Apple’s recent “goto fail” bug has attracted the attention and concern of many consumers, and rightfully so. This particular vicious exploit allowed hackers to fake a secure connection, which enables phishing attempts that allow scammers to get login information from consumers for social networking, banking, and other important websites.
This bug affected both iOS and OS X devices, meaning that users of all modern Apple computers, smartphones, and tablets are affected.
Version Numbers – Who’s Affected?
First, let’s look at the good news. Apple has patched the vulnerability for iOS, so as long as your mobile Apple device is up-to-date, you’re safe. You can check that your iPhone is updated by going to Settings > General > Software Update. This screen will tell you which version of iOS you’re running and if there’s an update. As of writing, this latest version of iOS is 7.0.6, which contains the update for the goto fail bug. If your iPhone is already Jailbroken you can follow our update walkthrough.
On the desktop side, the bug affects OS 10.9 and later devices, but is patched in OS 10.9.2. Devices running an older version of the operating system aren’t affected. Likewise, portable devices running iOS 5 or earlier aren’t affected. iOS 6 devices need to upgrade to iOS 7 to get the patch.
iPhone SSL “Goto Fail” Vulnerability
Now that you know you’re safe (hopefully), here’s a little more information on what happened, and why it’s important. In order to understand that, it’s necessary to know a little background information. Browsers use a protocol called HTTPS, where the “S” stands for secure. Normal HTTP traffic is unencrypted, meaning that anyone can see any information sent over a network.
When the secure version of HTTP is used, traffic is encrypted, meaning that others on a network can’t see the actual data being sent. If they tried to look at it, all they would see is load of scrambled, meaningless data. HTTPS is used every time you log in to any secure service. This includes email, social networks, and banking websites, among others. When an HTTPS connection is made, each side has to verify that the other side presents a valid security certificate. These security certificates are only issued by a handful of trusted websites, and your browser knows who they are and can check to see if the certificate is valid.
The problem with Apple’s code is that it wasn’t checking properly to see if the certificate was valid. The line “goto fail” appeared twice in Apple’s source code. The first appearance followed a conditional if statement, meaning that the program should only goto the section of code called fail if certain conditions were met. However, the second time the line appeared, the program would execute it every time, meaning that the program always used this section of code.
Even when the security certificate wasn’t validated, the code would go to a certain section allowing the browser to establish a secure connection with a site. The site could be fake, and could then relay entered login information to whoever set up the illegitimate site.
Accidental or Ill-Intentioned Code?
One especially interesting thing about this bug is that some suspect that it was placed there intentionally. Following the security leaks by Edward Snowden, one of the things we learned about the NSA spying efforts was that they had a way around encryption. This simple, innocent looking line of code would allow exactly that, and could allow the NSA to gather login information from suspected terrorists.
However, the code was included in published open source code by Apple, where it could have been caught by anyone. Programmers who have analyzed the situation suspect that the code was there by accident after a recent update, but there’s no way to know for sure. This alleged conspiracy, though unlikely, is one of the things that has driven all the media attention this bug has received.