Apple Patches Serious SSL Exploit That Could Have Exposed OS X, iOS Users to NSA Snooping

Apple, Inc. (AAPL) is a master at trying to minimize image damage when it comes to security problems, but as its products have become more popular, rising numbers of attacks have forced it to move from inaction with a helping of arrogant denial to a more responsible patching pace.

I. Copy, Paste, and Facepalm

On Friday Apple rolled out an iOS update for its iPods, iPhones, and iPads — iOS 7.0.6. Unlike some past minor updates, this release consisted of a single fix under the byline “data security”.

This turned out to be a whopper of a one-line bug.

The bug damaged encryption on Macs and iOS devices alike.
Like Microsoft Corp. (MSFT), Apple is moving towards common libraries between iOS (mobile) and OS X (traditional PC) — something Linux has long made standard. As this error was in the common library (sslKeyExchange.c) that handled SSL certificates, it basically endangered encryption on all of the core services of OS X and iOS, plus whatever services you might visit via the internet or third-party apps. Literally everything was at some risk.

See if you can spot the bug.

In C, if the statement following an if is not enclosed in braces, the compiler assumes that the conditional action is only a single semicolon-terminated statement. So the author likely copied and pasted a second failure jump by accident. This statement is always executed if execution gets past the second conditional, meaning that the third conditional is never evaluated.
So, assuming the initial check passed, a pass is stored in err, and because the validation is skipped, the code thinks it has a valid certificate.
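
A minimal reproduction of the control-flow mistake described above, next to a braced version. This is an added illustration, not Apple's source: the `handshake_t` struct and the `check_*` and `verify_*` functions are hypothetical stand-ins for the real checks.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake checks; each returns 0 on success.
   All names here are hypothetical, not Apple's. */
typedef struct { int hash_ok, update_ok, signature_ok; } handshake_t;
static int check_hash(const handshake_t *h)      { return h->hash_ok ? 0 : -1; }
static int check_update(const handshake_t *h)    { return h->update_ok ? 0 : -1; }
static int check_signature(const handshake_t *h) { return h->signature_ok ? 0 : -1; }

/* GCC and Clang can report the stray jump via -Wmisleading-indentation;
   the pragma asks them to stay quiet for this demo only. */
#pragma GCC diagnostic ignored "-Wmisleading-indentation"

/* Buggy shape: unbraced ifs with a duplicated jump. */
int verify_buggy(const handshake_t *h) {
    int err;
    if ((err = check_hash(h)) != 0)
        goto fail;
    if ((err = check_update(h)) != 0)
        goto fail;
        goto fail;  /* not guarded by the if: always taken, with err == 0 */
    if ((err = check_signature(h)) != 0)  /* never reached */
        goto fail;
fail:
    return err;     /* 0 means "verified" to the caller */
}

/* Same logic with every body braced: a duplicated line would stay inside
   its block, and the signature check always runs. */
int verify_fixed(const handshake_t *h) {
    int err;
    if ((err = check_hash(h)) != 0) {
        goto fail;
    }
    if ((err = check_update(h)) != 0) {
        goto fail;
    }
    if ((err = check_signature(h)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    handshake_t bad_sig = {1, 1, 0};  /* constructed: signature does not verify */
    printf("buggy=%d fixed=%d\n", verify_buggy(&bad_sig), verify_fixed(&bad_sig));
    return 0;
}
```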

II. Put Your Trust in Me

SSL Certificates work kind of like a driver’s license.  If a cop pulls you over they can tell instantly that you’re old enough to be driving, what state you’re a resident in, your address, your trustworthiness (based on your criminal history), etc.
But what if you gave a fake ID? You need a way of validating that identification in real time. For a cop that might mean visually confirming the face matches the license and calling in to a dispatcher to run the license through a database to look for discrepancies. For SSL it involves exchanging keys to establish trust and to confirm that your certificate is real.
But due to the error, the process of validating the certificate was skipped, meaning that if it looked like the certificate was valid, it would trust whatever you sent after that.

That allows an attacker to spot the communication (via packet sniffing) and launch a fake response made to appear to have originated from the secured server. 
So-called man-in-the-middle attacks are difficult to do remotely for a couple of reasons. First, many communications are time-sensitive, meaning that you will need to simulate the real response time in order to successfully impersonate the target, which generally is only possible if you’re close to the target or source.
Second, you must be able to gather enough traffic in real time to identify users with specific platforms, so as not to reveal your malicious activity by attacking properly protected targets. In principle this further limits you to being close to the victim. Lastly, you must be at a point on the network that the target is also on and to which you have unencrypted access. That adds one more restriction for casual hackers, although of course a superpowered hacker like the U.S. National Security Agency (NSA) might have the resources to monitor unencrypted fiber-optic links between data centers.
Obviously, losing all encryption and potentially falling victim to mockups of websites that steal your password is very bad news. And what’s worse, this vulnerability has been in the wild since it was (presumably accidentally) added in September 2012, with the iOS 6.0 update. The bug was not present in iOS 5.1.1 or earlier or in OS X 10.7.x (Lion) or earlier.

Adam Langley (“ImperialViolet”) offers a nice example of how he was able to send HTTPS traffic from insecure ports thanks to the bug.

It’s unclear whether anyone — aside from whoever within or outside of Apple found the bug — knew of the bug and actively exploited it before the iOS update/patch went live.

III. Did “Goto Fail” Bug Enable NSA Surveillance?

But following Friday’s iOS patch, the cat was quickly out of the bag. Thus, for the last several days Apple’s personal computer users have been in a precarious position, as OS X 10.9 Mavericks remained vulnerable and exploits were reportedly occurring in the wild:


The bug reportedly was exploited in the wild at coffee shops and other insecure public locations with lots of Macs. [Image Source: The New York Times]
On Tuesday, Apple rolled out OS X 10.9.2 which combined the fix with other planned Mavericks improvements such as the ability to make and receive FaceTime calls, as well as improvements to core apps such as Mail, iMessage, and Safari.  Apple released a sister patch for those users still on OS X 10.8 (Mountain Lion).
While the issue is now resolved and Apple deserves credit for fixing it almost as quickly as it was made public, that’s not stopping it from drawing some flak over the possibility that the NSA used the bug to gain access to data users thought was encrypted.
In fact, some are speculating that Apple planted the bug on purpose to assist in NSA data collection — or was infiltrated by an NSA mole who planted the bug.
Slide 6 of an NSA slide deck leaked by The Guardian indicates that Apple’s platforms were added to the PRISM program’s watch list in October 2012. While there’s a good chance that the timing of the bug’s introduction and the NSA finding a way to strip away Apple users’ security was not coincidental, Daring Fireball makes a fair argument that the timeline doesn’t necessarily indicate an inside job. As he points out, the NSA likely has automated scanners looking for security mismanagement on various platforms.

But then again, the NSA’s leaked slides also do reveal a $250M USD payment scheme to top tech companies to purposefully sabotage global encryption.  Plus the NSA was fond of using legal threats against tech firms to coerce compliance.  So we can’t exactly rule out an inside job either.
The good news is that the “goto fail” bug is now fixed, and it should be possible to find and eliminate similar bugs thanks to Apple’s decision to open up its OS X source with the release of OS X 10.9 Mavericks.
In related news, security researchers this week found a flaw that allowed them to log fingerprint data on the iPhone 5S — a supposedly “impossible” feat.