
iOS security risks: After the XcodeGhost exploit is Apple's iOS really safer than Android? Plus: What security apps do you need for iPad & iPhone

Karen Haslam | Sept. 24, 2015
In this article we look at some of the security threats that have hit Apple's iOS devices, including XcodeGhost, WireLurker, Masque Attack, the Oleg Pliss ransom case and the SSL flaw.

Apple said at the time that the incidents were not the result of iCloud being compromised and hinted that password reuse across multiple online accounts might be the cause of the hijackings.

By mid-June, Russian authorities revealed that they had arrested a man and a teenage boy from Moscow on suspicion of compromising Apple ID accounts and using Apple's Find My iPhone service to hold iOS devices for ransom.

It's not clear if the two Moscow residents, aged 16 and 23, were behind the Oleg Pliss attacks, but the crime referred to in the press release the Russian Ministry of Interior issued to announce the arrests was of a similar nature to the iPhone ransom attacks.

The two allegedly compromised email accounts and used phishing pages and social engineering techniques to gain access to Apple ID accounts. They are then accused of using the Find My iPhone feature to lock the associated devices and send messages to the owners threatening to delete data unless a ransom was paid.

Another technique involved placing advertisements online that offered to rent an Apple ID account with access to a lot of media content. Once users accepted the offer and linked their devices with that account, the attackers then used the Find My iPhone feature to hijack them, Russian authorities said.

What was the SSL flaw in Apple's iOS?

In February 2014, Apple issued updates to iOS 7 to protect against the security flaw. We recommend that users install the updates.

The SSL problem was with Apple's implementation of a basic encryption feature that shields data from snooping. Most websites handling sensitive personal data use SSL (Secure Sockets Layer) or TLS (Transport Layer Security), which establishes an encrypted connection between a server and a person's computer. If an attacker intercepts the data, it is unreadable.

However, iOS's validation of SSL encryption had a coding error that bypassed a key validation step in the web protocol for secure communications. As a result, communications sent over unsecured Wi-Fi hot spots could be intercepted and read while unencrypted, potentially exposing user passwords, bank data, and other sensitive data to hackers via man-in-the-middle attacks. Attackers could also supply fake data that makes it appear an authentic web service has been cryptographically verified.
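To make "bypassed a key validation step" concrete, here is an added, simplified C illustration (not Apple's code) of the form this bug was publicly reported to take: a duplicated unconditional jump that skips the signature check while the error code still reads success. The struct, field and function names are hypothetical, and the sample message is constructed.

```c
#include <stdio.h>

/* Constructed stand-in for one server key exchange message. Each field says
   whether that step would succeed; all names here are hypothetical. */
struct kx_msg {
    int hash_randoms_ok;  /* hashing client and server randoms */
    int hash_params_ok;   /* hashing the signed key-exchange parameters */
    int signature_ok;     /* server signature over that hash verifies */
};

static int step(int ok) { return ok ? 0 : -1; }

/* Flawed: a duplicated jump runs unconditionally, so the signature step is
   never reached and err still holds 0 from the previous successful step. */
int verify_flawed(const struct kx_msg *m)
{
    int err;
    if ((err = step(m->hash_randoms_ok)) != 0)
        goto done;
    if ((err = step(m->hash_params_ok)) != 0)
        goto done;
    goto done;  /* duplicated line */
    if ((err = step(m->signature_ok)) != 0)
        goto done;
done:
    return err;
}

/* Hardened: braces on every branch, and the result starts as failure and
   becomes success only after the last check has actually run. */
int verify_fixed(const struct kx_msg *m)
{
    int result = -1;
    if (step(m->hash_randoms_ok) != 0) { goto done; }
    if (step(m->hash_params_ok) != 0) { goto done; }
    if (step(m->signature_ok) != 0) { goto done; }
    result = 0;
done:
    return result;
}

int main(void)
{
    struct kx_msg forged = { 1, 1, 0 };  /* constructed: bad signature */
    printf("flawed=%d fixed=%d\n", verify_flawed(&forged), verify_fixed(&forged));
    return 0;
}
```

The flawed routine still rejects a failure in an earlier step, which is why ordinary connection testing would not reveal it; only a test that presents an invalid signature does.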

In the case of the SSL flaw, the danger is mitigated somewhat since an attacker must be on the same network as the victim. However, you could be open to attacks if you are using a shared network and someone is snooping on that network. This could be someone in your local Starbucks.

Secured Wi-Fi networks, such as home and business networks with encryption enabled, are not affected.

 
