidity or actual malice?

    1. Re:Wait a minute by Synerg1y · · Score: 2

      This is more like it. Could a possible backdoor into iOS have been discovered? It seems that something like this would have come to surface a whole lot sooner...

      Was this a problem with earlier iOS? That is the interesting part.
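
The flaw spydir31 and psydeshow describe above (a chain of valid signatures is accepted without checking that each issuer is actually allowed to issue) is easiest to see next to a validator that does the check. The Go program below is an added example written for this page; it is not Apple's code, not the iOS validation stack, and not Marlinspike's sslsniff. It mints a throwaway root, a genuine certificate for the made-up host bank.example, an attacker's ordinary end-entity certificate from the same root, and a bogus bank.example certificate signed with the attacker's key. NaiveVerify is a stand-in for the behaviour the thread describes (signature chain up to a trusted root, hostname match, no basicConstraints check); StrictVerify is Go's standard library path validation. All names and certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for name, signed by parent/parentKey or
// self-signed when parent is nil. isCA sets the basicConstraints cA flag,
// the bit the flawed validator ignores. Inputs are fixed, so errors panic.
func mkCert(name string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // end-entity: name the host and allow TLS server use
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NaiveVerify models the validator the thread describes (a stand-in, not
// Apple's code): each certificate's signature must verify under the next
// certificate's key, the chain must end in a trusted root, and the leaf must
// name the host. basicConstraints is never consulted, so any end-entity
// certificate works as an issuer.
func NaiveVerify(chain []*x509.Certificate, root *x509.Certificate, host string) error {
	if len(chain) == 0 || !chain[len(chain)-1].Equal(root) {
		return errors.New("chain is empty or does not end in a trusted root")
	}
	for i := 0; i+1 < len(chain); i++ {
		c, issuer := chain[i], chain[i+1]
		if err := issuer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
			return err
		}
	}
	return chain[0].VerifyHostname(host)
}

// StrictVerify uses the standard library's path validation, which applies
// RFC 5280 basicConstraints: a candidate issuer without cA=TRUE is rejected.
func StrictVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Results holds each verifier's verdict (nil means accepted) on each chain.
type Results struct{ GenuineStrict, GenuineNaive, RogueStrict, RogueNaive error }

// RunScenario builds the attack: the attacker holds an ordinary certificate
// from the trusted root and uses its key to sign a bogus bank.example cert.
func RunScenario() Results {
	root, rootKey := mkCert("Example Root CA", true, 1, nil, nil)
	genuine, _ := mkCert("bank.example", false, 2, root, rootKey)
	attacker, attackerKey := mkCert("attacker.example", false, 3, root, rootKey)
	rogue, _ := mkCert("bank.example", false, 4, attacker, attackerKey)
	return Results{
		GenuineStrict: StrictVerify(genuine, nil, root, "bank.example"),
		GenuineNaive:  NaiveVerify([]*x509.Certificate{genuine, root}, root, "bank.example"),
		RogueStrict:   StrictVerify(rogue, []*x509.Certificate{attacker}, root, "bank.example"),
		RogueNaive:    NaiveVerify([]*x509.Certificate{rogue, attacker, root}, root, "bank.example"),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with go run: the genuine chain passes both verifiers, while the rogue chain passes NaiveVerify and fails StrictVerify, because the attacker's certificate carries cA=FALSE and Go refuses to treat it as an issuer. That asymmetry is the whole attack: a hotspot operator holding any legitimately issued certificate can present a freshly minted bank.example certificate, and a client with the naive check sees a clean chain up to a root it trusts. Note that NaiveVerify deliberately calls CheckSignature (raw signature check) rather than CheckSignatureFrom, which already enforces the CA constraint.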

  8. Why exactly by deains · · Score: 2

    Would you be doing anything "secure" at a public wi-fi hotspot? Checking bank details can wait until you get home I'd imagine, or you could hop onto the kinda-more-secure 3G network.