When I got my iPhone 4 this past March, the first thing I did was update the operating system to the latest version of iOS. The second thing I did was visit the local Apple Store, as the (failed) update turned my lovely new smartphone into a very expensive paperweight. Apple very kindly replaced my phone with no questions asked, and I was impressed by the customer service at the Apple Store. I did not, however, rush home to update to the latest version of iOS.
When Apple released iOS 4.3.5 on July 25th, I had sufficient motivation to upgrade again. iOS 4.3.5 patches a major security flaw in iOS that could allow an unscrupulous person to conduct a man-in-the-middle attack.
According to Apple, “A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains” (http://support.apple.com/kb/HT4824).
What this means in layman’s terms is that the security lock you and I rely on to verify that our bank’s web site is secure could be compromised on iPhones and iPads running iOS versions prior to 4.3.5. An attacker could purchase a legitimate SSL certificate for a website such as hacking.com, and then use it to sign an invalid certificate for yourbank.com.
By intercepting traffic between your browser and your bank’s web site, a man-in-the-middle attacker could present what appears to be a secure connection to your bank, while stealing all the information passed over this now insecure connection.
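To make the chain check concrete, here is an added example (not from Apple, Recurity Labs, or the original post) of a simplified validator that rejects a chain in which an ordinary site certificate has issued another certificate. It assumes the missing check is the CA flag (basicConstraints) required by RFC 5280, which the post itself does not state; the `Cert` model, the function names and the sample chains are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified model, constructed for illustration: "signed_by" stands in for a
# verified signature. Real validation also checks signatures, dates, revocation.
@dataclass(frozen=True)
class Cert:
    subject: str
    signed_by: str   # subject of the certificate whose key signed this one
    is_ca: bool      # basicConstraints CA flag (assumed to be the missing check)

def links_ok(chain: List[Cert], roots: Dict[str, Cert], host: str) -> bool:
    """Incomplete check: the name matches, each link is signed by the next,
    and the chain ends at a trusted root. Leaf first, root not included."""
    if not chain or chain[0].subject != host:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert.signed_by != issuer.subject:
            return False
    return chain[-1].signed_by in roots

def validate_strict(chain: List[Cert], roots: Dict[str, Cert],
                    host: str) -> Tuple[bool, str]:
    """Complete the check: every certificate that issued another one
    must itself be marked as a CA."""
    if not links_ok(chain, roots, host):
        return False, "name mismatch, broken chain or untrusted root"
    issuers = chain[1:] + [roots[chain[-1].signed_by]]
    for issuer in issuers:
        if not issuer.is_ca:
            return False, f"{issuer.subject} is not a CA but issued a certificate"
    return True, "ok"

# Constructed sample data: one trusted root, one intermediate CA.
ROOTS = {"Example Root CA": Cert("Example Root CA", "Example Root CA", True)}
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", True)
GOOD = [Cert("yourbank.com", "Example Issuing CA", False), INTERMEDIATE]
# The scenario from the post: a site certificate used as if it were a CA.
FORGED = [Cert("yourbank.com", "hacking.com", False),
          Cert("hacking.com", "Example Issuing CA", False),
          INTERMEDIATE]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("forged", FORGED)):
        print(name, "links_ok:", links_ok(chain, ROOTS, "yourbank.com"),
              "strict:", validate_strict(chain, ROOTS, "yourbank.com"))
```

Both chains pass the link-only check, which is why no warning appears on an affected device; only the strict check separates them.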
Recurity Labs has published a simple web site that lets you check whether your iOS device is vulnerable to this exploit. Simply navigate to https://issl.recurity.com using Safari on your iPhone, iPad, or iPod Touch.
If you see the web page without a warning, your device has this flaw, and you should update your OS immediately.
If, instead, you see a screen that looks like the following, your phone is updated correctly.
iOS 4.3.5 is available now through iTunes, and supports the following devices:
- iPhone 4 (GSM model)
- iPhone 3GS
- iPad 2
- iPod touch (4th generation)
- iPod touch (3rd generation)